# --------------------------------------- #
# Author : L3b-r1'z
# Title  : Php List 2.10.9 Remote PHP Code Injection
# Date   : 5/25/2012
# Email  : L3br1z@Gmail.com
# Site   : Sec4Ever.com & Exploit4arab.com
# --------------------------------------- #
# This PoC was written for educational purposes. Use it at your own risk.
# Author will not be responsible for any damage.
# --------------------------------------- #
# 1) Bug
# 2) PoC
# --------------------------------------- #
# 1) Bug :
# An attacker might execute arbitrary PHP code with this vulnerability.
# User-tainted data is embedded into a function that compiles
# PHP code at run time and executes it, thus allowing an attacker to inject
# their own PHP code that will be executed.
# This vulnerability can lead to full server compromise.
# Look To The File Named (Sajax.php) In Dir (admin/commonlib/lib) On Line (63)
# 63. $func_name = $_POST["rs"];
#     if (! empty($_POST["rsargs"]))
#         $args = $_POST["rsargs"];
#     else
#         $args = array();
# }
#
# if (! in_array($func_name, $sajax_export_list))
#     echo "-:$func_name not callable";
# else {
#     echo "+:";
# 74. $result = call_user_func_array($func_name, $args);
#     echo $result;
# }
# exit;
# }
# So We Have The Variable $func_name Taken From POST rs :)
# Above This Code We Also Have $_GET['rs'], So This Is What An Attacker Wants.
# Look To Line (74).
# Call_User_Func_Array($func_name, $args);
# Attacker Can Inject PHP Code In The GET Or POST Parameter.
# Note that in the excerpt above, line 74 is reached only when $func_name passes the
# in_array() check against $sajax_export_list, so which functions can be called depends
# on what that list exports; $args is passed on without any validation.
# Keeping the export list to a fixed set of intended functions and validating rsargs
# before the call limits the exposure.
# --------------------------------------- #
# 2) PoC :
#
# --------------------------------------- #
# Thx To : I-Hmx , B0X , Hacker-1420 , Damane2011 , Sec4ever , The Injector , Over-X , Ked-Ans.
# --------------------------------------- #