IDIC Blogs Shell Upload

2012.11.13
Credit: cr4wl3r
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-264

\#'#/ (-.-) --------------------oOO---(_)---OOo---------------------- | IDIC Blogs Arbitrary File Upload Vulnerability | --------------------------------------------------------- [!] Discovered: cr4wl3r <cr4wl3r[!]linuxmail.org> [!] Site: http://0xuht.org [!] Download: http://sourceforge.net/projects/idicblogs/files/ [!] Version: - [!] Date: 12.11.2012 [!] Remote: yes [!] Tested: Ubuntu [!] Reference: http://0xuht.org/Exploit/idic-blog.txt [!] Details: By issuing a POST request with a webshell embedded in a JPEG or PJPEG image it is possible to upload [!] Vulnerability Code [picture_upload.php] : <? } elseif (isset($_POST['subpage']) && $_POST['subpage'] == 'upload') { $idir="./members_orgimage/"; $string = md5(rand(0,9999)); $harland = substr($string, 17, 5); $url = $_FILES['imagefile']['name']; /* Set $url To Equal The Filename For Later Use */ if ($_FILES['imagefile']['type'] == "image/jpg" || $_FILES['imagefile']['type'] == "image/jpeg" || $_FILES['imagefile']['type'] == "image/pjpeg") { // $file_ext = strrchr($_FILES['imagefile']['name'], '.'); // $file_ext = strrchr($_FILES['imagefile']['name'], "."); $file_ext = strtolower(substr(strrchr($_FILES['imagefile']['name'], "."), 1)); /* Get The File Extention In The Format Of , For Instance, .jpg, .gif or .php */ $copy = copy($_FILES['imagefile']['tmp_name'], "$idir" . $_FILES['imagefile']['name']); /* Move Image From Temporary Location To Permanent Location */ if ($copy) { $newimage = "$harland-$url"; cropImage("50", "50", "./members_orgimage/$url", "jpg", "./members_thumbs/$newimage"); $query = mysql_query("UPDATE blogssmembers SET picname='$newimage' WHERE username='$ses_bloguser'") or die (mysql_error()); $result = mysql_query($query); $es = 'Image uploaded successfully.<br />'; }else{ $es = 'ERROR: Unable to upload image<br />'; } } else { $es = 'ERROR: Wrong filetype (has to be a .jpg or .jpeg.)<br />'; } } if($es){ ?> [!] PoC (Piye om Carane): [IDIC_Blogs]/picture_upload.php [!] Shell: [IDIC_Blogs]//members_orgimage/shell.php.pjpeg [!] Demo: http://0xuht.org/demo/idic-blog1.png http://0xuht.org/demo/idic-blog2.png [!] Thanks: packetstormsecurity // Gorontalo [2012-11-12]

References:

http://0xuht.org
http://sourceforge.net/projects/idicblogs/files/


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top