Social Engine 4.x (Music Plugin) Arbitrary File Upload Vulnerability

Quote:###########################################################################
# Exploit Title: Social Engine 4.x (Music Plugin) Arbitrary File Upload
# Google Dork: inurl:"user/auth/forgot"
# Date: 22/12/2010
# Author: MyDoom ( Moroccan Hacker )
# Contact: MyDoom2009@gmail.com
# Software Link: http://http://www.socialengine.net
# Version: Social Engine 4.x (should work on previous versions but no tested)
# Tested on: Windows 7 - Linux 3.6.33 2010 - Linux 3.6.18 2010 -
Windows Server 2003
# Greetz to : ALBoraaq Hackers ;) - Especially T3es
###########################################################################

Vulnerable Javascript Source Code:

window.addEvent('domready', function() { // wait for the content

...snip...

// remove that line to select all files, or edit it, add more items
typeFilter: {
'Music (*.mp3,*.m4a,*.aac,*.mp4)': '*.mp3; *.m4a; *.aac; *.mp4'
},

Description:

The File filter used in the code don't check the uploaded file but
only set the type of files that can be veiwed in the upload window
so if we type *.* in the filename we will see all others file and
then we can upload any type of file.

Exploit:

[~] Step 1 : Find A social network using the Social Engine with MUSIC PLUGIN

[~] Step 2: Register A Fake Account

[~] Step 3: Click On Music Link in the menu or go to http://www.xxxx.com/music

[~] Step 4: Click On Upload Music And Then Fill the Playlist info

[~] Step 5: Click On Add Music And Select The php file ( If you can
see php file in the upload window type *.* in the file name )

[~] Step 6: And Click on save music to playlist

[~] Step 7: You Will See the Music Player Move the Cursor on the php
filename and copy the link of the shell.

Generaly it will be :
http://www.xxx.com/public/music_song/1000000/[numbers]/[user_id]/[some_numbers].php

ini salah satu waktu ane pas godam 1malaysia.com
sekarang kita kan dah damai ama malaysia jadi jangan ditest lagi ya ngegodam 1malaysia.com kalau seandainya servernya dah up lagi.

shell ane di 1malaysia.com
http://1malaysia.com/public/b374k.php

tapi di 1malaysia.com ada 2 bug yang bisa dimasukin, ne ane share bug yang satu ne dl ya...yang keduanya menyusul.

refrensi
http://www.exploit-db.com/exploits/15830/

[chaer.newbie]

ga bagus tutorialnya

[n0wn]

waw,,

om2 diatas hacker semua,,

[Matmund Newbie]

(02-15-2011 12:18 PM)chaer.newbie Wrote:  ga bagus tutorialnya

Iya gak bagus.. cuma copas doank........

[PrOReBeLL]

(02-15-2011 12:18 PM)chaer.newbie Wrote:  ga bagus tutorialnya

iya nih
ga bagus tutnya..
coba kalo di tambahi bumbu2 Poc ganteng dkit

ente pasti heker ya om ?

[badwolves1986 [RJ]]

wah di atas ane pasti hacker semua nie,....

gak bagus2 ..langsung pada testing ne dorkny..wkwkkkwkkw

[Matmund Newbie]

(02-15-2011 12:54 PM)supermenganteng Wrote:  gak bagus2 ..langsung pada testing ne dorkny..wkwkkkwkkw

yg ke index ma google dah di bantai smua'a........ =))

[PrOReBeLL]

nah gini om, ane coba test langsung dsni
http://www.onesenegal.com/
nah ane udah daftar, lalu msuk ke directory music
nah dsna ane coba upload dari add music nya
tapi ada warning seperti ini : 404.php {"viewer":{},"viewer_id":68,"status":false,"message":"Invalid file type"}
nah kira2 itu gmna ?

kalau berhasil ane bsa manggil shellnya dmna om ? mohon pencerahan... hehehe

[patriot]

klo dagh selesai upload music (shell). Cara memanggil shell yg sudah di pasang...klik tab "my music" aja mas bro. nanti disitu ada list music2 ente. trs cara melihat direktori url penyimpanan tgl klik kanan "View Image Info"

Soktau.com
xixiii....