IT Security and Insecurity Portal

Possible RFI? Shed Some Light Please!

Posted: Thu Oct 09, 2008 4:25 pm
Cablekid
Advanced user
Joined: Jul 14, 2007
Posts: 85

Help me out.
Alright, I have a website that lets you upload image files.
I found out that if you do http://site.com/insert_image.php?dir=..%2F..
it shows you the directory and it also lets you upload an image to that directory.
So my question is, is there any other way to maybe use a shell? I was thinking about uploading a shell, but in config.php it only defines jpgs and gifs.
Code:
<?php
require('config.inc.php');
error_reporting(0);
// get the identifier of the editor
$wysiwyg = $_GET['wysiwyg'];
// set image dir
$leadon = $rootdir.$imagebasedir;
if($leadon=='.') $leadon = '';
if((substr($leadon, -1, 1)!='/') && $leadon!='') $leadon = $leadon . '/';
$startdir = $leadon;
// validate the directory: a user-supplied value replaces the configured base dir
$_GET['dir'] = $_POST['dir'] ? $_POST['dir'] : $_GET['dir'];
if($_GET['dir']) {
    if(substr($_GET['dir'], -1, 1)!='/') {
        $_GET['dir'] = $_GET['dir'] . '/';
    }
    $dirok = true;
    $dotdotdir = '';
    $dirnames = explode('/', $_GET['dir']); // explode() instead of the removed split()
    for($di=0; $di<sizeof($dirnames); $di++) {
        if($di<(sizeof($dirnames)-2)) {
            $dotdotdir = $dotdotdir . $dirnames[$di] . '/';
        }
    }
    // only an absolute path and the base dir itself are rejected;
    // '..' segments are never checked, so dir=../.. walks out of the image directory
    if(substr($_GET['dir'], 0, 1)=='/') {
        $dirok = false;
    }
    if($_GET['dir'] == $leadon) {
        $dirok = false;
    }
    if($dirok) {
        $leadon = $_GET['dir'];
    }
}
// upload file
if($allowuploads && $_FILES['file']) {
    $upload = true;
    if(!$overwrite) {
        if(file_exists($leadon.$_FILES['file']['name'])) {
            $upload = false;
        }
    }
    // only the text after the last dot is compared against the whitelist
    $ext = strtolower(substr($_FILES['file']['name'], strrpos($_FILES['file']['name'], '.')+1));
    if(!in_array($ext, $supportedextentions)) {
        $upload = false;
    }
    if($upload) {
        // the client-supplied file name is reused unchanged inside the chosen directory
        move_uploaded_file($_FILES['file']['tmp_name'], $leadon . $_FILES['file']['name']);
    }
}
if($allowuploads) {
    $phpallowuploads = (bool) ini_get('file_uploads');
    $phpmaxsize = ini_get('upload_max_filesize');
    $phpmaxsize = trim($phpmaxsize);
    $last = strtolower($phpmaxsize[strlen($phpmaxsize)-1]); // [] instead of the removed {} string offset
    switch($last) {
        case 'g':
            $phpmaxsize *= 1024;
        case 'm':
            $phpmaxsize *= 1024;
    }
}
?>

Posted: Thu Oct 09, 2008 4:37 pm
lenny
Valuable expert
Joined: May 15, 2008
Posts: 275

Do you have the entire source code? You could try to upload a php file with the image/jpeg content type - that method has worked for me several times, the only problem being if the code checks the file extensions of the uploaded files...

Posted: Thu Oct 09, 2008 4:46 pm
Cablekid
Advanced user
Joined: Jul 14, 2007
Posts: 85

How does one do that?
Here is the entire source.
config.inc.php
Code:
<?php
/*
 * Path to a directory which holds the images.
 */
$imagebasedir = '../../uploads';
/*
 * An absolute or relative URL to the image folder.
 * This url is used to generate the source of the image.
 */
$imagebaseurl = 'uploads';
/*
 * Allow your users to browse the subdirs of the defined basedir.
 */
$browsedirs = true;
/*
 * If enabled users will be able to upload
 * files to any viewable directory. You should really only enable
 * this if the area this script is in is already password protected.
 */
$allowuploads = true;
/*
 * If a user uploads a file with the same
 * name as an existing file do you want the existing file
 * to be overwritten?
 */
$overwrite = false;
/*
 * Define the extensions you want to show within the
 * directory listing. The extensions also limit the
 * files the user can upload to your image folders.
 */
$supportedextentions = array(
    'gif',
    'png',
    'jpeg',
    'jpg',
    'bmp'
);
/*
 * If you want to add your own special file icons use
 * this section below. Each entry relates to the extension of the
 * given file, in the form <extension> => <filename>.
 * These files must be located within the dlf directory.
 */
$filetypes = array (
    'png' => 'jpg.gif',
    'jpeg' => 'jpg.gif',
    'bmp' => 'jpg.gif',
    'jpg' => 'jpg.gif',
    'gif' => 'gif.gif',
    'psd' => 'psd.gif',
);
?>

insert_image.php
Code:
<?php
require('config.inc.php');
error_reporting(0);
// get the identifier of the editor
$wysiwyg = $_GET['wysiwyg'];
// set image dir
$leadon = $rootdir.$imagebasedir;
if($leadon=='.') $leadon = '';
if((substr($leadon, -1, 1)!='/') && $leadon!='') $leadon = $leadon . '/';
$startdir = $leadon;
// validate the directory: a user-supplied value replaces the configured base dir
$_GET['dir'] = $_POST['dir'] ? $_POST['dir'] : $_GET['dir'];
if($_GET['dir']) {
    if(substr($_GET['dir'], -1, 1)!='/') {
        $_GET['dir'] = $_GET['dir'] . '/';
    }
    $dirok = true;
    $dotdotdir = '';
    $dirnames = explode('/', $_GET['dir']); // explode() instead of the removed split()
    for($di=0; $di<sizeof($dirnames); $di++) {
        if($di<(sizeof($dirnames)-2)) {
            $dotdotdir = $dotdotdir . $dirnames[$di] . '/';
        }
    }
    // only an absolute path and the base dir itself are rejected;
    // '..' segments are never checked, so dir=../.. walks out of the image directory
    if(substr($_GET['dir'], 0, 1)=='/') {
        $dirok = false;
    }
    if($_GET['dir'] == $leadon) {
        $dirok = false;
    }
    if($dirok) {
        $leadon = $_GET['dir'];
    }
}
// upload file
if($allowuploads && $_FILES['file']) {
    $upload = true;
    if(!$overwrite) {
        if(file_exists($leadon.$_FILES['file']['name'])) {
            $upload = false;
        }
    }
    // only the text after the last dot is compared against the whitelist
    $ext = strtolower(substr($_FILES['file']['name'], strrpos($_FILES['file']['name'], '.')+1));
    if(!in_array($ext, $supportedextentions)) {
        $upload = false;
    }
    if($upload) {
        // the client-supplied file name is reused unchanged inside the chosen directory
        move_uploaded_file($_FILES['file']['tmp_name'], $leadon . $_FILES['file']['name']);
    }
}
if($allowuploads) {
    $phpallowuploads = (bool) ini_get('file_uploads');
    $phpmaxsize = ini_get('upload_max_filesize');
    $phpmaxsize = trim($phpmaxsize);
    $last = strtolower($phpmaxsize[strlen($phpmaxsize)-1]); // [] instead of the removed {} string offset
    switch($last) {
        case 'g':
            $phpmaxsize *= 1024;
        case 'm':
            $phpmaxsize *= 1024;
    }
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
</head>
<table width="200" border="0" cellpadding="0" cellspacing="0" style="background-color: #F7F7F7; border: 2px solid #FFFFFF; padding: 5px;">
<tr>
<td style="width: 115px;padding-bottom: 2px; padding-top: 0px; font-family: arial, verdana, helvetica; font-size: 11px;" width="100">Alignment:</td>
<td style="width: 85px;padding-bottom: 2px; padding-top: 0px;">
<select name="align" id="align" style="font-family: arial, verdana, helvetica; font-size: 11px; width: 100%;">
<option value="">Not Set</option>
<option value="left">Left</option>
<option value="right">Right</option>
<option value="texttop">Texttop</option>
<option value="absmiddle">Absmiddle</option>
<option value="baseline">Baseline</option>
<option value="absbottom">Absbottom</option>
<option value="bottom">Bottom</option>
<option value="middle">Middle</option>
<option value="top">Top</option>
</select>
</td>
</tr>
<tr>
<td style="padding-bottom: 2px; padding-top: 0px; font-family: arial, verdana, helvetica; font-size: 11px;">Horizontal Space:</td>
<td style="padding-bottom: 2px; padding-top: 0px;"><input type="text" name="hspace" id="hspace" value="" style="font-size: 10px; width: 100%;"></td>
</tr>
<tr>
<td style="padding-bottom: 2px; padding-top: 0px; font-family: arial, verdana, helvetica; font-size: 11px;">Vertical Space:</td>
<td style="padding-bottom: 2px; padding-top: 0px;"><input type="text" name="vspace" id="vspace" value="" style="font-size: 10px; width: 100%;"></td>
</tr>
</table>
</td>
</tr>
</table>
</td>
<td style="vertical-align: top;width: 150px; padding-left: 5px;">
<span style="font-family: arial, verdana, helvetica; font-size: 11px; font-weight: bold;">Select Image:</span>
<iframe id="chooser" frameborder="0" style="height:165px;width: 180px;border: 2px solid #FFFFFF; padding: 5px;" src="select_image.php?dir=<?php echo $leadon; ?>"></iframe>
</td>
</tr>
<tr>
<td colspan="2" align="right" style="padding-top: 5px;">
<input type="submit" value=" Submit " onclick="insertImage();return false;" style="font-size: 12px;">
<?php if ( $allowuploads ) { ?>
<input type="submit" value=" Upload " style="font-size: 12px;">
<?php } ?>
<input type="button" value=" Cancel " onclick="window.close();" style="font-size: 12px;">
</td>
</tr>
</form>
</table>
</body>
</html>
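A hardened version of the two checks this thread turns on (the dir parameter and the extension test), added here as an example and not code from the script Cablekid posted; it assumes PHP 7.4 or later, core getimagesize(), and the function names resolve_upload_dir and safe_image_name are mine.

```php
<?php
// Added example, not the script from the thread: hardened replacements for the
// directory check and the upload check in insert_image.php (PHP 7.4+).
declare(strict_types=1);

// Resolve $requested relative to $base and return the canonical path only if it
// is $base itself or a directory below it. '..', symlinks and absolute paths that
// leave $base yield null instead of a directory outside the image tree.
function resolve_upload_dir(string $base, string $requested): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;                                  // base dir must exist
    }
    if ($requested === '') {
        return $baseReal;                             // no subdir requested
    }
    // Reject absolute paths and NUL bytes before the filesystem is consulted.
    if ($requested[0] === '/' || strpos($requested, "\0") !== false) {
        return null;
    }
    $target = realpath($baseReal . '/' . $requested);
    if ($target === false || !is_dir($target)) {
        return null;                                  // must already exist
    }
    // Compare with a trailing separator so /var/uploads2 is not accepted for /var/uploads.
    $inside = $target === $baseReal || strpos($target, $baseReal . '/') === 0;
    return $inside ? $target : null;
}

// Decide whether an upload may be stored. The client file name only supplies the
// extension; the stored name is random, so names like home1.php.jpg and silent
// overwrites cannot occur, and the bytes themselves are checked with getimagesize().
function safe_image_name(string $clientName, string $tmpPath, array $allowed): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        return null;
    }
    $info = @getimagesize($tmpPath);                  // false for non-image content
    if ($info === false) {
        return null;
    }
    // Store under the extension of the detected type, not the one the client claimed.
    $byType = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_BMP => 'bmp'];
    if (!isset($byType[$info[2]])) {
        return null;
    }
    return bin2hex(random_bytes(16)) . '.' . $byType[$info[2]];
}
```

Call resolve_upload_dir() with $imagebasedir and the dir parameter, and pass the result of safe_image_name() to move_uploaded_file() instead of the client name. The upload directory should additionally be served with script execution disabled and AllowOverride None, so an uploaded .htaccess is ignored by the web server.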

Posted: Thu Oct 09, 2008 6:08 pm
pexli
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria


Posted: Thu Oct 09, 2008 6:49 pm
Cablekid
Advanced user
Joined: Jul 14, 2007
Posts: 85

YES U ROCK I DID MY VERY FIRST EXPLOIT! AWESOME! MY OWN!
SWEET!

Posted: Thu Oct 09, 2008 7:32 pm
pexli
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria


Posted: Thu Oct 09, 2008 8:25 pm
Cablekid
Advanced user
Joined: Jul 14, 2007
Posts: 85

How does one go about submitting this to milw0rm?
Do you send an email?

Posted: Fri Oct 10, 2008 6:34 am
pexli
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria

Before you submit something on milw0rm you need to investigate why this hole is working here but not working there. Google helps you.

Posted: Fri Oct 10, 2008 5:13 pm
Cablekid
Advanced user
Joined: Jul 14, 2007
Posts: 85

Alright,
Question for ya..
When I upload the shell on some sites, it says
Code:
Forbidden
You don't have permission to access /graph/tmp/home1.php.jpg on this server.
when I go to it. Is that because the server doesn't chmod it to be readable?
If so, is there any other way you can upload shells?

Posted: Fri Oct 10, 2008 5:18 pm
pexli
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria

Cablekid wrote:
    Alright,
    Question for ya..
    When I upload the shell on some sites, it says
    Code:
    Forbidden
    You don't have permission to access /graph/tmp/home1.php.jpg on this server.
    when I go to it. Is that because the server doesn't chmod it to be readable?
    If so, is there any other way you can upload shells?

Yep. This depends on server settings. If you try like this
/graph/tmp/home1.php

Posted: Fri Oct 10, 2008 6:42 pm
Cablekid
Advanced user
Joined: Jul 14, 2007
Posts: 85

Ya, I tried like this
/graph/tmp/home1.php
and like this /graph/tmp/home1.php.jpg
Same thing, so it's not possible to upload PHP to this site?

Posted: Fri Oct 10, 2008 9:08 pm
pexli
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria

Try to upload .htaccess with
AddType application/x-httpd-php .php
Try .htaccess%00

Posted: Fri Oct 10, 2008 10:51 pm
Cablekid
Advanced user
Joined: Jul 14, 2007
Posts: 85

Smart idea, I tried it, still didn't work.
www.waraxe.us Forum Index -> Remote file inclusion
Powered by phpBB © 2001-2008 phpBB Group