<<< Date Index >>>     <<< Thread Index >>>

Re: how to trick most of cms avatar upload filter [exemple for : RunCms (PoC)]



This is an issue reported months ago already with mixed results from vendors. Only way to get them to patch are to issue exploits like this unfortunately.

Paul Laudanski, Microsoft MVP Windows-Security
Phish XML Feed: http://www.castlecops.com/article6619.html
Phish Takedown: http://castlecops.com/pirt
LinkedIn: http://www.linkedin.com/pub/1/49a/17b
www.CastleCops.com | de.CastleCops.com | wiki.CastleCops.com

----- Original Message ----- From: <securfrog@xxxxxxxxx>
To: <bugtraq@xxxxxxxxxxxxxxxxx>
Sent: Thursday, November 02, 2006 1:30 AM
Subject: how to trick most of cms avatar upload filter [exemple for : RunCms (PoC)]


/*==========================================*/
//how to trick cms avatar upload
//exemple for : RunCms (PoC)
//Bug : avatar/php-shell upload
//Product: RunCms
//URL: http://www.runcms.org/
//RISK: hight
/*==========================================*/

you can upload a crafted picture on most of cms .
there's actually one protection agains that:
it's to reconvert the picture name uploaded ( see = http://us3.php.net/manual/en/features.file-upload.php ) so the picture called picture.jpg will be renamed has 12d32f2jk25r543jk2ljn543.jpg

now on a webserver , a script is called & executed with the extension , so if you rename & upload a crafted picture , like this :
http://site.com/script.php.jpg
you will get the php code in the picture executed .(if there's some php code in the crafted picture) the reverse ( http://site.jpg.php ) will never work , it's usually because the avatar upload filter look for the last extension.

so now we need to trick the upload filter , if you do a simple php script named "script.php" ,it will never work ,
our goal is to trick the avatar filter , so we need a reel picture .
then you need to take a good file editor , like: notepad++
(you can take whatever picture , and edit it without destroying it .)
we need to put some php code AFTER the picture code .
when it's done , try the picture if it still work , if yes , we are ok :).
here's an exemple of a crafted picture :
http://s-a-p.ca/release/sp.php.zip
just upload the picture has your avatar , for Runcms and do a right click ===> property , on your avatar , look at the link , and call it with firefox , opera , safary , etc , once this is done you have a php backdoor uploaded in .
usually in: http://site.com/[runcms_path]/images/avatar/sp.php.jpg


ps:this doesn't work with IE .

regards , securfrog@xxxxxxxxx