/*
tested software:
http://sourceforge.net/project/showfiles.php?group_id=71894
description: "Php-ZeroNet is a script comprised of php
allowing webmasters to start an online community.
Php-ZeroNet features Content Management, News posting,
User CP, interactive system, etc. Php-ZeroNet uses a
wide range of different cases in its script, it can adapt."
vulnerable code in function.php at lines 34-44:
...
if (isset($_COOKIE['specifiedlayout'])) {
    // the cookie naming the layout the user wants to see exists, so display it
    $defaultlayout = $_COOKIE['specifiedlayout'];
    $result = $DB->query("SELECT SiteName FROM preferences");
    list($sitename) = $DB->getrow($result);
} else {
    // no cookie, so fall back to the normal default layout stored in the database
    $result = $DB->query("SELECT SiteName,defaultlayout FROM preferences");
    list($sitename, $defaultlayout) = $DB->getrow($result);
}
require("themes/$defaultlayout/index.php");
...
If magic quotes are off, we can include a local file through
$defaultlayout, which is taken straight from $_COOKIE['specifiedlayout']
and passed to require() without any validation.
This can be exploited from a web browser; however, here is my POC:
*/
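The fix is to stop treating the cookie as a path. The following is an added example (not Php-ZeroNet's code) of a hardened replacement for the layout selection above: the cookie value is used only if it is a single plain directory name that matches a theme actually installed under themes/, otherwise the database default is used. It assumes PHP 7.4+, and the function name, parameters and sample values are constructed for illustration.

```php
<?php
// Resolve which layout to load. $installed is the list of directory
// names really present under themes/ (built once, see below).
function resolve_layout(?string $cookieValue, string $dbDefault, array $installed): string
{
    // Accept only one path component: letters, digits, '_' and '-'.
    // This rejects '/', '\', '..', NUL bytes and anything else that could
    // steer require() away from themes/<name>/index.php.
    $isPlainName = static function (string $name): bool {
        return (bool) preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name);
    };

    if ($cookieValue !== null
        && $isPlainName($cookieValue)
        && in_array($cookieValue, $installed, true)) {
        return $cookieValue;
    }

    // The stored default gets the same check, so a tampered
    // preferences row cannot be used to reach an arbitrary file either.
    if ($isPlainName($dbDefault) && in_array($dbDefault, $installed, true)) {
        return $dbDefault;
    }

    throw new RuntimeException('No valid layout available');
}

// Build the allowlist from the real themes directory (assumed layout:
// themes/<name>/index.php, as in the original require()).
function installed_layouts(string $themesDir): array
{
    $entries = scandir($themesDir) ?: [];
    return array_values(array_filter(
        $entries,
        static fn(string $d): bool => $d !== '.' && $d !== '..' && is_dir("$themesDir/$d")
    ));
}

// Constructed demonstration values standing in for scandir() and the DB row.
$installed = ['default', 'dark'];
echo resolve_layout('dark', 'default', $installed), "\n";      // dark
echo resolve_layout('../other', 'default', $installed), "\n";  // default (rejected)
echo resolve_layout(null, 'default', $installed), "\n";        // default (no cookie)

// In the real page the flow would be:
//   $layout = resolve_layout($_COOKIE['specifiedlayout'] ?? null,
//                            $defaultlayout_from_db, installed_layouts(__DIR__ . '/themes'));
//   require __DIR__ . "/themes/$layout/index.php";
```

Because the allowlist is derived from the filesystem, adding a theme still works without touching the code, while any value that is not an existing theme name never reaches require().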
POC exploit