I want to blog regularly so I decided to publish a vulnerability we’ve found before. Before starting, I would mention that the bug exists on MachForm, a commercial form maker. Further information it can be found here. The vulnerability affected version 2, whereas I’m sure there will be much on updated versions as well. Here I’m giving details of the hole making a hacker to upload a shell script on remote machine.
In beginning, the hacker must aim view.php located at the root of site, observing the lines inside of mentioned file would be a big lead to disclosure of vulnerability:
$input_array = ap_sanitize_input($_POST);
$submit_result = process_form($input_array);
These two lines have functions leading to have both MySQL injection and Arbitrary file upload vulnerability. I’m not going to audit codes, I may just illustrate the attack started by applying brute-force procedure on ID parameter so as to find a form consisting file upload form, it can be achieved by any program, I just issued a Linux command helped me find it properly:
Afterwards, an HTML element followed by “for=”(.*)” must be specified, picture below gives better concept:
All have to be done is uploading PHP shell, and trying to find its name on server. The file will be uploaded in the path:
http://target.com/data/form_[ID]/[element name]-[mysql_insert_id()].php
In URL above, [ID] is gathered in brute-force phase, [element name] is gathered by viewing HTML source, and [mysql_insert_id()] should be brute-forced again. Being relatively difficult, I’ve recorded a clip demonstrating what I’ve said:
http://y-shahinzadeh.ir/tutorial/machform.rar
Also view.php is prone to MySQL injection and Cross site scripting after finding the HTML elements, as a case in point (Post to vew.php):
element_1=1&element_2='&element_3=1&form_id=11&submit=1 element_1=1&element_2='"()&%1<ScRiPt >prompt(949236)</ScRiPt>&element_3=1&form_id=11&submit=Enviar
The file uploading issue resulted from these piece of code (post-functions.php):
... ... if(!empty($uploaded_files)){ foreach ($uploaded_files as $element_name){ if(empty($form_review)){ //move file and check for invalid file $destination_file = $input['machform_data_path'].DATA_DIR."/form_{$form_id}/files/{$element_name}-{$record_insert_id}-{$_FILES[$element_name]['name']}"; if (move_uploaded_file($_FILES[$element_name]['tmp_name'], $destination_file)) { $filename = mysql_real_escape_string($_FILES[$element_name]['name']); $query = "update ap_form_{$form_id} set $element_name='{$element_name}-{$record_insert_id}-{$filename}' where id='$record_insert_id'"; do_query($query); } }else{ //for form with review enabled, append .tmp suffix to all uploaded files //move file and check for invalid file $destination_file = $input['machform_data_path'].DATA_DIR."/form_{$form_id}/files/{$element_name}-{$record_insert_id}-{$_FILES[$element_name]['name']}.tmp"; if (move_uploaded_file($_FILES[$element_name]['tmp_name'], $destination_file)) { $filename = mysql_real_escape_string($_FILES[$element_name]['name']); $query = "update ap_form_{$form_id}_review set $element_name='{$element_name}-{$record_insert_id}-{$filename}' where id='$record_insert_id'"; do_query($query); } if(!empty($uploaded_file_lookup[$element_name])){ unset($uploaded_file_lookup[$element_name]); } } } } ... ...
I hope you find this update useful, thanks.