ProjectPier 0.8.8 Shell Upload

2012-10-03T00:00:00
ID 1337DAY-ID-19499
Type zdt
Reporter BlackHawk
Modified 2012-10-03T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            ProjectPier <= 0.8.8 Remote Code Execution by BlackHawk

Thanks to alisael for the time spent together. Half credits goes to her ;)

01/11/2012
ProjectPier come with a upload.php file under ./tools/, that is the GUI for  upload_file.php

----------------------------
<?php
header("Content-Type: text/plain");

  if ($_FILES["file"]["error"] > 0) {
    echo $_FILES["file"]["error"] . " " . $_FILES["file"]["name"] . " " . $_FILES["file"]["tmp_name"];
  } else {

    $folder = rtrim( './upload/' . $_POST['folder'] , '/');
    @mkdir($folder, 0777, true);

    $seq = str_pad((int) $_POST["part"],4,"0",STR_PAD_LEFT);
    move_uploaded_file($_FILES["file"]["tmp_name"],
    $folder . '/' . $_FILES["file"]["name"] . '-' . $seq ); // <-- XXXX
    echo $_FILES["file"]["error"] . " " . $folder . '/' . $_FILES["file"]["name"] . '-' . $seq;
  }
?>

-----------------------------

the file is uploaded in a fresh made dir, with the original name PLUS a minus (-) PLUS a sequence of 4 digits.
As Apache, if the filename got 2 extension (filename.one.two), when do not recognize the exstension (two), try to recognize the first one (one), and act as it's the correct one, you just need to rename a PHP shell in:

filename.php.1

and then call directly the file from the browser.




#  0day.today [2018-04-12]  #