路人甲 2014-03-15 07:52:31
MyBB Uploader 1.1.2 Shell Upload
漏洞描述
MyBB Uploader plugin version 1.1.2 suffers from a remote shell upload vulnerability.
测试代码
# Exploit Title: Mybb Plugin uploader 1.1.2 plugin Upload shell # Date: 2014 # Exploit Author: IRH # Tested on : 7,8 # version: 1.1.2 # Software Link: http://mods.mybb.com/download/plugin-uploader # ScreenShot : http://uploaderx.persiangig.com/pluginuploader_upload.png *************************************************** Exploit : http://localhost/mybb/admin/index.php?module=config-plugins&action=pluginuploader Info : Put the shell into zip and upload plugin (zip) to plugin uploader in mybb admin panel , now files in zip Extract in inc/plugins directory u can load your shell to /inc/plugins/pluginName/sh3ll.php *************************************************** Vulnerability code : if($mybb->input['from_mods_site'] == 1) { $plugin_temp_name = $mybb->input['plugin_name']; $path = MYBB_ROOT . "inc/plugins/temp/" . $plugin_temp_name; $pathinfo = array('extension' => 'zip'); $file_path = MYBB_ROOT . "inc/plugins/temp/" . $plugin_temp_name . ".zip"; } ------------------------------ // try to open the zip if(!@$zip->open($file_path)) { flash_message($lang->pluginuploader_error_upload, 'error'); admin_redirect("index.php?module=config-plugins&action=pluginuploader"); } // try to create a temporary directory for the files if(!pluginuploader_create_temp_dir($plugin_temp_name)) { flash_message($lang->pluginuploader_error_temp_dir, 'error'); admin_redirect("index.php?module=config-plugins&action=pluginuploader"); } // try to extract the files to the temp directory if(!@$zip->extractTo($path)) { flash_message($lang->pluginuploader_error_extract, 'error'); admin_redirect("index.php?module=config-plugins&action=pluginuploader"); } $zip->close(); break; case "php": // try to create a temporary directory for the file if(!pluginuploader_create_temp_dir($plugin_temp_name)) { flash_message($lang->pluginuploader_error_temp_dir, 'error'); admin_redirect("index.php?module=config-plugins&action=pluginuploader"); } *************************************************** TnX To : MojiRider,V30sharp,Black.viper,Zer0killer,SecretWalker,FarBodEzrail,Mrsco,Amirio,AL1R3Z4,3is@,Mr.a!i,Mr.3ler0n,Irblackhat,inj3ct0r,3inst3in,Remot3r,scoot3r,IRH Member ./IRaNHaCK.org