Etiko CMS Arbitrary File Upload Vulnerability

2012-10-31T00:00:00
ID 1337DAY-ID-19661
Type zdt
Reporter Sys32
Modified 2012-10-31T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            # ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# CMS Etiko Arbitrary File Upload Vulnerability
# Google Dork: intext:"CMS Etiko"
# Date: 27/10/2012
# Author: Sys32
# Email: tha.Sys32[at]gmail[dot]com
# Vendor: http://www.etikweb.com/
# Category: Webapp
# Tested on: Backtrack 5 r3
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# I. INFO.
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# The application allows an attacker, the ability to  upload a random file to the web server.
#
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# II. Vulnerable Code.
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# file => files.php
# 
#  function upload_file($user_id,$path){
#  global $site_url,$HTTP_POST_FILES;
#
#  // Upload file
#  @mkdir($path,0775); // Make directory, if it doesn't exist
#  @chmod($path,0775);
#
#  $path="$path/";
#
#  if($user_id==false) $user_id=date("YmdHmi");
#
#  $file_name="$user_id-".$HTTP_POST_FILES['image']['name'];
#
#  if($HTTP_POST_FILES['image']['name']){ // if a file was actually uploaded
#    $HTTP_POST_FILES['image']['name']=str_replace("%","",$HTTP_POST_FILES['image']['name']); // remove any % signs from the file name
#    move_uploaded_file($HTTP_POST_FILES['image']['tmp_name'],$path.$file_name); // put the file in the directory
#
#    $uploaded_file="$path".$file_name;
#    chmod($uploaded_file,0775);
#    return $file_name;
#    }
#
#  return "";
#  }
#
#  As you can see in the code, files extensions aren't verified.
#
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# III. EXPLOIT.
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# Register a new user, then login to the system, and go to the profile settings, and them upload the file throw the Picture form.
# 
# Shell location:
#
# http://localhost/images/users/
#
# Shell name: $user_id -your-file.php 
#             $date("YmdHmi") -your-file.php
#
#
# Note: You can also find your shell by viewing the source code of the user profile page that you have made.
#
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# IV. Risk.
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# The security risk of arbitrary file upload is estimated as critical.
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

#  0day.today [2018-01-01]  #