header-logo
Suggest Exploit
vendor:
LibrettoCMS
by:
CWH Underground
7,5
CVSS
HIGH
Malicious File Upload
434
CWE
Product Name: LibrettoCMS
Affected Version From: 2.2.2
Affected Version To: 2.2.2
Patch Exists: NO
Related CWE: N/A
CPE: a:librettocms:librettocms:2.2.2
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows and Linux
2013

LibrettoCMS 2.2.2 Malicious File Upload

LibrettoCMS is provided a file upload function to unauthenticated users. Allows for write/read/edit/delete download arbitrary file uploaded , which results attacker might arbitrary write/read/edit/delete files and folders. LibrettoCMS use pgrfilemanager and restrict file type for upload only doc and pdf but able to rename filetype after uploaded lead attacker to rename *.doc to *.php and arbitrary execute PHP shell on webserver.

Mitigation:

Restrict file type for upload, use secure file upload mechanism, use secure coding practices, use secure authentication mechanism.
Source

Exploit-DB raw data:

# Exploit Title   : LibrettoCMS 2.2.2 Malicious File Upload
# Date            : 14 June 2013
# Exploit Author  : CWH Underground
# Site            : www.2600.in.th
# Vendor Homepage : http://libretto.artwebonline.com/
# Software Link   : http://jaist.dl.sourceforge.net/project/librettocms/librettoCMS_v.2.2.2.zip
# Version         : 2.2.2
# Tested on       : Window and Linux
 
  ,--^----------,--------,-----,-------^--,
  | |||||||||   `--------'     |          O .. CWH Underground Hacking Team ..
  `+---------------------------^----------|
    `\_,-------, _________________________|
      / XXXXXX /`|     /
     / XXXXXX /  `\   /
    / XXXXXX /\______(
   / XXXXXX /         
  / XXXXXX /
 (________(           
  `------'
 
 
#####################################################
DESCRIPTION
#####################################################
 
LibrettoCMS is provided a file upload function to unauthenticated users. Allows for write/read/edit/delete download arbitrary file uploaded , which results attacker might arbitrary write/read/edit/delete files and folders.

LibrettoCMS use pgrfilemanager and restrict file type for upload only doc and pdf but able to rename filetype after uploaded lead attacker to rename *.doc to *.php and arbitrary execute PHP shell on webserver.
 
#####################################################
EXPLOIT POC
#####################################################
 
1. Access http://target/librettoCMS/adm/ui/js/ckeditor/plugins/pgrfilemanager/PGRFileManager.php 
2. Upload PHP Shell with *.doc format (shell.doc) to PGRFileManager
3. Rename file from shell.doc to shell.php
4. Your renamed file will disappear !!
5. For access shell, http://target/librettoCMS/userfiles/shell.php
6. Server Compromised !!
 
################################################################################################################
 Greetz      : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2
################################################################################################################

Navigation

Suggest Exploit

Services By CQR