MiniFileHost - Bypass Upload

MiniFileHost v1.5
HomePage : http://www.galaxyscripts.com/
Vulnerability : Bypass Upload

Sec-Test : Xonk - xonkcryp [at] gmail [dot] com

Bypass Upload

Description :
- Any type of file can be uploaded to the server by modifying the HTTP headers (changing the file's type to that of an image, e.g. image/jpeg), which could give full control over the server's files.

<?php

// File : basic.php
// Line : 25

if (($HTTP_POST_FILES['userfile']['type']=="image/gif") || ($HTTP_POST_FILES['userfile']['type']=="image/pjpeg") || ($HTTP_POST_FILES['userfile']['type']=="image/jpeg") || ($HTTP_POST_FILES['userfile']['type']=="image/bmp") || ($HTTP_POST_FILES['userfile']['type']=="image/png")) {
// ....
}
?>


Patch :
<?php

// Patch Bypass Upload by Xonk
// File : basic.php
// Modify starting at line 25 :
// if (($HTTP_POST_FILES['userfile']['type']=="image/gif") ....
// Up to just before line 39 :
// if (!$res) { echo "<font color=\"#333333\" face=\"Geneva, Arial, Helvetica, sans-serif\"> .... }


if (!isset($HTTP_POST_FILES['userfile'])) exit;

if (is_uploaded_file($HTTP_POST_FILES['userfile']['tmp_name'])) {

    if ($HTTP_POST_FILES['userfile']['size']>$max_size) {
        echo "<font color=\"#333333\" face=\"Geneva, Arial, Helvetica, sans-serif\">File Size too Big!</font><br>\n"; exit; }
    if (($HTTP_POST_FILES['userfile']['type']=="image/gif") || ($HTTP_POST_FILES['userfile']['type']=="image/pjpeg") || ($HTTP_POST_FILES['userfile']['type']=="image/jpeg") || ($HTTP_POST_FILES['userfile']['type']=="image/bmp") || ($HTTP_POST_FILES['userfile']['type']=="image/png")) {

        // ------- PATCH ----------
        // Extension after the last dot of the submitted file name, lower-cased
        $ext = strtolower(substr($_FILES['userfile']['name'], strrpos($_FILES['userfile']['name'], '.')));
        $supportedextentions = array('.jpg','.jpeg','.png','.gif','.bmp');
        $upload = true;
        if(!in_array($ext, $supportedextentions)) {
            $upload = false;
        }
        $res = false; // stays false when the extension is rejected

        if (file_exists("./".$path . $HTTP_POST_FILES['userfile']['name'])) {
            echo "<font color=\"#333333\" face=\"Geneva, Arial, Helvetica, sans-serif\">A File with that name exists, please rename your file.</font><br>\n"; exit; }

        if($upload) {
            $zufall = rand(123,999999);
            $fupl = "$zufall";
            $imgtext = $zufall .$HTTP_POST_FILES['userfile']['name'];
            $userip = $_SERVER['REMOTE_ADDR'];
            $time = time();

            $res = move_uploaded_file($HTTP_POST_FILES['userfile']['tmp_name'], "./".$path .$fupl .$HTTP_POST_FILES['userfile']['name']);
        }
        // ------- END PATCH ----------

        if (!$res) { echo "<font color=\"#333333\" face=\"Geneva, Arial, Helvetica, sans-serif\">Upload Failed, please try again</font><br>\n"; exit; } else {
            $filelist = fopen("./imgfiles/".$imgtext.".txt","w");
            fwrite($filelist, "images/" ."|".$imgtext."|". $zufall ."|". $userip ."|". $time."|\n");
?>
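
The patch above adds an extension allowlist but still builds the stored file name from the name the client sent. As an added example (not from the original advisory and not MiniFileHost code), the check below decides from the file's bytes using PHP's fileinfo extension and assigns a server-generated name; the function names, the 1 MiB limit and the two sample files are assumptions constructed for the demonstration.

```php
<?php
// Added example, not MiniFileHost code. Function names are hypothetical.
// Content type detected from the bytes => extension the server assigns.
const ALLOWED_IMAGES = [
    'image/gif'      => '.gif',
    'image/jpeg'     => '.jpg',
    'image/png'      => '.png',
    'image/bmp'      => '.bmp',
    'image/x-ms-bmp' => '.bmp', // label used by older libmagic builds
];

// Same kind of check as basic.php line 25: trusts the client-sent type.
function weak_check(array $file): bool
{
    return array_key_exists($file['type'], ALLOWED_IMAGES);
}

// Returns a server-generated file name, or null when the upload is rejected.
function safe_upload_name(array $file, int $maxSize): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > $maxSize) {
        return null;
    }
    // Look at the stored bytes; $file['type'] and $file['name'] are ignored.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!is_string($detected) || !array_key_exists($detected, ALLOWED_IMAGES)) {
        return null;
    }
    return bin2hex(random_bytes(16)) . ALLOWED_IMAGES[$detected];
}

// Constructed samples shaped like $_FILES['userfile'] entries.
function sample(string $name, string $type, string $bytes): array
{
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    return ['name' => $name, 'type' => $type, 'tmp_name' => $tmp,
            'error' => UPLOAD_ERR_OK, 'size' => strlen($bytes)];
}
$samples = [
    sample('script.php', 'image/jpeg', "<?php echo 'not an image'; ?>"),
    sample('pixel.gif', 'image/gif', "GIF89a\x01\x00\x01\x00\x00\x00\x00;"),
];
foreach ($samples as $f) {
    $name = safe_upload_name($f, 1 << 20);
    printf("%-10s weak=%s hardened=%s\n", $f['name'],
        weak_check($f) ? 'accept' : 'reject', $name ?? 'reject');
    unlink($f['tmp_name']);
}
```

In a real handler, pass the returned name to move_uploaded_file() and keep uploads in a directory where the web server does not execute scripts.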
