0day OuTian OuTian Joomla 1.0/1.5beta2 (latest) upload file mishandling vulnerability.
0day
OuTian < [email protected] >
Joomla 1.0/1.5beta2 (latest) upload file mishandling vulnerability
Agenda
Apache + PHP
Set php file handling
AddHandler
Proper upload handler example
Joomla 1.0, Joomla 1.5 beta2 (latest)
Demo
Live demo
Apache + PHP
Famous web application platform, works on most OSes:
Windows, Linux, FreeBSD, SunOS, ... others.
Set php file handling
Set(In|Out)putFilter:
  SetOutputFilter PHP
  SetInputFilter PHP
AddType:
  AddType application/x-httpd-php .php
AddHandler:
  AddHandler php5-script .php
  Default used in Fedora Core 4 ~ 7, CentOS 5.0 (RHEL? other clones?)
AddHandler Problem
*.php.* will be processed by the PHP engine: Apache treats every dot-separated suffix of a filename as an extension, so a handler registered for .php also fires when .php is not the last extension.
When uploading *.php.gif, *.php.bmp, *.php.jpg, *.php.tgz, *.php.123456 ...
Example (screenshot slide)
Proper upload handler example
When uploading 『ox.php.gif』:
Discuz Forum renames to 『date_{MD5}.gif』
gallery 1 / gallery 2 rename to 『ox_php.gif』
lifetype blog renames to 『X-X.gif』
wordpress blog renames to 『oxphp.gif』
xoops renames to 『imgXXXXXXXX.gif』
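The two slides above, worked as an added example that is not from the deck or from any of the named projects: a small emulation of Apache's multi-extension matching (why `AddHandler php5-script .php` fires for `ox.php.gif`) next to a Discuz-style rename that derives the stored name from the date and an MD5, so the client-supplied name never reaches disk. The extension whitelist, the choice to hash the file content, and all sample inputs are assumptions made for this example.

```python
import hashlib
import time
from typing import Optional

# Apache mod_mime treats every dot-separated part after the basename as an
# extension, so "AddHandler php5-script .php" (the deck's Fedora/CentOS default)
# matches "ox.php.gif" as well as "ox.php". Constructed emulation of that rule;
# the mapping mirrors the slide's single AddHandler line, not a real httpd.conf.
HANDLER_EXTENSIONS = {"php": "php5-script"}

def apache_multiext_handler(filename: str) -> Optional[str]:
    """Return the handler Apache would pick for filename under AddHandler rules."""
    parts = filename.lower().split(".")
    for ext in parts[1:]:            # parts[0] is the basename, the rest are extensions
        if ext in HANDLER_EXTENSIONS:
            return HANDLER_EXTENSIONS[ext]
    return None

def has_executable_extension(filename: str) -> bool:
    """True when any extension in the name would be handed to the PHP engine."""
    return apache_multiext_handler(filename) is not None

# Assumed whitelist for an image upload form; only the LAST extension is kept.
IMAGE_EXTENSIONS = {"gif", "jpg", "jpeg", "png", "bmp"}

def safe_stored_name(upload_name: str, content: bytes, now: Optional[float] = None) -> str:
    """Discuz-style rename: date_<md5>.<ext>; raises if the last extension is not whitelisted.

    Hashing the file content is an assumption: the slide only says date_{MD5}.
    The server-side fix is to anchor the match (e.g. FilesMatch "\\.php$") instead
    of AddHandler; this function shows only the application-side defence.
    """
    ext = upload_name.rsplit(".", 1)[-1].lower() if "." in upload_name else ""
    if ext not in IMAGE_EXTENSIONS:
        raise ValueError(f"extension not allowed: {ext!r}")
    stamp = time.strftime("%Y%m%d", time.gmtime(time.time() if now is None else now))
    digest = hashlib.md5(content).hexdigest()   # MD5 is fine here: naming, not integrity
    return f"{stamp}_{digest}.{ext}"

if __name__ == "__main__":
    for name in ("ox.php.gif", "ox.php.123456", "oxphp.gif", "ox_php.gif"):
        print(f"{name:16} -> handler {apache_multiext_handler(name)}")
    # Constructed sample upload: a GIF header followed by arbitrary bytes.
    print(safe_stored_name("ox.php.gif", b"GIF89a<?php ... ?>", now=0))
```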
Joomla
CMS (Content Management System), just like XOOPS
Uses PHP + MySQL, combined with gallery/blog/forum/... etc.
Official website: http://www.joomla.org/
Taiwan website: http://www.joomla.org.tw/
Exploitation
1. Login
2. Upload a file with a filename containing ".php.", with malicious code, ex: ox.php.gif
3. Launch the file from the browser: http://host/path/images/ox.php.gif
4. Do anything, ex: webshell
Local Demo (screenshot slide)
Live Demo (screenshot slide)
www.joomla.org.tw (screenshot slide)
Live Demo

```
$ nc www.joomla.org.tw 80
HEAD / HTTP/1.0
Host: www.joomla.org.tw

HTTP/1.1 200 OK
Server: Apache/2.2.2 (Fedora)
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html; charset=utf-8
```