IDIC Blogs Shell Upload

2012-11-12T00:00:00
ID PACKETSTORM:118037
Type packetstorm
Reporter cr4wl3r
Modified 2012-11-12T00:00:00

Description

                                        
                                            ` \#'#/  
(-.-)  
--------------------oOO---(_)---OOo----------------------  
| IDIC Blogs Arbitrary File Upload Vulnerability |  
---------------------------------------------------------  
[!] Discovered: cr4wl3r <cr4wl3r[!]linuxmail.org>  
[!] Site: http://0xuht.org  
[!] Download: http://sourceforge.net/projects/idicblogs/files/  
[!] Version: -  
[!] Date: 12.11.2012  
[!] Remote: yes  
[!] Tested: Ubuntu  
[!] Reference: http://0xuht.org/Exploit/idic-blog.txt  
  
[!] Details:  
By issuing a POST request with a webshell  
embedded in a JPEG or PJPEG image it is possible to upload  
  
  
[!] Vulnerability Code [picture_upload.php] :  
  
<?   
} elseif (isset($_POST['subpage']) && $_POST['subpage'] == 'upload') {  
  
$idir="./members_orgimage/";   
$string = md5(rand(0,9999));  
$harland = substr($string, 17, 5);  
  
$url = $_FILES['imagefile']['name']; /* Set $url To Equal The Filename For Later Use */  
if ($_FILES['imagefile']['type'] == "image/jpg" || $_FILES['imagefile']['type'] == "image/jpeg" || $_FILES['imagefile']['type'] == "image/pjpeg") {   
  
// $file_ext = strrchr($_FILES['imagefile']['name'], '.');   
// $file_ext = strrchr($_FILES['imagefile']['name'], ".");   
$file_ext = strtolower(substr(strrchr($_FILES['imagefile']['name'], "."), 1));  
  
/* Get The File Extention In The Format Of , For Instance, .jpg, .gif or .php */  
$copy = copy($_FILES['imagefile']['tmp_name'], "$idir" . $_FILES['imagefile']['name']);   
/* Move Image From Temporary Location To Permanent Location */  
if ($copy) {  
$newimage = "$harland-$url";  
  
cropImage("50", "50", "./members_orgimage/$url", "jpg", "./members_thumbs/$newimage");  
  
$query = mysql_query("UPDATE blogssmembers SET picname='$newimage' WHERE username='$ses_bloguser'") or die (mysql_error());  
$result = mysql_query($query);  
  
$es = 'Image uploaded successfully.<br />';   
}else{  
$es = 'ERROR: Unable to upload image<br />';   
}  
} else {  
$es = 'ERROR: Wrong filetype (has to be a .jpg or .jpeg.)<br />';   
}   
}  
if($es){  
?>  
  
  
[!] PoC (Piye om Carane):  
  
[IDIC_Blogs]/picture_upload.php  
  
[!] Shell:  
  
[IDIC_Blogs]//members_orgimage/shell.php.pjpeg  
  
[!] Demo:  
  
http://0xuht.org/demo/idic-blog1.png  
http://0xuht.org/demo/idic-blog2.png  
  
[!] Thanks: packetstormsecurity  
  
// Gorontalo [2012-11-12]  
`