[VulnWatch] True Galerie 1.0 : Admin Access & File Copy

From: Frog Man (leseulfrogat_private)
Date: Fri Apr 25 2003 - 05:21:47 PDT


    Information :
    °°°°°°°°°°°°°
    Language : PHP
    Website : http://www.truelogik.net
    Version : 1.0
    Problems :
    - Admin Access
    - File Copy
    
    
    PHP Code/Location :
    °°°°°°°°°°°°°°°°°°°
    verif_admin.php, check_admin.php :
    
    ------------------------------------------------------------------------
    
    <?
    if(isset($connect)) {
    	if($connect=="$passadmin") setcookie("loggedin","ok");
    	if($connect=="no") setcookie("loggedin");
    	Header("Location: ".$PHP_SELF);
    }
    
    $ok = ($loggedin!="");
    
    if($ok) {
    	echo "<center>";
    	echo "<table>";
    	echo "<tr><td align='center'><a href='?connect=no'>DECONNEXION</a></td></tr>";
    	echo "</table>";
    	echo "</center>";
    }
    else {
    	echo "<center><form method='post'>";
    	echo "<table>";
    	echo "<tr><td align='center'>CONNEXION</td></tr>";
    	echo "<tr><td align='center'>Password : admin</td></tr>";
    	echo "<tr><td><input type='password' name='connect'></td></tr>";
    	echo "<tr><td><input type='submit' value='Login'></td></tr>";
    	echo "</table>";
    	echo "</form></center>";
    }
    ?>
    
    ------------------------------------------------------------------------
    
    
    
    
    upload.php :
    
    ----------------------------------------------------------------------
    [...]
    $userip = $REMOTE_ADDR;
    $pseudo = $_POST['pseudo'];
    $message = $_POST['message'];
    $email = $_POST['email'];
    [...]
    if((!$pseudo) || (!$message) || (!$file)) {
    	[...]
    	exit;
    }
    
    if(!ereg('^[-!#$%&\'*+\\./0-9=?A-Z^_`a-z{|}~]+'.
            '@'.
            '[-!#$%&\'*+\\/0-9=?A-Z^_`a-z{|}~]+\.'.
            '[-!#$%&\'*+\\./0-9=?A-Z^_`a-z{|}~]+$',
            $email))
    	{
    	[...]
    	exit();
    }
    
    [...]
    
    if ($file_size >= $MAX_FILE_SIZE)
    	{
    	[...]
    	exit();
    }
    
    if($HTTP_POST_FILES['file']['type']=="image/pjpeg") {
    	$ext="jpg";
    }
    elseif($HTTP_POST_FILES['file']['type']=="image/gif") {
    	$ext="gif";
    }
    if($HTTP_POST_FILES['file']['type']=="image/pjpeg"|$HTTP_POST_FILES['file']['type']=="image/gif") 
    {
    
    $date = time();
    
    $query = "INSERT INTO $tablegalerie 
    (cat_id,pseudo,email,url,message,date,clicks,img,userip) 
    VALUES('$cat_id','$pseudo','$email','$url','$message','$date','','','$userip')";
    
    mysql_query($query);
    
    $id=mysql_insert_id();
    $random_name = makeRandomName();
    
    $dest_file="./$folder/$random_name.$ext";
    
    $query = "UPDATE $tablegalerie SET img='$dest_file' WHERE id='$id'";
    mysql_query($query);
    
    $res_copy=@copy($file,$dest_file);
    @move_uploaded_file($file,$dest_file);
    ----------------------------------------------------------------------
    
    
    
    Exploits :
    °°°°°°°°°°
    - To be admin :
    http://[target]/admin.php?loggedin=1
    
    
    - To read config.php (with admin password, DB password,...) :
    1) Set a cookie named "file" and with the value "config.php" on 
    http://[target]/form.php
    2) Fill in the form on this form.php page (the image has to be a real image, 
    .gif or .jpg !)
    3) Submit the form
    4) Go to the index, look at your file (the last registered image)
    5) Read it : it's config.php.
    
    
    Patch :
    °°°°°°°
    A patch can be found on http://www.phpsecure.info .
    
    
    More Details In French :
    °°°°°°°°°°°°°°°°°°°°°°°°
    http://www.frog-man.org/tutos/TrueGalerie.txt
    
    
    
    
    frog-m@n
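The two defects described in this advisory (an admin check driven by a request-controlled variable under register_globals, and an upload handler that passes a user-controlled path to copy()) both come down to trusting client-supplied data for decisions the server must make itself. The following is an added example written for this archive, not code from True Galerie or from the advisory's author, showing the same two handlers in a hardened form. It assumes PHP 7.1 or later, a constant ADMIN_PASSWORD_HASH produced by password_hash() in config.php, and an upload directory in $folder as in the original; the function names handle_admin_login and save_gallery_upload and the $maxBytes parameter are this example's own.

```php
<?php
// Added example, not True Galerie's code. Assumes PHP >= 7.1, a constant
// ADMIN_PASSWORD_HASH (output of password_hash()) defined in config.php,
// and the upload directory $folder from the original script.

session_start();

// 1. Admin login. The original derived $ok from $loggedin, which under
//    register_globals any client can set via ?loggedin=1 or a cookie.
//    Session state lives on the server and cannot be injected that way.
function handle_admin_login(string $adminPasswordHash): bool
{
    if (isset($_POST['connect']) && is_string($_POST['connect'])) {
        if ($_POST['connect'] === 'no') {
            // Logout: drop all session data, as the original's setcookie("loggedin") intended.
            $_SESSION = [];
            session_destroy();
            header('Location: ' . $_SERVER['SCRIPT_NAME']);
            exit;
        }
        // Constant-time comparison against a salted hash instead of "$connect == $passadmin".
        if (password_verify($_POST['connect'], $adminPasswordHash)) {
            session_regenerate_id(true);      // new id on privilege change (session fixation)
            $_SESSION['admin'] = true;
        }
        header('Location: ' . $_SERVER['SCRIPT_NAME']);
        exit;
    }
    return !empty($_SESSION['admin']);
}

// 2. Upload. The original did copy($file, $dest_file) where $file, under
//    register_globals, could be a cookie naming any readable local file
//    (config.php in the advisory), and trusted the client's MIME string.
//    Returns the stored path, or null when the upload is rejected.
function save_gallery_upload(string $folder, int $maxBytes): ?string
{
    if (!isset($_FILES['file']) || $_FILES['file']['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    $tmp = $_FILES['file']['tmp_name'];

    // is_uploaded_file() is true only for the temp file PHP created from this
    // request's multipart body, so no cookie or parameter can redirect the copy.
    if (!is_uploaded_file($tmp) || filesize($tmp) > $maxBytes) {
        return null;
    }

    // Decide the type from the file's own header bytes; the declared
    // Content-Type ($_FILES['file']['type']) is never consulted.
    $info = @getimagesize($tmp);
    if ($info === false) {
        return null;
    }
    $allowed = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_GIF => 'gif'];
    if (!isset($allowed[$info[2]])) {
        return null;
    }
    $ext = $allowed[$info[2]];

    // Server-chosen name and extension; stands in for the original makeRandomName().
    $randomName = bin2hex(random_bytes(16));
    $dest = rtrim($folder, '/') . '/' . $randomName . '.' . $ext;

    // move_uploaded_file() re-checks is_uploaded_file() itself and refuses otherwise.
    if (!move_uploaded_file($tmp, $dest)) {
        return null;
    }
    return $dest;
}

// Wiring, assuming config.php defines ADMIN_PASSWORD_HASH and $folder:
//   require 'config.php';
//   $isAdmin = handle_admin_login(ADMIN_PASSWORD_HASH);
//   $saved   = save_gallery_upload($folder, 200000);
```

The point of the upload half is that the source path is taken from $_FILES and checked with is_uploaded_file() before anything is copied, so the "cookie named file" step in the advisory has nothing to influence; the extension whitelist keyed on getimagesize() output additionally stops a non-image being stored with an image suffix, which the original's Content-Type comparison did not.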
    
    
    
    
    
    
    
    



    This archive was generated by hypermail 2b30 : Fri Apr 25 2003 - 07:11:01 PDT