4Images 1.7.6 Local Inclusion Vulnerability
BY Flyh4t
/***********************************************************/
4images - Image Gallery Management System V1.7.6 Local Inclusion Vulnerability
Author : Flyh4t
msn : flyh4t@hotmail.com
team: Wolves Security Team
site: bbs.wolvez.org
Greet to : q1ur3n puret_t make0day and all the members of Wolves Security Team
/***********************************************************/
Bug file : global.php

    if (isset($HTTP_GET_VARS['l']) || isset($HTTP_POST_VARS['l'])) {
        $requested_l = (isset($HTTP_GET_VARS['l'])) ? trim($HTTP_GET_VARS['l']) : trim($HTTP_POST_VARS['l']);
        if ($requested_l != $config['language_dir'] && file_exists(ROOT_PATH.'lang/'.$requested_l.'/main.php')) {
            $l = $requested_l;
            $config['language_dir'] = $l;
        }
    }
    include_once(ROOT_PATH.'lang/'.$config['language_dir'].'/main.php');
/***********************************************************/
global.php is included by every file of 4images, so the flaw can be reached through many entry points.
/***********************************************************/
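As an added example (not 4images' own code), here is a hardened form of the same language-selection block. The root cause above is that the user-supplied `l` value is concatenated into the include path and only checked with file_exists(), so a value containing `../` is accepted as long as a main.php exists at the resolved location. The rewrite below restricts `l` to a plain directory name and verifies with realpath() that the resolved directory stays under lang/. It assumes ROOT_PATH and $config['language_dir'] are defined as in 4images, and uses $_GET/$_POST in place of the $HTTP_*_VARS arrays shown above.

```php
<?php
// Added example: hardened replacement for the language selection in global.php.
// Assumes ROOT_PATH (with trailing slash) and $config['language_dir'] exist as in 4images.

function select_language_dir($requested, $current, $root_path)
{
    // Only a simple directory name is acceptable: letters, digits, '_' and '-'.
    // This alone rules out '..', '/', NUL bytes and anything else path-like.
    if (!is_string($requested) || !preg_match('/^[A-Za-z0-9_-]{1,32}$/', $requested)) {
        return $current;
    }

    // Resolve both the lang/ root and the candidate; realpath() follows symlinks
    // and collapses '..', and returns false if the path does not exist.
    $lang_root = realpath($root_path . 'lang');
    $candidate = realpath($root_path . 'lang/' . $requested);
    if ($lang_root === false || $candidate === false) {
        return $current;
    }

    // Belt and braces: the resolved directory must still sit inside lang/
    // (guards against a symlink dropped into lang/ pointing elsewhere).
    if (strpos($candidate, $lang_root . DIRECTORY_SEPARATOR) !== 0) {
        return $current;
    }

    // The language pack must actually provide main.php as a regular file.
    if (!is_file($candidate . DIRECTORY_SEPARATOR . 'main.php')) {
        return $current;
    }

    return $requested;
}

if (isset($_GET['l']) || isset($_POST['l'])) {
    $requested_l = isset($_GET['l']) ? trim($_GET['l']) : trim($_POST['l']);
    $config['language_dir'] = select_language_dir($requested_l, $config['language_dir'], ROOT_PATH);
}

// The include path is now built only from a validated directory name.
include_once(ROOT_PATH . 'lang/' . $config['language_dir'] . '/main.php');
```

The regular expression is the actual control; the realpath() comparison is a second line of defence for the case where lang/ itself contains something unexpected. Because the included path is assembled from a validated name rather than from raw input, neither magic_quotes_gpc nor the presence of a main.php elsewhere on the filesystem has any bearing on which file gets loaded.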
Hmm, the log-file inclusion approach could also be used...
Er... the worry is that GPC might be enabled... ^_^
    if (get_magic_quotes_gpc() == 0) {
        $HTTP_GET_VARS    = addslashes_array($HTTP_GET_VARS);
        $HTTP_POST_VARS   = addslashes_array($HTTP_POST_VARS);
        $HTTP_COOKIE_VARS = addslashes_array($HTTP_COOKIE_VARS);
    }
I made a mistake, sorry.
It seems that even with gpc turned off, %00 truncation cannot be used here :)
But one approach does work: for example, on Linux, get a shell through a neighbouring site on the same server (旁注), write a main.php into the /tmp directory, and then include it.