NetLink Remote Arbitrary File Upload Vulnerability

vendor:

NetLink

by:

lumut--

8.8

CVSS

HIGH

Remote Arbitrary File Upload

434

CWE

Product Name: NetLink

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

NetLink Remote Arbitrary File Upload Vulnerability

NetLink is vulnerable to a remote arbitrary file upload vulnerability. An attacker can upload a malicious file to the server by exploiting the vulnerable upload.php script. The malicious file can be uploaded to the server by sending a POST request to the upload.php script. The malicious file can then be accessed by sending a GET request to the Users directory.

Mitigation:

The application should validate the file type and size before uploading it to the server. The application should also restrict the file types that can be uploaded to the server.

Source

Exploit-DB raw data:

======================================
NetLink Remote Arbitrary File Upload Vulnerability
Download: http://sourceforge.net/projects/kp-netlink/
by lumut--
Homepage: lumutcherenza.biz
======================================

[upload.php]

<?php
extract($_POST);
if ($submit)
{
  $file_name=$_FILES['filename']['name'];
    $file_type=$_FILES['filename']['type'];
    $file_tmp=$_FILES['filename']['tmp_name'];
    $file_size=$_FILES['filename']['size'];

    $user=$_SESSION['login'];
    echo "Upload Stats:<br/>";
    echo "<blockquote style='font-size:10pt;'>";
    echo "Filename: ".$file_name;
    echo "<br/>File Type: ".$file_type;
    echo "<br/>File Size: ".$file_size;

    #now that the stats have been declared & displayed, now we process and
upload the file
    $file_dest = "Users/$user/";
    $file_dest = $file_dest . $_FILES['filename']['name'];

    echo "<br/><br/>Copying $file_name....";
    echo "<br/>Moving copied file to $user's account...";
    echo "</blockquote>";
    if (move_uploaded_file($_FILES['filename']['tmp_name'], $file_dest))
          print "File '$file_name' was successfully uploaded to account
<b>$user</b>.<br/> ";
    else
    {
      print "Possible file upload attack!  Here's some debugging info:\n";
      print_r($_FILES);
    }
    touch("Users/$user/$file_name");
include("options.php");
echo "<hr color='#000000'/>";
}

?>


expl: http://[target]/[netlink_path]/upload.php
shell: http://[target]/[netlink_path]/Users/yourshell.php

======================================================================

thx to : cr4wl3r, Team_elitE, kisame, aNtI_hAcK, kazuya, PunkRock and
manadocoding team :D
======================================================================