Presentation is loading. Please wait.

Presentation is loading. Please wait.

0day OuTian OuTian Joomla 1.0/1.5beta2 (latest) upload file mishandling vulnerability.

Published byKory Wilcox Modified over 8 years ago

Similar presentations

Presentation on theme: "0day OuTian OuTian Joomla 1.0/1.5beta2 (latest) upload file mishandling vulnerability."— Presentation transcript:

1 0day OuTian OuTian Joomla 1.0/1.5beta2 (latest) upload file mishandling vulnerability

2   Apache + php   Set php file handling   AddHandler   Proper upload handler example   Joomla 1.0 、 Joomla 1.5 beta2 (latest)   Demo   Live demo Agenda

3   Famous Web Application Platform   Works on Most of OS   Windows   Linux   FreeBSD   SunOS  ... others. Apache + PHP

4 Set php file handling  Set(In|Out)putfilter  SetOutputFilter PHP  SetInputFilter PHP  AddType  AddType application/x-httpd-php.php  AddHandler  AddHandler php5-script.php  Default used in Fedora Core 4 ~ 7 CentOS 5.0 ( RHEL ? Other Clone ? )

5 AddHandler  Problem  *.php.* will be processed by php engine  When upload  *.php.gif  *.php.bmp  *.php.jpg  *.php.tgz  *.php.123456 ...

6 Example

7 Proper upload handler example  When upload 『 ox.php.gif 』  Discuz Forum rename to 『 date_{MD5}.gif 』  gallery 1 / gallery 2 rename to 『 ox_php.gif 』  lifetype blog rename to 『 X-X.gif 』  wordpress blog rename to 『 oxphp.gif 』  xoops rename to 『 imgXXXXXXXX.gif 』

8 Joomla  CMS (Content Management System ), just like XOOPS  use php + mysql  combine with gallery/blog/forum/... etc  Official website : http://www.joomla.org/ http://www.joomla.org/  Taiwan website : http://www.joomla.org.tw/ http://www.joomla.org.tw/

9 Exploitation  login  Upload a file with filename containing ".php.", with malicious code  ex: ox.php.gif  launch file from browser  http://host/path/images/ox.php.gif  Do anything  ex: webshell

10 Local Demo

11 Live Demo

12 www.joomla.org.tw

13 $ nc www.joomla.org.tw 80 HEAD / HTTP/1.0 Host: www.joomla.org.tw HTTP/1.1 200 OK Server: Apache/2.2.2 (Fedora) X-Powered-By: PHP/5.1.6 Connection: close Content-Type: text/html; charset=utf-8

Download ppt "0day OuTian OuTian Joomla 1.0/1.5beta2 (latest) upload file mishandling vulnerability."

Similar presentations

WordPress Installation for Beginners Sheila Bergman

WordPress Installation for Beginners Sheila Bergman
Selected Topics Dr Yi Zhou

Selected Topics Dr Yi Zhou
©2009 Justin C. Klein Keane PHP Code Auditing Session 3 – Tools of the Trade & Crafting Malicious Input Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 3 – Tools of the Trade & Crafting Malicious Input Justin C. Klein Keane
Content Management, Working with WordPress Pavel Ivanov Telerik Corporation www.telerik.com.

Content Management, Working with WordPress Pavel Ivanov Telerik Corporation
HTTP HyperText Transfer Protocol. HTTP Uses TCP as its underlying transport protocol Uses port 80 Stateless protocol (i.e. HTTP Server maintains no information.

HTTP HyperText Transfer Protocol. HTTP Uses TCP as its underlying transport protocol Uses port 80 Stateless protocol (i.e. HTTP Server maintains no information.
Install WordPress with Xampp. By www.00397.com With Thanks to: Rupesh Kumar.

Install WordPress with Xampp. By With Thanks to: Rupesh Kumar.
Creating WordPress Websites. Creating a site on your computer Local server Local WordPress installation Setting Up Dreamweaver.

Creating WordPress Websites. Creating a site on your computer Local server Local WordPress installation Setting Up Dreamweaver.
Content Management, Working with WordPress Svetlin Nakov Telerik Corporation www.telerik.com.

Content Management, Working with WordPress Svetlin Nakov Telerik Corporation
5 Days Open Source Workshop Zencart – Wordpress – Joomla Welcome Day 3.

5 Days Open Source Workshop Zencart – Wordpress – Joomla Welcome Day 3.
Chapter 13 Web Application Infrastructure. Objectives Explain the components and purpose of a web application platform Describe several common webapp.

Chapter 13 Web Application Infrastructure. Objectives Explain the components and purpose of a web application platform Describe several common webapp.
Introducing LAMP: Linux, Apache, MySQL and PHP Track 2 Workshop PacNOG 7 July 1, 2010 Pago Pago, American Samoa.

Introducing LAMP: Linux, Apache, MySQL and PHP Track 2 Workshop PacNOG 7 July 1, 2010 Pago Pago, American Samoa.
WHAT IS PHP PHP is an HTML-embedded scripting language primarily used for dynamic Web applications.

WHAT IS PHP PHP is an HTML-embedded scripting language primarily used for dynamic Web applications.
PHP and MySQL Week#1  Course Plan.  Introduction to Dynamic Web Content.  Setting Up Development Server Eng. Mohamed Ahmed Black 1.

PHP and MySQL Week#1  Course Plan.  Introduction to Dynamic Web Content.  Setting Up Development Server Eng. Mohamed Ahmed Black 1.
Building Library Web Site Using Drupal

Building Library Web Site Using Drupal
Joomla!. What is Joomla! Joomla! is the largest Open Source Content Management System (CMS) for publishing on the World Wide Web Using a CMS allows non-technical.

Joomla!. What is Joomla! Joomla! is the largest Open Source Content Management System (CMS) for publishing on the World Wide Web Using a CMS allows non-technical.
Content Management Systems AN INTRODUCTION. Learning Objectives To know what a Content Management System is Have an understanding of the different types.

Content Management Systems AN INTRODUCTION. Learning Objectives To know what a Content Management System is Have an understanding of the different types.
Charels Content management system A content management system (CMS) [1][2][3] is a computer program that allows publishing, editing and modifying.

Charels Content management system A content management system (CMS) [1][2][3] is a computer program that allows publishing, editing and modifying.
Creating a Web Presence Introduction to WordPress Week 1.

Creating a Web Presence Introduction to WordPress Week 1.
Web Server Configuration Alokes Chattopadhyay Computer & Informatics Centre IIT Kharagpur.

Web Server Configuration Alokes Chattopadhyay Computer & Informatics Centre IIT Kharagpur.
WordPress Web. WordPress Blogging system with full content management Personal publishing system Built on PHP scripting language and MySQL relational.

WordPress Web. WordPress Blogging system with full content management Personal publishing system Built on PHP scripting language and MySQL relational.

Similar presentations

Ads by Google