1 Topic by flyh4t

  • flyh4t
  • Administrator
  • Offline
  • Registered: 2008-10-06
  • Posts: 80

Topic: 4Images 1.7.6 Local Inclusion Vulnerability

4Images  1.7.6  Local Inclusion Vulnerability
BY Flyh4t
/***********************************************************/
4images - Image Gallery Management System  V1.7.6  Local Inclusion Vulnerability

Author :     Flyh4t
msn :     flyh4t@hotmail.com
team:     Wolves Security Team
site:        bbs.wolvez.org
Greet to : q1ur3n  puret_t  make0day  and all the members of Wolves Security Team
/***********************************************************/
Bug file : global.php
if (isset($HTTP_GET_VARS['l']) || isset($HTTP_POST_VARS['l'])) {
  $requested_l = (isset($HTTP_GET_VARS['l'])) ? trim($HTTP_GET_VARS['l']) : trim($HTTP_POST_VARS['l']);
  if ($requested_l != $config['language_dir'] && file_exists(ROOT_PATH.'lang/'.$requested_l.'/main.php')) {
    $l = $requested_l;
    $config['language_dir'] = $l;
  }
}

include_once(ROOT_PATH.'lang/'.$config['language_dir'].'/main.php');

/***********************************************************/
global.php is included by all the files of 4images,so it can be exploited through many files


/***********************************************************/

Quote Post 1

2 Reply by q1ur3n

  • q1ur3n
  • Administrator
  • Offline
  • Registered: 2008-10-05
  • Posts: 50

Re: 4Images 1.7.6 Local Inclusion Vulnerability

嗯 还可以采用包含日志的方法...

Quote Post 2

3 Reply by toby57

  • toby57
  • Guest

Re: 4Images 1.7.6 Local Inclusion Vulnerability

呃……就怕开了GPC...^_^

Quote Post 3

4 Reply by flyh4t

  • flyh4t
  • Administrator
  • Offline
  • Registered: 2008-10-06
  • Posts: 80

Re: 4Images 1.7.6 Local Inclusion Vulnerability

toby57 wrote:

呃……就怕开了GPC...^_^


if (get_magic_quotes_gpc() == 0) { $HTTP_GET_VARS =addslashes_array($HTTP_GET_VARS); $HTTP_POST_VARS =addslashes_array($HTTP_POST_VARS); $HTTP_COOKIE_VARS =addslashes_array($HTTP_COOKIE_VARS); }

我犯了一个错误,sorry

这个貌似关了gpc也不能用%00截断 :)

不过可以用一个思路,比如在linux下,可以通过旁注拿个shell,然后写个main.php到/tmp目录下,然后包含之

Quote Post 4

5 Reply by q1ur3n

  • q1ur3n
  • Administrator
  • Offline
  • Registered: 2008-10-05
  • Posts: 50

Re: 4Images 1.7.6 Local Inclusion Vulnerability

http://bbs.wolvez.org/topic/22/

Quote Post 5