Etiko CMS Arbitrary File Upload Vulnerability

HeRoTurk

[hide] Exploit Codes

Code:
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# CMS Etiko Arbitrary File Upload Vulnerability
# Google Dork: intext:"CMS Etiko"
# Date: 27/10/2012
# Author: Sys32
# Email: tha.Sys32[at]gmail[dot]com
# Vendor: http://www.etikweb.com/
# Category: Webapp
# Tested on: Backtrack 5 r3
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# I. INFO.
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# The application gives an attacker the ability to upload a random file to the web server.
#
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# II. Vulnerable Code.
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# file => files.php
# 
#  function upload_file($user_id,$path){
#  global $site_url,$HTTP_POST_FILES;
#
#  // Upload file
#  @mkdir($path,0775); // Make directory, if it doesn't exist
#  @chmod($path,0775);
#
#  $path="$path/";
#
#  if($user_id==false) $user_id=date("YmdHmi");
#
#  $file_name="$user_id-".$HTTP_POST_FILES['image']['name'];
#
#  if($HTTP_POST_FILES['image']['name']){ // if a file was actually uploaded
#    $HTTP_POST_FILES['image']['name']=str_replace("%","",$HTTP_POST_FILES['image']['name']); // remove any % signs from the file name
#    move_uploaded_file($HTTP_POST_FILES['image']['tmp_name'],$path.$file_name); // put the file in the directory
#
#    $uploaded_file="$path".$file_name;
#    chmod($uploaded_file,0775);
#    return $file_name;
#    }
#
#  return "";
#  }
#
#  As you can see in the code, file extensions aren't verified.
#
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# III. EXPLOIT.
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# Register a new user, then log in to the system, go to the profile settings, and then upload the file through the Picture form.
# 
# Shell location:
#
# http://localhost/images/users/
#
# Shell name: $user_id -your-file.php 
#             $date("YmdHmi") -your-file.php
#
#
# Note: You can also find your shell by viewing the source code of the user profile page that you have made.
#
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# IV. Risk.
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# The security risk of arbitrary file upload is estimated as critical.
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

Tested with Backtrack 5 r3.

Google Dork : intext:"CMS Etiko"

I found it on an exploit site.

If it was useful to you, don't begrudge a rep and a thanks :)

[/hide]
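A hardened counterpart to the `upload_file()` function quoted in the post above, added here as an example; it is not part of the original post or of Etiko CMS. The function name, the allow-list, the size limit and the path in the usage comment are assumptions.

```php
<?php
// Added example (PHP 7+): hardened counterpart to upload_file() from the advisory.
// upload_profile_image(), $allowed and the 2 MiB limit are hypothetical names/values.

function upload_profile_image(array $file, string $dir, int $maxBytes = 2097152): string
{
    // Reject failed or oversized uploads and anything that is not a real HTTP upload.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > $maxBytes || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('invalid upload');
    }

    // Decide the type from the file content, never from the client-supplied name.
    $allowed = [
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
        'image/gif'  => 'gif',
    ];
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset($allowed[$mime]) || @getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not an accepted image type');
    }

    // Server-generated name with an extension taken from the allow-list:
    // the original name (and any ".php" in it) never reaches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];

    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        throw new RuntimeException('cannot create upload directory');
    }
    $dest = rtrim($dir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('cannot store upload');
    }
    chmod($dest, 0640); // data file, no execute bit (the quoted code used 0775)
    return $name;
}

// Usage (path is a placeholder):
// $stored = upload_profile_image($_FILES['image'], '/var/www/uploads/users');
```

Serving the upload directory with script execution disabled, or from outside the web root, is a second layer that does not depend on this function.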
 

DarkBLue

Thanks :)
 

SiLenTRaGe

thanks :D
 

Kurt


DarkBLue

Thanks BRO :D
 

fRaqS

thanks ;)
 

Copyright® Ajanlar.org 2012