Bugtraq mailing list archives
Re: how to trick most of cms avatar upload filter [exemple for : RunCms (PoC)]
From: "Paul Laudanski" <paul () castlecops com>
Date: Fri, 3 Nov 2006 18:45:23 -0500
This is an issue reported months ago already, with mixed results from vendors. Unfortunately, the only way to get them to patch is to issue exploits like this.
Paul Laudanski, Microsoft MVP Windows-Security
Phish XML Feed: http://www.castlecops.com/article6619.html
Phish Takedown: http://castlecops.com/pirt
LinkedIn: http://www.linkedin.com/pub/1/49a/17b
www.CastleCops.com | de.CastleCops.com | wiki.CastleCops.com

----- Original Message -----
From: <securfrog () gmail com>
To: <bugtraq () securityfocus com>
Sent: Thursday, November 02, 2006 1:30 AM
Subject: how to trick most of cms avatar upload filter [exemple for : RunCms (PoC)]
/*==========================================*/
// how to trick cms avatar upload
// example for: RunCms (PoC)
// Bug: avatar/php-shell upload
// Product: RunCms
// URL: http://www.runcms.org/
// RISK: high
/*==========================================*/

You can upload a crafted picture on most CMSs. There's actually one protection against that: it's to reconvert the name of the uploaded picture (see http://us3.php.net/manual/en/features.file-upload.php), so the picture called picture.jpg will be renamed as 12d32f2jk25r543jk2ljn543.jpg.

Now, on a web server a script is called & executed based on the extension, so if you rename & upload a crafted picture like this:

http://site.com/script.php.jpg

you will get the PHP code in the picture executed (if there's some PHP code in the crafted picture). The reverse (http://site.jpg.php) will never work; it's usually because the avatar upload filter looks at the last extension.

So now we need to trick the upload filter. If you do a simple PHP script named "script.php", it will never work. Our goal is to trick the avatar filter, so we need a real picture. Then you need to take a good file editor, like notepad++ (you can take whatever picture and edit it without destroying it). We need to put some PHP code AFTER the picture code. When it's done, try the picture to see if it still works; if yes, we are ok :).

Here's an example of a crafted picture: http://s-a-p.ca/release/sp.php.zip

Just upload the picture as your avatar. For RunCms, do a right click ===> Properties on your avatar, look at the link, and call it with Firefox, Opera, Safari, etc. Once this is done you have a PHP backdoor uploaded, usually in: http://site.com/[runcms_path]/images/avatar/sp.php.jpg

ps: this doesn't work with IE.

regards,
securfrog () gmail com
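The post above relies on two things: a filter that only inspects the last extension, and a PHP handler (typically Apache's "AddHandler application/x-httpd-php .php", which mod_mime applies to every extension in a name, so sp.php.jpg is still handed to PHP). The following is an added example, not RunCms code or the poster's sample file. It builds the kind of crafted picture the post describes (a minimal JFIF with PHP appended after the EOI marker) and shows the upload-side checks a practitioner would want: reject any executable extension anywhere in the name, verify magic bytes, look for a PHP open tag in the body, flag data after the JPEG end marker, and derive the stored name from the content rather than the client filename. The function names, the accepted-type table and the sample payload are this example's own assumptions.

```python
"""Avatar-upload checks against the 'image + appended PHP, double extension'
trick. Added example; not code from RunCms or from the original post.
Assumes a generic upload handler that receives the client filename and bytes.
"""
import os
import re
import secrets

# Extensions a PHP-enabled Apache may execute when they appear ANYWHERE in the
# name under a catch-all "AddHandler ... .php" (this is why sp.php.jpg runs).
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}
IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Accepted avatar types, keyed by leading magic bytes (assumed policy).
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# "<?php" or "<?=" only: a bare "<?" would false-positive on XMP metadata
# ("<?xpacket ...") that legitimate JPEGs carry.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def build_polyglot(payload: bytes = b"<?php echo 'hello'; ?>") -> bytes:
    """Constructed sample: minimal JFIF (SOI, APP0, EOI) with PHP after EOI."""
    jfif = (b"\xff\xd8"                                                  # SOI
            b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0
            b"\xff\xd9")                                                 # EOI
    return jfif + payload


def image_type(data: bytes):
    """Return the accepted image type from magic bytes, or None."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def filename_problems(name: str) -> list:
    """Checks on the client-supplied name. Every extension is inspected, not
    only the last one, which is the weakness the post exploits."""
    base = os.path.basename(name.replace("\\", "/")).lower()
    parts = base.split(".")
    exts = [p for p in parts[1:] if p]
    problems = []
    if len(parts) > 2:
        problems.append("multiple extensions in %r" % base)
    for ext in exts:
        if ext in EXECUTABLE_EXTENSIONS:
            problems.append("executable extension %r in name" % ext)
    if not exts or exts[-1] not in IMAGE_EXTENSIONS:
        problems.append("last extension is not an accepted image extension")
    return problems


def content_problems(data: bytes) -> list:
    """Checks on the bytes: magic, PHP open tag, data after the JPEG EOI."""
    problems = []
    kind = image_type(data)
    if kind is None:
        problems.append("magic bytes do not match an accepted image type")
    if PHP_TAG.search(data):
        problems.append("PHP open tag found in file body")
    if kind == "jpg":
        eoi = data.rfind(b"\xff\xd9")
        trailing = data[eoi + 2:] if eoi != -1 else b""
        if trailing.strip():
            problems.append("%d trailing bytes after JPEG EOI" % len(trailing))
    return problems


def check_upload(name: str, data: bytes) -> list:
    """All problems for one upload; an empty list means it passed."""
    return filename_problems(name) + content_problems(data)


def server_side_name(data: bytes) -> str:
    """Storage name derived from content only; the client name never reaches disk."""
    kind = image_type(data)
    if kind is None:
        raise ValueError("not an accepted image type")
    return "%s.%s" % (secrets.token_hex(16), kind)


if __name__ == "__main__":
    crafted = build_polyglot()
    for fname in ("avatar.jpg", "sp.php.jpg", "shell.php"):
        print(fname, check_upload(fname, crafted) or "ok")
    print("stored as", server_side_name(crafted))
```

These checks are a filter, not a guarantee: a clean JPEG may legitimately carry a trailer after EOI, and short-tag PHP (`<?` without `php`) is not matched, so a production handler should additionally re-encode the image with an image library and store it under a server-chosen name. Independently of the upload code, the web server should only run PHP for names ending in `.php` (for Apache, a `<FilesMatch "\.php$">` block with SetHandler rather than AddHandler) and should have the PHP engine disabled for the avatar directory.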
Current thread:
- how to trick most of cms avatar upload filter [exemple for : RunCms (PoC)] securfrog (Nov 02)
- Re: how to trick most of cms avatar upload filter [exemple for : RunCms (PoC)] Taneli Leppä (Nov 02)
- Re: how to trick most of cms avatar upload filter [exemple for : RunCms (PoC)] Taneli Leppä (Nov 02)
- RE: how to trick most of cms avatar upload filter [exemple for : RunCms (PoC)] Richard Stanway (Nov 02)
- Re: how to trick most of cms avatar upload filter [exemple for : RunCms (PoC)] Taneli Leppä (Nov 02)
- Re: how to trick most of cms avatar upload filter [exemple for : RunCms (PoC)] Paul Laudanski (Nov 04)
- Re: how to trick most of cms avatar upload filter [exemple for : RunCms (PoC)] Taneli Leppä (Nov 02)