gpEasy CMS 4.0 Shell Upload

2013.06.05
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-264

# Exploit Title : gpEasy CMS Malicious File Upload # Date : 4 June 2013 # Exploit Author : CWH Underground # Site : www.2600.in.th # Vendor Homepage : http://gpeasy.com/ # Software Link : http://gpeasy.com/Special_gpEasy?cmd=dlzip # Version : 4.0 # Tested on : Window and Linux ,--^----------,--------,-----,-------^--, | ||||||||| `--------' | O .. CWH Underground Hacking Team .. `+---------------------------^----------| `\_,-------, _________________________| / XXXXXX /`| / / XXXXXX / `\ / / XXXXXX /\______( / XXXXXX / / XXXXXX / (________( `------' ##################################################### DESCRIPTION ##################################################### gpEasy CMS that permission is provided a file upload function to authenticated users. Allows for write/read/edit/delete download arbitrary file uploaded (Upload location is centralized) , which results attacker might arbitrary write/read/edit/delete files and folders. Moreover, Upload function allow attacker to upload PHP file lead attacker to compromise system.In order to exploit the vulnerability a valid user in the web is required. ##################################################### EXPLOIT POC ##################################################### 1. Logged in as User's privilege 2. Access http://target/gpeasy/Admin_Uploaded 3. Able to access centralize upload folder 4. Malicious File Upload (Shell.php) 5. For access shell, http://target/gpeasy/data/_uploaded/Shell.php 6. Server Compromised !! ################################################################################################################ Greetz : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2 ################################################################################################################

References:

http://gpeasy.com/Special_gpEasy?cmd=dlzip


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top