# Exploit Title   : gpEasy CMS Malicious File Upload
# Date            : 4 June 2013
# Exploit Author  : CWH Underground
# Site            : www.2600.in.th
# Vendor Homepage : http://gpeasy.com/
# Software Link   : http://gpeasy.com/Special_gpEasy?cmd=dlzip
# Version         : 4.0
# Tested on       : Window and Linux
 
  ,--^----------,--------,-----,-------^--,
  | |||||||||   `--------'     |          O .. CWH Underground Hacking Team ..
  `+---------------------------^----------|
    `\_,-------, _________________________|
      / XXXXXX /`|     /
     / XXXXXX /  `\   /
    / XXXXXX /\______(
   / XXXXXX /         
  / XXXXXX /
 (________(           
  `------'
 
 
#####################################################
DESCRIPTION
#####################################################
 
gpEasy CMS that permission is provided a file upload function to authenticated users. Allows for write/read/edit/delete download arbitrary
file uploaded (Upload location is centralized) , which results attacker might arbitrary write/read/edit/delete files and folders.

Moreover, Upload function allow attacker to upload PHP file lead attacker to compromise system.In order to exploit the vulnerability 
a valid user in the web is required.
 
#####################################################
EXPLOIT POC
#####################################################
 
1. Logged in as User's privilege 
2. Access http://target/gpeasy/Admin_Uploaded
3. Able to access centralize upload folder
4. Malicious File Upload (Shell.php)
5. For access shell, http://target/gpeasy/data/_uploaded/Shell.php
6. Server Compromised !!
 
################################################################################################################
 Greetz      : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2
################################################################################################################