扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 |
# Exploit Title: Wolf CMS 0.8.2Arbitrary File Upload To Command Execution # Reported Date: 05-May-2015 # Fixed Date : 10-August-2015 # Exploit Author : Narendra Bhati # CVE ID : CVE-2015-6567 , CVE-2015-6568 # Contact: * Facebook : https://facebook.com/narendradewsoft *Twitter : http://twitter.com/NarendraBhatiB # Website: http://websecgeeks.com # Additional Links - * https://github.com/wolfcms/wolfcms/releases/ * https://www.wolfcms.org/blog/2015/08/10/releasing-wolf-cms-0-8-3-1.html #For POC - http://websecgeeks.com/wolf-cms-arbitrary-file-upload-to-command-execution/ 1. Description Every registered users who have access of upload functionality can upload an Arbitrary File Upload To perform Command Execution Vulnerable URL http://targetsite.com/wolfcms/?/admin/plugin/file_manager/browse/ Vulnerable Parameter "filename" 2. Proof of Concept A)Login as regular user ( who have access upload functionality ) B)Go to this page- http://targetsite.com/wolfcms/?/admin/plugin/file_manager/browse/ C)Select upload an file option to upload Arbitary File ( filename ex: "hello.php" ) D)Now you can access the file by here - http://targetsite.com/wolfcms/public/hello.php 3. Solution: Update to version 0.8.3.1 http://www.wolfcms.org/download.html ============= -- *Narendra Bhati "CEH" **( Facebook <http://www.facebook.com/narendradewsoft> , Twitter <http://www.twitter.com/NarendraBhatiB> , LinkedIn <https://www.linkedin.com/profile/view?id=115146074> , Personal Blog )* *Security Analyst - IT Risk & Security Management Services* Suma Soft Pvt. Ltd. | Suma Center | Near Mangeshkar Hospital | Erandawane Pune: 411004 | *======================================================================* |
体验盒子
