Owning the Site
During the review of the New Website Update feature, I also noticed a small form box at the bottom of the page labeled "upload." I suspected that this was to allow the client to upload an image or document to the server for further review, but wondered if it would also accept other files, such as PHP scripts and the like. To test this out, I created a test.php file with a basic echo command and uploaded it to the server. Using the View Pending Updates option, I took a look to see where this file was uploaded (as illustrated in Figure 4) and clicked on the link. Sure enough, my PHP file executed.
Figure 4: Update screen window
At this point the options were endless. If I could upload a script, I could own the server. However, I took the simple non-intrusive non-exploit road and used a PHP script called PHP-Terminal, which is basically an emulator that gives the user "shell" access via a web browser. The limitations were only that the access is the same as the web application, thus I couldn’t add users and the like. However, my target was the application — not the server.
Once I uploaded this file (after making a few changes to the PHP code), I was granted access to the server. I changed directory up a few levels, listed the contents of the directory, and noticed that there were a lot more files than just the ones I had used (see Figure 5). I tried to load a few of them in the browser and received permission error messages on most, but then I hit paydirt — create_admin.php. Figure 6 illustrates what I had found.
Figure 5: PHP-Terminal
Figure 6: Create_admin.php windows
That's right. I had found a file that allowed me to create an administrator, which I tested and was happy to learn that it worked. Using my new credentials I logged in and found I had full control over the application. Figure 7 shows the administrator screen.
Figure 7: Administration area screen