Understanding Acidcat CMS 3.5 Multiple Vulnerabilities (Exploit-DB 10972)

What this paper is
This paper details multiple vulnerabilities found in Acidcat CMS version 3.5. The author, LionTurk, published this information on January 3, 2010. The primary focus is on how these vulnerabilities can be exploited to gain unauthorized access or information from a web server running this specific CMS.
Simple technical breakdown
The paper highlights two main issues:
- Direct Database Access: The acidcat_3.mdb file, which likely contains the CMS's database, is accessible directly via a URL. This means an attacker can download the entire database without needing to exploit any complex code.
- Install Script Exposure: The install.asp file is also exposed. This file is typically used for setting up the CMS. If it's accessible after installation, it might allow an attacker to re-run the installation process, potentially leading to configuration changes or unauthorized access.
The CMS is written in ASP (Active Server Pages), a server-side scripting language.
Complete code and payload walkthrough
The provided text from the paper does not contain any executable code or shellcode. It consists of:
- ASCII Art: Decorative text art at the beginning.
- Informational Text: Details about the CMS, author, publication date, and related websites.
- Vulnerability Descriptions (Implicit): The "Exploit And Dork" section implies the vulnerabilities by providing URLs that, if accessible, would lead to exploitation.
Let's break down the relevant parts:
- ==============================================================================: These lines are purely for formatting and visual separation.
- ASCII Art ( _ _ _ _ _ _): This is a decorative banner, not functional code.
- [»] ~ Note : Forever RevengeHack.Com-Ar-Ge.Org Acildi: A message from the author, indicating the launch of their websites.
- [»]Acidcat CMS v 3.5 Multi Vulnerability: A clear statement of the paper's subject.
- [»] Script: [ Mini-NUKE v2.3 Freehost ]: Identifies the underlying script or framework used by Acidcat CMS. This is context, not exploitable code.
- [»] Language: [ ASP ]: Specifies the programming language used by the CMS.
- [»] Download: [ http://www.acidcat.com/default.asp?itemID=202&itemTitle=Download Free]: A link to download the CMS, useful for setting up a lab environment.
- [»] Founder: [ LionTurk - Bylionturk@kafam1milyon.com ]: Author's name and contact information.
- [»] My Home: [ RevengeHack.com and Ar-ge.Org ]: Author's associated websites.
- [»]N0T3 : Yeni Aciklarimi Bekleyin.: A message in Turkish, meaning "Note: Wait for my new discoveries."
- ###########################################################################: More formatting.
- ===[ Exploit And Dork ]===: This section is crucial as it outlines the attack vectors.
- [»] http://server/[dizin]/databases/acidcat_3.mdb: This is a dork (search query pattern) or an exploit path. It suggests that the database file acidcat_3.mdb is located in a databases directory within a specific [dizin] (directory) on the web server. If this file is not protected by proper access controls, an attacker can simply navigate to this URL and download the .mdb file.
  - Code Fragment/Block: http://server/[dizin]/databases/acidcat_3.mdb
  - Practical Purpose: Direct download of the CMS database.
- [»] http://server/[dizin]/install.asp: This is another dork/exploit path. It points to the installation script. If this file is accessible after the CMS has been installed, it might allow an attacker to re-initiate the installation process. This could lead to overwriting existing configurations, creating new administrative accounts, or potentially executing arbitrary code depending on how the installation script handles re-runs.
  - Code Fragment/Block: http://server/[dizin]/install.asp
  - Practical Purpose: Potential re-installation or manipulation of CMS configuration.
- [»] Powered by Acidcat CMS v 3.5.1.f: This line is likely a footer or signature found on the target website, confirming the version.
- Author: LionTurk <-: Author's signature.
- Bizim Asiret: ...: A list of individuals or groups the author associates with.
- - Ben Ne Heykirlar Gordum site heyklicek exploiti yok.Ben Ne exploitler gordum kullancak heykir yok :D: A humorous Turkish quote, roughly translating to "I've seen great people, but their sites don't have exploits. I've seen great exploits, but no one to use them :D".
In summary, there is no executable code or shellcode provided in this paper. The "exploit" is achieved by knowing the predictable file paths and attempting to access them directly.
Practical details for offensive operations teams
- Required Access Level: No elevated access is required beyond the ability to browse the web. The attack is carried out entirely from the client by simply navigating to specific URLs.
- Lab Preconditions:
  - A web server environment configured with IIS (Internet Information Services) or another web server capable of serving ASP files.
  - Acidcat CMS v3.5.1.f installed on the target web server.
  - The databases directory and acidcat_3.mdb file must be present and accessible via HTTP.
  - The install.asp file must be present and accessible via HTTP.
  - Crucially: The web server's configuration must not restrict direct access to these files (e.g., via file permissions, IIS request filtering, or application-level access control).
- Tooling Assumptions:
  - Web Browser: For direct access to the URLs.
  - HTTP Client (e.g., curl, wget): For scripting downloads of the database file.
  - Database Viewer: Microsoft Access or a compatible tool to open and analyze .mdb files.
  - Directory Brute-forcing Tools (Optional): If the exact [dizin] is unknown, tools like DirBuster, Gobuster, or Ffuf could be used to discover common CMS directory names.
- Execution Pitfalls:
  - File Not Found (404): The most common failure point. The files might be in a different location, renamed, or protected by the server.
  - Access Denied (403): The server might explicitly deny access to these files even if they exist.
  - CMS Version Mismatch: The exploit relies on a specific version (3.5.1.f). If the target is a different version, the file paths or vulnerabilities might not exist.
  - Database Encryption/Obfuscation: Even if the .mdb file is downloaded, its contents might be encrypted or otherwise protected, rendering it useless without further steps (which are not detailed in this paper).
  - install.asp Security: The install.asp script might have checks to prevent re-installation on an already configured system.
- Expected Telemetry:
  - Web Server Logs:
    - HTTP GET requests to /databases/acidcat_3.mdb.
    - HTTP GET requests to /install.asp.
    - Successful (200 OK) or failed (403 Forbidden, 404 Not Found) responses for these requests.
    - Potentially large download sizes if acidcat_3.mdb is successfully retrieved.
  - Network Traffic: Direct transfer of the .mdb file from the server to the attacker's machine.
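The telemetry listed above can be turned into a log check. This is an added example, not part of the original paper or of Acidcat CMS: it scans IIS W3C extended logs for the two paths and separates refused probes from requests that succeeded. The sample log lines, IP addresses and the scan_iis_log name are constructed for illustration.

```python
import re

# Constructed sample in IIS W3C extended log format; column order comes from #Fields.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status sc-bytes
2010-01-05 10:01:12 GET /default.asp itemID=202 198.51.100.7 200 18230
2010-01-05 10:02:40 GET /cms/databases/acidcat_3.mdb - 203.0.113.9 200 1482752
2010-01-05 10:02:55 GET /cms/install.asp - 203.0.113.9 200 4100
2010-01-05 10:03:10 GET /CMS/Databases/ACIDCAT_3.MDB - 192.0.2.44 404 1245
2010-01-05 10:04:00 GET /site/install.asp step=2 192.0.2.44 403 1310
"""

# The two paths from the advisory under any parent directory; IIS matches case-insensitively.
SENSITIVE = re.compile(r"(?:^|/)(?:databases/acidcat_3\.mdb|install\.asp)$", re.I)

def _num(value):
    """W3C logs write '-' for empty fields; treat anything non-numeric as 0."""
    return int(value) if value and value.isdigit() else 0

def scan_iis_log(text):
    """Return one finding per request for the advisory's paths, graded by outcome."""
    fields, findings = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # the directive may reappear with a new layout
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "")
        if not SENSITIVE.search(stem):
            continue
        status = _num(row.get("sc-status"))
        findings.append({
            "client": row.get("c-ip", "-"),
            "path": stem,
            "status": status,
            "bytes": _num(row.get("sc-bytes")),
            # 2xx: the database was downloaded or the installer page rendered; else a refused probe.
            "severity": "served" if 200 <= status < 300 else "probe",
        })
    return findings

if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_LOG):
        print(f["severity"], f["status"], f["bytes"], f["client"], f["path"])
```

A "served" finding for the .mdb path with a large sc-bytes value means the database left the server and its contents should be treated as disclosed.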
Where this was used and when
This exploit targets Acidcat CMS v3.5.1.f. Given the publication date of January 3, 2010, this vulnerability would have been relevant around that time. It's likely that websites using this specific version of Acidcat CMS were vulnerable. The "dork" nature of the exploit suggests it could be found using search engines configured with specific search operators (though not explicitly detailed in the paper).
Defensive lessons for modern teams
- Secure File Permissions: Ensure that sensitive files, especially database files and installation scripts, are not directly accessible via HTTP. Use server-side access controls and file system permissions to restrict access.
- Configuration Management: Regularly review web server configurations to prevent accidental exposure of sensitive directories and files.
- Patch Management: Keep CMS and all web application components updated to the latest versions to mitigate known vulnerabilities.
- Web Application Firewalls (WAFs): Implement WAFs to detect and block common attack patterns, including attempts to access sensitive files.
- Regular Security Audits: Conduct periodic security audits and vulnerability assessments of web applications to identify and remediate such issues proactively.
- Minimize Exposed Functionality: Remove or disable installation scripts and other administrative interfaces once the application is deployed and configured.
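An added example (not from the original paper or from Acidcat CMS) of auditing a deployed web root for the two exposures. It assumes an IIS site whose request filtering rules live only in the root web.config; audit_webroot, request_filtering and build_sample are hypothetical helper names and the sample tree is constructed.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

def request_filtering(web_config):
    """Return (denied extensions, hidden segments) from the root web.config only (assumption)."""
    denied, hidden = set(), set()
    if os.path.isfile(web_config):
        for rf in ET.parse(web_config).getroot().iter("requestFiltering"):
            for e in rf.findall("fileExtensions/add"):
                if e.get("allowed", "true").lower() == "false":
                    denied.add(e.get("fileExtension", "").lower())
            for e in rf.findall("hiddenSegments/add"):
                hidden.add(e.get("segment", "").lower())
    return denied, hidden

def audit_webroot(webroot):
    """List files under webroot that match the exposures described above."""
    denied, hidden = request_filtering(os.path.join(webroot, "web.config"))
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        rel_dir = os.path.relpath(dirpath, webroot)
        segments = set() if rel_dir == "." else set(rel_dir.lower().split(os.sep))
        for name in files:
            rel = os.path.normpath(os.path.join(rel_dir, name)).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if name.lower() == "install.asp":
                # Request filtering cannot help: .asp must stay servable, so the file has to go.
                findings.append((rel, "install script still deployed"))
            elif ext == ".mdb" and ext not in denied and not (segments & hidden):
                findings.append((rel, "database file served as static content"))
    return sorted(findings)

def build_sample(root, filtered):
    """Create a constructed Acidcat-like layout; optionally add request filtering rules."""
    os.makedirs(os.path.join(root, "databases"))
    for rel in ("default.asp", "install.asp", "databases/acidcat_3.mdb"):
        open(os.path.join(root, rel), "w").close()
    if filtered:
        with open(os.path.join(root, "web.config"), "w") as fh:
            fh.write('<configuration><system.webServer><security><requestFiltering>'
                     '<fileExtensions><add fileExtension=".mdb" allowed="false"/></fileExtensions>'
                     '<hiddenSegments><add segment="databases"/></hiddenSegments>'
                     '</requestFiltering></security></system.webServer></configuration>')
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_webroot(build_sample(os.path.join(tmp, "site"), filtered=False)))
```

With the filtering rules in place only install.asp is reported, which matches the last lesson above: the installer has to be removed, not filtered.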
ASCII visual (if applicable)
This paper describes a direct file access vulnerability, which is a simple exposure of files at predictable paths. A visual representation would be straightforward:
+-----------------+      +-----------------+      +-----------------+
| Attacker Machine| ---> | Web Server      | ---> | CMS Filesystem  |
| (Browser/Tool)  |      | (IIS/Apache)    |      |                 |
+-----------------+      +-------+---------+      +-------+---------+
         ^                       |
         |                       | HTTP GET Request
         |                       | (e.g., /databases/acidcat_3.mdb)
         |                       v
         |              +-----------------+
         |              | acidcat_3.mdb   |
         |              | (Database File) |
         |              +-----------------+
         |
         +---------------------> HTTP Response (File Content)
Explanation:
- The attacker sends an HTTP GET request to a specific URL on the web server.
- The web server, if not properly configured, directly serves the requested file (acidcat_3.mdb or install.asp) from the CMS filesystem.
- The attacker receives the file content as the HTTP response.
Source references
- Paper ID: 10972
- Paper Title: Acidcat CMS 3.5 - Multiple Vulnerabilities
- Author: LionTurk
- Published: 2010-01-03
- Paper URL: https://www.exploit-db.com/papers/10972
- Raw URL: https://www.exploit-db.com/raw/10972
Original Exploit-DB Content (Verbatim)
==============================================================================
_ _ _ _ _ _
/ \ | | | | / \ | | | |
/ _ \ | | | | / _ \ | |_| |
/ ___ \ | |___ | |___ / ___ \ | _ |
/_/ \_\ |_____| |_____| /_/ \_\ |_| |_|
==============================================================================
[»] ~ Note : Forever RevengeHack.Com-Ar-Ge.Org Acildi
==============================================================================
[»]Acidcat CMS v 3.5 Multi Vulnerability
==============================================================================
[»] Script: [ Mini-NUKE v2.3 Freehost ]
[»] Language: [ ASP ]
[»] Download: [ http://www.acidcat.com/default.asp?itemID=202&itemTitle=Download Free]
[»] Founder: [ LionTurk - Bylionturk@kafam1milyon.com }
[»] My Home: [ RevengeHack.com and Ar-ge.Org ]
[»]N0T3 : Yeni Aciklarimi Bekleyin.
###########################################################################
===[ Exploit And Dork ]===
[»] http://server/[dizin]/databases/acidcat_3.mdb
[»] http://server/[dizin]/install.asp
[»] Powered by Acidcat CMS v 3.5.1.f
Author: LionTurk <-
Bizim Asiret: eXceptioN,CodeInside,CristaL1o,Hack3ra,eXtReMe,By_HKC,TerrorZveng
- Ben Ne Heykirlar Gordum site heyklicek exploiti yok.Ben Ne exploitler gordum kullancak heykir yok :D
###########################################################################