|
Menu |
|
|
Home |
| |
|
Discussions |
| |
|
Tools |
| |
|
Affiliates |
| |
|
Content |
| |
|
Info |
| | |
|
|
|
|
|
User Info |
|
Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 111
Members: 0
Total: 111
|
|
|
|
|
|
Full disclosure |
|
|
|
|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
What can I do with this? |
|
Posted: Sun Jul 20, 2008 12:30 am |
|
|
pZourk |
Regular user |
|
|
Joined: Jun 30, 2008 |
Posts: 8 |
|
|
|
|
|
|
|
A site has a file upload cgi script. I am able to upload anything to http://www.example.com/dropbox/files/ (I know of no way to specify the output folder) but also delete any file from example.com and all subfolders (It is on shared hosting, so I can go no higher than the public_html). I have tried uploading php files, but when I try to run them, I get a 500 server error.
I know I could just cause havok, but I am most interested in getting passwords from their phpbb 2.0.20 forum at http://www.example.com/forum/
Any suggestion of how I can accomplish this?
Thanks. |
|
|
|
|
Posted: Sun Jul 20, 2008 12:47 am |
|
|
gibbocool |
Advanced user |
|
|
Joined: Jan 22, 2008 |
Posts: 208 |
|
|
|
|
|
|
|
So any php file you upload gives 500 error?
Do other php files already on the server work?
Maybe the default permissions don't allow you to run the files.
Otherwise try and make a cgi script that will read the phpbb config file and output it. |
|
|
|
|
Posted: Sun Jul 20, 2008 12:53 am |
|
|
pZourk |
Regular user |
|
|
Joined: Jun 30, 2008 |
Posts: 8 |
|
|
|
|
|
|
|
The only working php files on the site are not in the upload folder. The only ones ever in there are ones I hav tried uploading. I had not thought of using cgi. I will try that.
UPDATE:
I tried cgi and recieved the same error I get with php files. (500 Internal Server Error The server encountered an internal error or misconfiguration and was unable to complete your request.)
I have also determined that the upload cgi being used is the same as described here. |
|
|
|
|
|
|
|
|
Posted: Sun Jul 20, 2008 1:28 am |
|
|
mge |
Valuable expert |
|
|
Joined: Jul 16, 2008 |
Posts: 142 |
|
|
|
|
|
|
|
uploading and executing .cgi scripts most likely won't work because they won't have the right permission to be executed by the webserver (chmod 755).
come to think of it, what you COULD do is look for a .cgi file that has 777 and try to overwrite it. don't delete it or the 777 permission will be lost. however, as it replaces the old file i would be careful with that option of course.
is it possible to upload outside of the upload folder? i suspect the webmaster has disabled php execution there. |
|
|
|
|
Posted: Sun Jul 20, 2008 2:00 am |
|
|
pZourk |
Regular user |
|
|
Joined: Jun 30, 2008 |
Posts: 8 |
|
|
|
|
|
|
|
mge wrote: | is it possible to upload outside of the upload folder? i suspect the webmaster has disabled php execution there. | That's exactly my problem. I cannot.
If I was able to, I would have those passwords a long time ago. |
|
|
|
|
|
|
|
|
Posted: Sun Jul 20, 2008 3:13 am |
|
|
mge |
Valuable expert |
|
|
Joined: Jul 16, 2008 |
Posts: 142 |
|
|
|
|
|
|
|
i have an idea for the following case:
1) the file name in itself stays the same when uploading (e.g. you are uploading "sample.php" from your local disk and it keeps the name)
2) the upload script doesn't replace or remove dots (.) and slashes (/) in the file name
3) the directory above (or one of them) is writable for the web server
if all of the above match you could try forging a POST request. in submitting the form you post not only the content but also the file name (how else would it know which name to keep?)
so if you just add a "../" in front of it - or maybe use an absolute path altogether, it might work.
i just tested it with a simple upload CGI on my local server.
edit: if it's really that perlscriptsjavascripts.com script they are using, it won't work.
Code: | # get the file name, this removes everything up to and including the
# last slash found ( be it a forward or back slash )
$fileName =~ s/^.*(\\|\/)//; |
i don't have any other idea for now, sorry would have been a stretch anyway to find a world-writable directory with permission to execute php |
|
|
|
|
|
|
|
|
Posted: Mon Jul 21, 2008 11:37 am |
|
|
pexli |
Valuable expert |
|
|
Joined: May 24, 2007 |
Posts: 665 |
Location: Bulgaria |
|
|
|
|
|
|
Try to upload .htaccess with this inside
AddType application/x-httpd-php .html
Then put in some .txt file php code and rename to .html and upload on server. |
|
|
|
|
Posted: Mon Jul 21, 2008 3:07 pm |
|
|
lenny |
Valuable expert |
|
|
Joined: May 15, 2008 |
Posts: 275 |
|
|
|
|
|
|
|
Couldn't you write yourself a CGI script and hope that CGI is not locked to the cgi-bin? |
|
Last edited by lenny on Wed Jul 23, 2008 12:39 pm; edited 1 time in total |
|
|
|
Posted: Mon Jul 21, 2008 5:13 pm |
|
|
mge |
Valuable expert |
|
|
Joined: Jul 16, 2008 |
Posts: 142 |
|
|
|
|
|
|
|
@lenny:
pZourk wrote: | UPDATE:
I tried cgi and recieved the same error I get with php files. (500 Internal Server Error The server encountered an internal error or misconfiguration and was unable to complete your request.) |
|
|
|
|
|
Posted: Mon Jul 21, 2008 7:19 pm |
|
|
pexli |
Valuable expert |
|
|
Joined: May 24, 2007 |
Posts: 665 |
Location: Bulgaria |
|
|
|
|
|
|
mge wrote: | @lenny:
pZourk wrote: | UPDATE:
I tried cgi and recieved the same error I get with php files. (500 Internal Server Error The server encountered an internal error or misconfiguration and was unable to complete your request.) |
|
|
|
|
|
|
Posted: Tue Jul 22, 2008 3:59 am |
|
|
pZourk |
Regular user |
|
|
Joined: Jun 30, 2008 |
Posts: 8 |
|
|
|
|
|
|
|
.htaccess is renamed to 1.htaccess
Thank you for the help though. |
|
|
|
|
Posted: Wed Jul 23, 2008 12:02 pm |
|
|
lenny |
Valuable expert |
|
|
Joined: May 15, 2008 |
Posts: 275 |
|
|
|
|
|
|
|
Sorry, i hadnt noticed
Anyway, did you manage to pull off any exploit... or are you calling it quits? |
|
|
|
|
Posted: Thu Jul 24, 2008 11:11 pm |
|
|
pZourk |
Regular user |
|
|
Joined: Jun 30, 2008 |
Posts: 8 |
|
|
|
|
|
|
|
I think I will call it quits on this one. The best I have gotten there is access to a user that can only see some 'secret' subforums, which is how I found out about the file uploader. Once again thanks. |
|
|
|
|
www.waraxe.us Forum Index -> Newbies corner
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|