Yesterday, I found some serious vulnerabilities (yes, it has so many vulnerabilities) in a project management application. One of them is an arbitrary file upload. I also finished writing a script to exploit it, but I will not publish the vulnerabilities or the exploit now. Maybe later, after the developer has finished fixing the bugs.

Today, I opened exploit-db.com to search for other applications that also have an arbitrary file upload vulnerability. I found some, and I chose this bug.

This bug is simple, but it has a very serious impact: the upload handler stores whatever file it receives, under the name it was sent with, in a directory that the web server serves, so the stored file can then be requested directly.

Let's start:

Download the vulnerable application; you can find it here.

Make an HTML form for the upload. This step is not important for the exploit itself; it is just for testing the upload manually.

<html>
<head>
</head>
<body>
<form name="fileuploadexample" method="post" enctype="multipart/form-data"
      action="upload_process.php">
  <input type="file" name="f" />
  <input type="submit" name="submit" value="Submit" />
</form>
</body>
</html>

Make a script to process the upload. I named it upload_process.php.

<?php

require_once "HTTP/Upload.php";

$upload = new HTTP_Upload("en");
$file   = $upload->getFiles("f");

if ($file->isValid()) {
    // No check on the file name, extension or content: whatever was sent is
    // written as-is into uploads/, a directory served by the web server.
    $moved = $file->moveTo('uploads/');

    if (!PEAR::isError($moved)) {
        // The response echoes the stored name, so the caller learns where the file is.
        echo json_encode(array("message" => "success", "name" => $file->getProp('name')));
    } else {
        echo json_encode(array("message" => "error", "name" => "none"));
    }
} elseif ($file->isMissing()) {
    echo "No file was provided.";
} elseif ($file->isError()) {
    echo $file->errorMsg();
}

?>

Now, for the exploit. It requires some parameters.

  1. Root path URL of the vulnerable application (required).
  2. Path of the PHP script that processes the upload (required).
  3. Path of the directory where the uploaded files are saved (required).
  4. A choice of whether to use an OS shell command or PHP eval; the default is os-shell, and you can pick either.

How it works is simple:

  1. It uploads a file to the upload directory. What you have to know is the response of the upload process, whether it failed or succeeded, and also the other response messages.
  2. If the upload succeeded, it accesses the uploaded file.
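As an added example (not the post's own code), here is upload_process.php rewritten so that both steps above fail: the file name and content must match an allowlist, the stored name is chosen by the server, and the file goes outside the web root so there is nothing to access afterwards. It uses PEAR HTTP_Upload as on the page; that setName() accepts a literal file name and that getProp('size') and getProp('tmp_name') exist is assumed from the PEAR documentation, and the storage path is a placeholder.

```php
<?php
// Hardened replacement for upload_process.php (added example, not the post's code).
// HTTP_Upload methods used as on the page; setName() taking a literal file name and
// getProp('size') / getProp('tmp_name') are assumed from the PEAR documentation.
require_once "HTTP/Upload.php";

// Placeholder path: a directory OUTSIDE the document root, so a stored file can
// never be requested (and therefore never executed) through the web server.
define('UPLOAD_DIR', '/var/app/private_uploads/');
define('MAX_BYTES', 2 * 1024 * 1024);

// Allowlist: permitted extension -> the MIME type its content must really have.
$allowed = array('png' => 'image/png', 'jpg' => 'image/jpeg',
                 'jpeg' => 'image/jpeg', 'pdf' => 'application/pdf');

function reject($reason) {
    header('Content-Type: application/json');
    echo json_encode(array("message" => "error", "name" => "none", "reason" => $reason));
    exit;
}

$upload = new HTTP_Upload("en");
$file   = $upload->getFiles("f");

if ($file->isMissing()) { reject("no file was provided"); }
if ($file->isError())   { reject($file->errorMsg()); }
if (!$file->isValid())  { reject("invalid upload"); }
if ($file->getProp('size') > MAX_BYTES) { reject("file too large"); }

// Extension check on the client-supplied name (basename() strips any path part).
$ext = strtolower(pathinfo(basename($file->getProp('name')), PATHINFO_EXTENSION));
if (!isset($allowed[$ext])) { reject("extension not allowed"); }

// Content check: sniff the temporary file, never trust the declared type.
$finfo = new finfo(FILEINFO_MIME_TYPE);
if ($finfo->file($file->getProp('tmp_name')) !== $allowed[$ext]) {
    reject("content does not match extension");
}

// Discard the client's name: server-chosen random name with the vetted extension.
$safe = bin2hex(random_bytes(16)) . '.' . $ext;
$file->setName($safe);

$moved = $file->moveTo(UPLOAD_DIR, false);
if (PEAR::isError($moved)) { reject("could not store file"); }

header('Content-Type: application/json');
echo json_encode(array("message" => "success", "name" => $safe));
```

Files are served back, if at all, through a separate download script that reads from UPLOAD_DIR and sets its own Content-Type, never by a direct URL.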

You can download the exploit here.

See the images below:

[image: http-upload-1]

[image: http-upload-2]
