Kleophatra 0.1.4 0day Arbitrary Upload File Vulnerability

2011-03-19T00:00:00
ID 1337DAY-ID-15648
Type zdt
Reporter Xr0b0t
Modified 2011-03-19T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            [!]===========================================================================[!]

[~] Kleophatra 0.1.4 0day Arbitrary Upload File Vulnerability
[~] Author : Xr0b0t ([email protected])
[~] Homepage : www.indonesiancoder.com | xrobot.mobi | mc-crew.net | exploit-id.com
[~] Date : 18 Mart, 2010
[~] Tested on : BlackBuntu RC2

[!]===========================================================================[!]

[ Software Information ]

[+] Vendor : http://portal.kleophatra.org
[+] Download : http://releases.kleophatra.org/kleophatra.zip
[+] Price : free
[+] Vulnerability : Upload File
[+] Dork : "powered by Kleophatra" ;)
[+] Version : Kleo 0.1.4

[!]===========================================================================[!]

Vulnerable Javascript Source Code:
    in users.php
    ------------------------------------------------------------------------
              function show_avatar(&$abuff){
            $uid = $_SESSION['uid'];
            $this->tpl_load('avatar.tpl', $abuff);

            if(isset($_POST['do_avatar'])){
                $this->do_avatar();
            }
    
        }
    ------------------------------------------------------------------------    
    in avatar.tpl
    ------------------------------------------------------------------------    
    <div align="center">
    <h1>{=lang(L_CHANGE_AVATAR)}</h1>
    <form method="post" enctype="multipart/form-data">
        {=lang(L_AVATAR)}:<br/>
        <input type="file" name="avatar" id="avatar" style="height:25px;" /><br/><br/>
        <input type="submit" name="do_avatar" value="{=lang(L_CHANGE_AVATAR)}" /><br/><br/>
    </form>
    </div>    
    ------------------------------------------------------------------------    
    
[ Default Site ]
    http://127.0.0.1/kleo/



[ XpL ]

    [~] Step 1 : Find A CMS With Google Dork
 
    [~] Step 2: Register In This Site
 
    [~] Step 3: Click On Change Your Avatar
    
    [~] Step 4: Click On Upload Images
 
    [~] Step 5: Click On File Will Be Uploaded ( Uploaded The File *.php or *.jgp)
 
    [~] Step 6: And Click on Change Your Avatar
 
    [~] Step 7: You Will See the file media/avatars/"username"/"the file"
       
    
[ Demo ]
    
    Site    : http://portal.kleophatra.org/
    
    exploit : http://portal.kleophatra.org/index.php?module=users&action=avatar
              "Upload The shell.php in change your avatar"
    
    Result    : http://portal.kleophatra.org/media/avatars/Xr0b0t/shell.php    

    
    with a default configuration of this script, an attacker might be able to upload arbitrary
    files containing malicious PHP code due to multiple file extensions isn't properly checked
    
    Goo The IndonesianCoder!!!
[!]===========================================================================[!]

[ Thx TO ]

[+] Don Tukulesto DUDUl Kok G rene2... Kal0ng 666 Cepet Jadikan Ntu PRoyek
[+] INDONESIAN CODER TEAM IndonesianHacker Malang CYber CREW Magelang Cyber
[+] tukulesto,M3NW5,arianom,N4CK0,abah_benu,d0ntcry,bobyhikaru,gonzhack,senot
[+] Contrex,YadoY666,yasea,bugs,Ronz,Pathloader,cimpli,MarahMerah.IBL13Z,r3m1ck
[+] Coracore,Gh4mb4s,Jack-,VycOd,m0rgue,otong,CS-31,Yur4kha,Geni212


[ NOTE ]

[+] OJOK JOTOS2an YO ..
[+] Minggir semua Arumbia Team Mau LEwat ;)
[+] MBEM : lup u :">

[ QUOTE ]

[+] INDONESIANCODER still r0x...
[+] ARUmBIA TEam Was Here Cuy MINGIR Kabeh KAte lewat ..
[+] Malang Cyber Crew & Magelang Cyber Community



#  0day.today [2018-02-16]  #