Waraxe IT Security Portal

pZourk · Regular user

A site has a file upload cgi script. I am able to upload anything to http://www.example.com/dropbox/files/ (I know of no way to specify the output folder) but also delete any file from example.com and all subfolders (It is on shared hosting, so I can go no higher than the public_html). I have tried uploading php files, but when I try to run them, I get a 500 server error.
I know I could just cause havok, but I am most interested in getting passwords from their phpbb 2.0.20 forum at http://www.example.com/forum/
Any suggestion of how I can accomplish this?
Thanks.

gibbocool · Advanced user

So any php file you upload gives 500 error?
Do other php files already on the server work?
Maybe the default permissions don't allow you to run the files.

Otherwise try and make a cgi script that will read the phpbb config file and output it.

pZourk · Regular user

The only working php files on the site are not in the upload folder. The only ones ever in there are ones I hav tried uploading. I had not thought of using cgi. I will try that.

UPDATE:
I tried cgi and recieved the same error I get with php files. (500 Internal Server Error The server encountered an internal error or misconfiguration and was unable to complete your request.)
I have also determined that the upload cgi being used is the same as described here.

mge · Valuable expert

uploading and executing .cgi scripts most likely won't work because they won't have the right permission to be executed by the webserver (chmod 755).

come to think of it, what you COULD do is look for a .cgi file that has 777 and try to overwrite it. don't delete it or the 777 permission will be lost. however, as it replaces the old file i would be careful with that option of course.

is it possible to upload outside of the upload folder? i suspect the webmaster has disabled php execution there.

pZourk · Regular user

mge · Valuable expert

i have an idea for the following case:

1) the file name in itself stays the same when uploading (e.g. you are uploading "sample.php" from your local disk and it keeps the name)
2) the upload script doesn't replace or remove dots (.) and slashes (/) in the file name
3) the directory above (or one of them) is writable for the web server

if all of the above match you could try forging a POST request. in submitting the form you post not only the content but also the file name (how else would it know which name to keep?)
so if you just add a "../" in front of it - or maybe use an absolute path altogether, it might work.

i just tested it with a simple upload CGI on my local server.

edit: if it's really that perlscriptsjavascripts.com script they are using, it won't work.

pexli · Valuable expert

Try to upload .htaccess with this inside
AddType application/x-httpd-php .html

Then put in some .txt file php code and rename to .html and upload on server.

lenny · Valuable expert

Couldn't you write yourself a CGI script and hope that CGI is not locked to the cgi-bin?

mge · Valuable expert

@lenny:

pexli · Valuable expert

pZourk · Regular user

.htaccess is renamed to 1.htaccess
Thank you for the help though.

lenny · Valuable expert

Sorry, i hadnt noticed Confused

Anyway, did you manage to pull off any exploit... or are you calling it quits?

pZourk · Regular user

I think I will call it quits on this one. The best I have gotten there is access to a user that can only see some 'secret' subforums, which is how I found out about the file uploader. Once again thanks.