31 lines
No EOL
1.4 KiB
Text
31 lines
No EOL
1.4 KiB
Text
Title: File Thingie v2.5.5 File Security Bypass
|
|
Author: Jeremiah Talamantes (RedTeam Security)
|
|
Website: http://www.redteamsecure.com/labs
|
|
Date: 5/15/2010
|
|
|
|
Application: File Thingie
|
|
Version: 2.5.5
|
|
Link: http://www.solitude.dk/filethingie/download
|
|
|
|
Description:
|
|
There are security controls in place that attempt to prevent
|
|
users from uploading PHP files and also renaming them to PHP extensions. However
|
|
advanced security controls do not exist that would prevent a user from uploading
|
|
a text file containing PHP code. An attacker can exploit a weakness in the file
|
|
rename process allowing the attacker to rename a text file (containing code) to a
|
|
.php extension and execute the script.
|
|
|
|
This exploit demonstrates a way to backdoor File Thingie by uploading an *.inc file
|
|
that contains a backdoored copy of File Thingie, then uploading a *.txt file
|
|
containing some PHP code that will overwrite ft2.php to execute the backdoored
|
|
copy of File Thingie. But first the *.txt file has to be renamed to a *.php
|
|
and then executed in the browser.
|
|
|
|
Test Environment:
|
|
* Tested on WAMP Server 2.0
|
|
* WAMP running on Windows XP, SP2 (EN)
|
|
|
|
====================================================================
|
|
Download the following file for more instructions and exploits:
|
|
Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/12617.zip (file_thingie_v255_Jeremiah.zip)
|
|
==================================================================== |