Bugtraq mailing list archives
Re: Doubt in MySQL Quick Admin <= 1.5.5 (COOKIE) Local File Inclusion Vulnerability POC posted on milworm
From: g30rg3_x <g30rg3x () gmail com>
Date: Fri, 17 Oct 2008 11:30:38 -0500
Hi, It will only work if php have magic_quotes_gpc off... For testing/research purpose you can emulated that enviroment using stripslashes in your vuln code: <?php include("lang/".stripslashes($_GET[filename])."/lang.php"); ?> And then call for the LFI GET /vulnerable php?filename=../../../../../../../../../../etc/passwd%00 Reference: http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc Regards 2008/10/17 <vinodsharma.mimit () gmail com>
Greetings All, I am trying to reproduce the issue, but php is reporting some error: like fail to open lang/../../../../../../../../../../etc/passwd%00; path=//lang.php. vulnerable code is: include("lang/".$_SESSION['language']."/lang.php"); exploit is: ../../../../../../../../../../etc/passwd%00; path=/ as the value of vulnerable paramter. exploit link is:http://milw0rm.com/exploits/6641 After observing this error i thought there must some issue with the application, so created a vulnerable php program whose details are: <?php include("lang/".$_GET[filename]."/lang.php"); ?> Then i send a GET a request: GET /vulnerable php?filename=lang/../../../../../../../../../../etc/passwd%00; path=/ still, i am observing same error. This is happening because inside include function, there is an additon of /lang.php after the vulnerable parameter value in both case. I am not able to understand how the author manage to view the contents of /etc/passwd by this method. please help me out. Thanks in advance.
-- _________________________ g30rg3_x
Current thread:
- Doubt in MySQL Quick Admin <= 1.5.5 (COOKIE) Local File Inclusion Vulnerability POC posted on milworm vinodsharma . mimit (Oct 17)
- Message not available
- Re: Doubt in MySQL Quick Admin <= 1.5.5 (COOKIE) Local File Inclusion Vulnerability POC posted on milworm g30rg3_x (Oct 17)
- Message not available