Photopost vbgallery 代码注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1115688 漏洞类型 代码注入
发布时间 2008-07-15 更新时间 2008-07-15
CVE编号 CVE-2008-0251 CNNVD-ID CNNVD-200801-174
漏洞平台 PHP CVSS评分 10.0
|漏洞来源
https://www.exploit-db.com/exploits/6082
https://www.securityfocus.com/bid/85174
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200801-174
|漏洞详情
PhotoPost是一套用于Web网站的图片管理工具。PhotoPostvBGallery2.4.2之前的版本中存在未限制文件上传漏洞。远程攻击者借助未知向量上传和运行任意文件。
|漏洞EXP
vBulletin PhotoPost vBGallery v2.x Remote File Upload

Found by : Cold z3ro

e-mail : exploiter@hackteach.org

Home page : www.Hack.ps

==============================

exploit usage : 

http://localhost/Forum/$gallery_path/upload.php

here the exploiter can upload php shell via this script

by renamed it's name to $name.php.wmv

but first he should be a user in the forum

thats so important to him cus the uploaded file will be

in his account nomber folder .

example :

user : Cold z3ro
http://www.hackteach.org/cc/member.php?u=4

his account nomber is 4 as shown in link ,

the uploaded file ( shell ) will be in

http://localhost/Forum/$gallery_path/files/4/$name.php.wmv

id the user Cold z3ro have acconut nomber as example ( 12345 )

the file path is 

http://localhost/Forum/$gallery_path/files/1/2/3/4/5/$name.php.wmv

===================

i want tho thank all members in www.hackteach.org forums , best work u are done.

thank u .

# hackteach.org

# milw0rm.com [2008-07-15]
|受影响的产品
PhotoPost Photopost Vbgallery 2.4.1
|参考资料

来源:XF
名称:vbgallery-unspecified-code-execution(39621)
链接:http://xforce.iss.net/xforce/xfdb/39621
来源:www.photopost.com
链接:http://www.photopost.com/forum/showthread.php?t=134910
来源:www.photopost.com
链接:http://www.photopost.com/forum/showthread.php?t=134909
来源:SECUNIA
名称:28430
链接:http://secunia.com/advisories/28430