exploit the possibilities

IDIC Blogs Shell Upload

IDIC Blogs Shell Upload
Posted Nov 12, 2012
Authored by cr4wl3r

IDIC Blogs suffers from a remote shell upload vulnerability.

tags | exploit, remote, shell
MD5 | 1929d3ec65062fe1ccaae66fc45aee11

IDIC Blogs Shell Upload

Change Mirror Download
                            \#'#/
(-.-)
--------------------oOO---(_)---OOo----------------------
| IDIC Blogs Arbitrary File Upload Vulnerability |
---------------------------------------------------------
[!] Discovered: cr4wl3r <cr4wl3r[!]linuxmail.org>
[!] Site: http://0xuht.org
[!] Download: http://sourceforge.net/projects/idicblogs/files/
[!] Version: -
[!] Date: 12.11.2012
[!] Remote: yes
[!] Tested: Ubuntu
[!] Reference: http://0xuht.org/Exploit/idic-blog.txt

[!] Details:
By issuing a POST request with a webshell
embedded in a JPEG or PJPEG image it is possible to upload


[!] Vulnerability Code [picture_upload.php] :

<?
} elseif (isset($_POST['subpage']) && $_POST['subpage'] == 'upload') {

$idir="./members_orgimage/";
$string = md5(rand(0,9999));
$harland = substr($string, 17, 5);

$url = $_FILES['imagefile']['name']; /* Set $url To Equal The Filename For Later Use */
if ($_FILES['imagefile']['type'] == "image/jpg" || $_FILES['imagefile']['type'] == "image/jpeg" || $_FILES['imagefile']['type'] == "image/pjpeg") {

// $file_ext = strrchr($_FILES['imagefile']['name'], '.');
// $file_ext = strrchr($_FILES['imagefile']['name'], ".");
$file_ext = strtolower(substr(strrchr($_FILES['imagefile']['name'], "."), 1));

/* Get The File Extention In The Format Of , For Instance, .jpg, .gif or .php */
$copy = copy($_FILES['imagefile']['tmp_name'], "$idir" . $_FILES['imagefile']['name']);
/* Move Image From Temporary Location To Permanent Location */
if ($copy) {
$newimage = "$harland-$url";

cropImage("50", "50", "./members_orgimage/$url", "jpg", "./members_thumbs/$newimage");

$query = mysql_query("UPDATE blogssmembers SET picname='$newimage' WHERE username='$ses_bloguser'") or die (mysql_error());
$result = mysql_query($query);

$es = 'Image uploaded successfully.<br />';
}else{
$es = 'ERROR: Unable to upload image<br />';
}
} else {
$es = 'ERROR: Wrong filetype (has to be a .jpg or .jpeg.)<br />';
}
}
if($es){
?>


[!] PoC (Piye om Carane):

[IDIC_Blogs]/picture_upload.php

[!] Shell:

[IDIC_Blogs]//members_orgimage/shell.php.pjpeg

[!] Demo:

http://0xuht.org/demo/idic-blog1.png
http://0xuht.org/demo/idic-blog2.png

[!] Thanks: packetstormsecurity

// Gorontalo [2012-11-12]

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

June 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    1 Files
  • 2
    Jun 2nd
    2 Files
  • 3
    Jun 3rd
    19 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    15 Files
  • 6
    Jun 6th
    12 Files
  • 7
    Jun 7th
    11 Files
  • 8
    Jun 8th
    1 Files
  • 9
    Jun 9th
    1 Files
  • 10
    Jun 10th
    15 Files
  • 11
    Jun 11th
    15 Files
  • 12
    Jun 12th
    15 Files
  • 13
    Jun 13th
    8 Files
  • 14
    Jun 14th
    16 Files
  • 15
    Jun 15th
    2 Files
  • 16
    Jun 16th
    1 Files
  • 17
    Jun 17th
    18 Files
  • 18
    Jun 18th
    15 Files
  • 19
    Jun 19th
    22 Files
  • 20
    Jun 20th
    15 Files
  • 21
    Jun 21st
    15 Files
  • 22
    Jun 22nd
    2 Files
  • 23
    Jun 23rd
    1 Files
  • 24
    Jun 24th
    23 Files
  • 25
    Jun 25th
    19 Files
  • 26
    Jun 26th
    7 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close