Re: how to trick most of cms avatar upload filter [exemple for : RunCms (PoC)]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: how to trick most of cms avatar upload filter [exemple for : RunCms (PoC)]

Subject: Re: how to trick most of cms avatar upload filter [exemple for : RunCms (PoC)]
Date: Fri, 3 Nov 2006 18:45:23 -0500
From: "Paul Laudanski" <suppressed>

This is an issue reported months ago already with mixed results fromvendors. Only way to get them to patch are to issue exploits like thisunfortunately.


Paul Laudanski, Microsoft MVP Windows-Security
Phish XML Feed: http://www.castlecops.com/article6619.html
Phish Takedown: http://castlecops.com/pirt
LinkedIn: http://www.linkedin.com/pub/1/49a/17b
www.CastleCops.com | de.CastleCops.com | wiki.CastleCops.com

----- Original Message -----From: <suppressed>

To: <suppressed>
Sent: Thursday, November 02, 2006 1:30 AM

Subject: how to trick most of cms avatar upload filter [exemple for : RunCms(PoC)]

/*==========================================*/
//how to trick cms avatar upload
//exemple for : RunCms (PoC)
//Bug : avatar/php-shell upload
//Product: RunCms
//URL: http://www.runcms.org/
//RISK: hight
/*==========================================*/

you can upload a crafted picture on most of cms .
there's actually one protection agains that:
it's to reconvert the picture name uploaded ( see =http://us3.php.net/manual/en/features.file-upload.php )so the picture called picture.jpg will be renamed has12d32f2jk25r543jk2ljn543.jpg
now on a webserver , a script is called & executed with the extension , soif you rename & upload a crafted picture , like this :
http://site.com/script.php.jpg
you will get the php code in the picture executed .(if there's some phpcode in the crafted picture)the reverse ( http://site.jpg.php ) will never work , it's usuallybecause the avatar upload filter look for the last extension.
so now we need to trick the upload filter , if you do a simple php scriptnamed "script.php" ,it will never work ,
our goal is to trick the avatar filter , so we need a reel picture .
then you need to take a good file editor , like: notepad++
(you can take whatever picture , and edit it without destroying it .)
we need to put some php code AFTER the picture code .
when it's done , try the picture if it still work , if yes , we are ok:).
here's an exemple of a crafted picture :
http://s-a-p.ca/release/sp.php.zip
just upload the picture has your avatar , for Runcms and do a right click===> property , on your avatar , look at the link ,and call it with firefox , opera , safary , etc , once this is done youhave a php backdoor uploaded in .
usually in: http://site.com/[runcms_path]/images/avatar/sp.php.jpg


ps:this doesn't work with IE .

regards , suppressed

References:
- how to trick most of cms avatar upload filter [exemple for : RunCms (PoC)]
  - From: securfrog

Prev by Date: MajorSecurity Advisory #31]Xenis.creator CMS - Multiple Cross Site Scripting and SQL Injection Issues
Next by Date: [OpenPKG-SA-2006.028] OpenPKG Security Advisory (php)
Previous by thread: RE: how to trick most of cms avatar upload filter [exemple for : RunCms (PoC)]
Next by thread: Advisory 12/2006: phpMyAdmin - error.php XSS Vulnerability
Index(es):
- Date
- Thread

Mail converted by mhonarc 2.6.15
This archive provided courtesy of JSW4.NET, Internet Hosting Services for Small Business.