/*==========================================*/ //how to trick cms avatar upload //exemple for : RunCms (PoC) //Bug : avatar/php-shell upload //Product: RunCms //URL: http://www.runcms.org/ //RISK: hight /*==========================================*/ you can upload a crafted picture on most of cms . there's actually one protection agains that: it's to reconvert the picture name uploaded ( see = http://us3.php.net/manual/en/features.file-upload.php ) so the picture called picture.jpg will be renamed has 12d32f2jk25r543jk2ljn543.jpg now on a webserver , a script is called & executed with the extension , so if you rename & upload a crafted picture , like this : http://site.com/script.php.jpg you will get the php code in the picture executed .(if there's some php code in the crafted picture) the reverse ( http://site.jpg.php ) will never work , it's usually because the avatar upload filter look for the last extension. so now we need to trick the upload filter , if you do a simple php script named "script.php" ,it will never work , our goal is to trick the avatar filter , so we need a reel picture . then you need to take a good file editor , like: notepad++ (you can take whatever picture , and edit it without destroying it .) we need to put some php code AFTER the picture code . when it's done , try the picture if it still work , if yes , we are ok :). here's an exemple of a crafted picture : http://s-a-p.ca/release/sp.php.zip just upload the picture has your avatar , for Runcms and do a right click ===> property , on your avatar , look at the link , and call it with firefox , opera , safary , etc , once this is done you have a php backdoor uploaded in . usually in: http://site.com/[runcms_path]/images/avatar/sp.php.jpg ps:this doesn't work with IE . regards , securfrog@xxxxxxxxx
![http://site.com/[runcms_path]/images/avatar/sp.php.jpg](http://site.com/[runcms_path]/images/avatar/sp.php.jpg){kind=link}
