lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: 2 Nov 2006 06:30:54 -0000
From: securfrog@...il.com
To: bugtraq@...urityfocus.com
Subject: how to trick most of cms avatar upload filter [exemple for :
 RunCms (PoC)]

/*==========================================*/
//how to trick cms avatar upload 
//exemple for : RunCms (PoC)
//Bug : avatar/php-shell upload 
//Product: RunCms
//URL: http://www.runcms.org/
//RISK: hight
/*==========================================*/

you can upload a crafted picture on most of cms .
there's actually one protection agains that:
it's to reconvert the picture name uploaded ( see = http://us3.php.net/manual/en/features.file-upload.php )
so the picture called picture.jpg will be renamed has 12d32f2jk25r543jk2ljn543.jpg 

now on a webserver , a script is called & executed with the extension , so if you rename & upload a crafted picture , like this :
http://site.com/script.php.jpg 
you will get the php code in the picture executed .(if there's some php code in the crafted picture)
the reverse ( http://site.jpg.php ) will never work ,  it's usually because the avatar upload filter look for the last extension.

so now we need to trick the upload filter , if you do a simple php script named "script.php" ,it will never work , 
our goal is to trick the avatar filter , so we need a reel picture .
then you need to take a good file editor , like: notepad++ 
(you can take whatever picture , and edit it without destroying it .)
we need to put some php code AFTER the picture code . 
when  it's done , try the picture if it still work , if yes , we are ok :).
here's an exemple of a crafted picture :
http://s-a-p.ca/release/sp.php.zip
just upload the picture has your avatar , for Runcms and do a right click ===> property , on your avatar , look at the link ,
and call it with firefox , opera , safary , etc , once this is done you have a php backdoor uploaded in . 
usually in: http://site.com/[runcms_path]/images/avatar/sp.php.jpg
 

ps:this doesn't work with IE .

regards , securfrog@...il.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ