exploit the possibilities

Phpbuddies Shell Upload

Phpbuddies Shell Upload
Posted Mar 19, 2011
Authored by Xr0b0t

Phpbuddies suffers from a remote shell upload vulnerability.

tags | exploit, remote, shell
MD5 | c7ddd7d4838d393b8c86cd43c739c8f0

Phpbuddies Shell Upload

Change Mirror Download
 [!]===========================================================================[!]

[~] Phpbuddies 0day Arbitrary Upload File Vulnerability
[~] Author : Xr0b0t (xrt.interpol@gmx.us)
[~] Homepage : www.indonesiancoder.com | xrobot.mobi | mc-crew.net | exploit-id.com
[~] Date : 18 Mart, 2010
[~] Tested on : BlackBuntu RC2

[!]===========================================================================[!]

[ Software Information ]

[+] Vendor : http://phpbuddies.com
[+] Download : http://phpbuddies.com/index.php?module=downloadcenter&action=download_home
[+] Price : LICENSI REQUEST
[+] Vulnerability : Upload File
[+] Dork : "Nothing Preson Laa!!" ;)
[+] Version : Not Find The Version

[!]===========================================================================[!]

Vulnerable Javascript Source Code:
elseif(RequestForm('new_photo')!='')
{
$image = RequestForm('image');
$myphoto = RequestFile('myphoto');

if($myphoto['name'] && !$myphoto['error'])
{
$ext = implode("|",explode(",",$this->Settings->img_ext));
$myupload = new UPLOAD();
$upload_dir = RS_SYSTEM_PATH."systemupload/profile";
$picture = $myupload->upload_file($upload_dir,'myphoto',true,false,0,$ext);
if($picture == false){
$this->assignVal('err','Photo is not uploaded.');
$error = 1;
}
else
{
$phpThumb = new phpThumb();
$phpThumb->setSourceFilename(str_replace('\\','/',RS_SYSTEM_PATH."systemupload/profile/".$picture));
$phpThumb->setParameter('w',$this->Settings->thumb_img_width);
$phpThumb->setParameter('h',$this->Settings->thumb_img_height);
$output_filename = str_replace('\\','/',RS_SYSTEM_PATH."systemupload/profile/thumb_".$picture);
if ($phpThumb->GenerateThumbnail())
{
$phpThumb->RenderToFile($output_filename);
}

$mem_id = $this->Session->getValue('userid');
$sql=sprintf(SQL_UPDATE_PROFILE_PHOTO,$picture,$mem_id);
$this->Conn->Execute($sql);

if($image)
$this->delete->remove_profile_photo($image);
}
}
}>
------------------------------------------------------------------------

[ Default Site ]
http://127.0.0.1/phpbuddies/



[ XpL ]

[~] Step 1 : Find A CMS With Google Dork

[~] Step 2: Register In This Site

[~] Step 3: Click On Account Settings

[~] Step 4: Click On Upload Images

[~] Step 5: Click On File Will Be Uploaded ( Uploaded The File *.php or *.jgp)

[~] Step 6: And Click on Manage Photo

[~] Step 7: You Will See the file systemupload/profile/


[ Demo ]

Site : http://phpbuddies.com/

exploit : http://phpbuddies.com/index.php?module=profile&action=myaccount
"Upload The shell.php Manage Photo"

Result : http://phpbuddies.com/systemupload/profile/foot.phpshell.php


with a default configuration of this script, an attacker might be able to upload arbitrary
files containing malicious PHP code due to multiple file extensions isn't properly checked

Goo The IndonesianCoder!!!
[!]===========================================================================[!]

[ Thx TO ]

[+] Hai Kumis Lele HAhaha Ab ah Benu Turune Ngiler !!
[+] INDONESIAN CODER TEAM IndonesianHacker Malang CYber CREW Magelang Cyber
[+] tukulesto,M3NW5,arianom,N4CK0,abah_benu,d0ntcry,bobyhikaru,gonzhack,senot
[+] Contrex,YadoY666,yasea,bugs,Ronz,Pathloader,cimpli,MarahMerah.IBL13Z,r3m1ck
[+] Coracore,Gh4mb4s,Jack-,VycOd,m0rgue,otong,CS-31,Yur4kha,Geni212


[ NOTE ]

[+] OJOK JOTOS2an YO ..
[+] Minggir semua Arumbia Team Mau LEwat ;)
[+] MBEM : lup u :">

[ QUOTE ]

[+] INDONESIANCODER still r0x...
[+] ARUmBIA TEam Was Here Cuy MINGIR Kabeh KAte lewat ..
[+] Malang Cyber Crew & Magelang Cyber Community


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

February 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    1 Files
  • 2
    Feb 2nd
    2 Files
  • 3
    Feb 3rd
    17 Files
  • 4
    Feb 4th
    15 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    16 Files
  • 7
    Feb 7th
    19 Files
  • 8
    Feb 8th
    2 Files
  • 9
    Feb 9th
    2 Files
  • 10
    Feb 10th
    15 Files
  • 11
    Feb 11th
    20 Files
  • 12
    Feb 12th
    16 Files
  • 13
    Feb 13th
    19 Files
  • 14
    Feb 14th
    17 Files
  • 15
    Feb 15th
    4 Files
  • 16
    Feb 16th
    4 Files
  • 17
    Feb 17th
    34 Files
  • 18
    Feb 18th
    15 Files
  • 19
    Feb 19th
    20 Files
  • 20
    Feb 20th
    33 Files
  • 21
    Feb 21st
    11 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close