phpstore phpcareers 任意文件上传漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1116710 漏洞类型 权限许可和访问控制
发布时间 2008-11-10 更新时间 2009-08-12
CVE编号 CVE-2008-6931 CNNVD-ID CNNVD-200908-086
漏洞平台 PHP CVSS评分 6.5
|漏洞来源
https://www.exploit-db.com/exploits/7083
https://cxsecurity.com/issue/WLB-2009080101
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200908-086
|漏洞详情
PHPStoreJobSearch(又称作PHPCareers)中的任意文件上传漏洞。远程认证用户通过上传一个具有例如logo那样的可执行扩展名的一个文件并向jobseekers/jobseeker_profile_images的文件提交一个直接请求来访问该文件,以执行任意代码。
|漏洞EXP
PHPStore Job Search Remote File Upload

Author: ZoRLu  msn: trt-turk@hotmail.com

home: www.z0rlu.blogspot.com

N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( (

-----------------------------------------


exploit:


you add this code your shell to head 

GIF89a; 

example your_shell.php:

GIF89a;
<?

...

...

...

?>

and save your_sheell.php

you register site and this site questions your photo. you upload your_shell.php

you clikc to view resume and open new page ( direckt link: http://localhost/script/preview.php )

you must see your photo 

and right click to your photo select to properites 

after copy photo link and paste your explorer go your shell

your_shell.php

http://localhost/script/jobseekers/jobseeker_profile_images/[id]_offer_your_shel.php


---------------------------------------------

example for demo:

shell: ( not permission for demo server )

http://www.phpstore.info/demos/phpcareers/jobseekers/jobseeker_profile_images/1226242993_offer_c.php


http://www.phpstore.info/demos/phpcareers/jobseekers/jobseeker_profile_images/ ( you look here and see shell 1226242993_offer_c.php )

------------------------------------------------

thanks: str0ke & yildirimordulari.org  &  darkc0de.com

# milw0rm.com [2008-11-10]
|参考资料

来源:XF
名称:jobsearch-jobseeker-file-upload(52447)
链接:http://xforce.iss.net/xforce/xfdb/52447
来源:VUPEN
名称:ADV-2008-3099
链接:http://www.vupen.com/english/advisories/2008/3099
来源:MILW0RM
名称:7083
链接:http://www.milw0rm.com/exploits/7083
来源:SECUNIA
名称:32626
链接:http://secunia.com/advisories/32626
来源:OSVDB
名称:50295
链接:http://osvdb.org/50295