# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# CMS Etiko Arbitrary File Upload Vulnerability
# Google Dork: intext:"CMS Etiko"
# Date: 27/10/2012
# Author: Sys32
# Email: tha.Sys32[at]gmail[dot]com
# Vendor: http://www.etikweb.com/
# Category: Webapp
# Tested on: Backtrack 5 r3
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# I. INFO.
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# The application allows an attacker, the ability to upload a random file to the web server.
#
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# II. Vulnerable Code.
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# file => files.php
#
# function upload_file($user_id,$path){
# global $site_url,$HTTP_POST_FILES;
#
# // Upload file
# @mkdir($path,0775); // Make directory, if it doesn't exist
# @chmod($path,0775);
#
# $path="$path/";
#
# if($user_id==false) $user_id=date("YmdHmi");
#
# $file_name="$user_id-".$HTTP_POST_FILES['image']['name'];
#
# if($HTTP_POST_FILES['image']['name']){ // if a file was actually uploaded
# $HTTP_POST_FILES['image']['name']=str_replace("%","",$HTTP_POST_FILES['image']['name']); // remove any % signs from the file name
# move_uploaded_file($HTTP_POST_FILES['image']['tmp_name'],$path.$file_name); // put the file in the directory
#
# $uploaded_file="$path".$file_name;
# chmod($uploaded_file,0775);
# return $file_name;
# }
#
# return "";
# }
#
# As you can see in the code, files extensions aren't verified.
#
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# III. EXPLOIT.
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# Register a new user, then login to the system, and go to the profile settings, and them upload the file throw the Picture form.
#
# Shell location:
#
# http://localhost/images/users/
#
# Shell name: $user_id -your-file.php
# $date("YmdHmi") -your-file.php
#
#
# Note: You can also find your shell by viewing the source code of the user profile page that you have made.
#
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# IV. Risk.
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# The security risk of arbitrary file upload is estimated as critical.
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''