路人甲 2014-03-15 07:52:31
MyBB Uploader 1.1.2 Shell Upload
漏洞描述
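MyBB Uploader plugin version 1.1.2 suffers from a remote shell upload vulnerability. As far as this report shows, the affected page sits under the MyBB admin panel (admin/index.php), so the issue as described is reached with an administrator session; the practical risk is that such an account can place executable PHP files under inc/plugins.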
测试代码
# Exploit Title: Mybb Plugin uploader 1.1.2 plugin Upload shell
# Date: 2014
# Exploit Author: IRH
# Tested on : 7,8
# version: 1.1.2
# Software Link: http://mods.mybb.com/download/plugin-uploader
# ScreenShot : http://uploaderx.persiangig.com/pluginuploader_upload.png
***************************************************
Exploit :
http://localhost/mybb/admin/index.php?module=config-plugins&action=pluginuploader
Info :
Put the shell into a zip and upload it as a plugin (zip) to the plugin uploader
in the MyBB admin panel. The files in the zip are then extracted into the inc/plugins directory,
so the shell can be loaded from /inc/plugins/pluginName/sh3ll.php
***************************************************
Vulnerability code :
// Branch taken when the request flags the plugin as coming from the mods site.
// NOTE(review): 'plugin_name' is read straight from request input and is
// concatenated into two filesystem paths below; no validation of it is visible
// in this excerpt. A defensive version would reduce it to a bare name (for
// example basename() plus an allow-list of characters) before building
// $path and $file_path.
if($mybb->input['from_mods_site'] == 1)
{
$plugin_temp_name = $mybb->input['plugin_name'];
// Directory under inc/plugins/temp/ built from the request-supplied name.
$path = MYBB_ROOT . "inc/plugins/temp/" . $plugin_temp_name;
// The extension is hard-coded to 'zip' for this branch.
$pathinfo = array('extension' => 'zip');
// Location of the archive file, built from the same request-supplied name.
$file_path = MYBB_ROOT . "inc/plugins/temp/" . $plugin_temp_name . ".zip";
}
------------------------------
// NOTE(review): excerpt from the archive-handling branch; the code that
// creates $zip is not shown here.
// try to open the zip
// NOTE(review): assuming $zip is a ZipArchive, open() returns true on success
// and an integer error code on failure. A non-zero code is truthy, so this
// negated test likely does not catch failures; comparing with `=== true`
// would. The '@' also hides any PHP warning.
if(!@$zip->open($file_path))
{
flash_message($lang->pluginuploader_error_upload, 'error');
// NOTE(review): whether execution stops after admin_redirect() is not visible
// here - confirm, otherwise the steps below still run after an error.
admin_redirect("index.php?module=config-plugins&action=pluginuploader");
}
// try to create a temporary directory for the files
if(!pluginuploader_create_temp_dir($plugin_temp_name))
{
flash_message($lang->pluginuploader_error_temp_dir, 'error');
admin_redirect("index.php?module=config-plugins&action=pluginuploader");
}
// try to extract the files to the temp directory
// NOTE(review): every entry in the archive is written under $path; no check
// of entry names or file types is visible in this excerpt, so .php files in
// the archive land on disk as-is. Defensive options: inspect the entries
// before extracting (reject traversal sequences and unexpected file types)
// and keep the temp directory non-executable or outside the web root.
if(!@$zip->extractTo($path))
{
flash_message($lang->pluginuploader_error_extract, 'error');
admin_redirect("index.php?module=config-plugins&action=pluginuploader");
}
// Release the archive handle once extraction has been attempted.
$zip->close();
break;
case "php":
// try to create a temporary directory for the file
if(!pluginuploader_create_temp_dir($plugin_temp_name))
{
flash_message($lang->pluginuploader_error_temp_dir, 'error');
admin_redirect("index.php?module=config-plugins&action=pluginuploader");
}
***************************************************
TnX To :
MojiRider,V30sharp,Black.viper,Zer0killer,SecretWalker,FarBodEzrail,Mrsco,Amirio,AL1R3Z4,3is@,Mr.a!i,Mr.3ler0n,Irblackhat,inj3ct0r,3inst3in,Remot3r,scoot3r,IRH Member
./IRaNHaCK.org
