jQuery Uploadify 2.1.0 – Arbitrary File Upload

• Exploit Database
• 11 阅读

• 作者： k4cp3r/Ablus
  日期： 2010-01-21
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/11218/

• # Exploit Title: jQuery uploadify v2.1.0 Remote File Upload
  # Date: 21/01/2010
  # Author: k4cp3r/Ablus
  # Version: v2.1.0
  
  
  
  (uploadify.swf) Actionscript:
  
  function setAllowedTypes():void {
  	allowedTypes = [];
  	if (param.fileDesc && param.fileExt) {
  		var fileDescs:Array = param.fileDesc.split('|');
  		var fileExts:Array = param.fileExt.split('|');
  		for (var n = 0; n < fileDescs.length; n++) {
  			allowedTypes.push(new FileFilter(fileDescs[n], fileExts[n]));
  		}
  	}
  }
  setAllowedTypes();
  
  The FileFilter class is used to indicate what files on the user's system are shown in the file-browsing dialog box that is displayed when the FileReference.browse() method; a user can simply bypass this filter by writing the malicious file name and path on the file browser dialog box rather than navigating and choosing it.
  
  Exploit:
  
  #1 : upload your file ie (shell.php)
  #2 : Retreive the 'folder' parameter passed to uploadify jquery function
  	 from the head of the page source code ie('folder': 'files/',)
  #3 : Navigate to your file ie(http://site/files/shell.php)
  
  Fix:
  
  A quick fix is to validate your file type inside uploadify.php before saving it
  OR to randomize your file names :)
  
  
  Greetz to all Al Akhawayn friends