bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/42577.txt
Offensive Security 36c084c351 DB: 2021-09-03 
45419 changes to exploits/shellcodes

2 new exploits/shellcodes

Too many to list!
2021-09-03 13:39:06 +00:00

34 lines
No EOL
1.3 KiB
Text
Raw Permalink Blame History

# Exploit Title: CMS Web-Gooroo <=1.141 - Multiple Vulnerabilities
# Date: 01-06-2017
# Exploit Author: Kaimi
# Website: https://kaimi.io
# Vendor Homepage: http://web.archive.org/web/20120510194357/http://www.web-gooroo.com/
# Software Link: https://github.com/andrey-buligin/hanna/tree/master/wbg
# Version: <=1.141
# Category: webapps
1. SQL Injection
File: /wbg/core/_includes/authorization.inc.php
Vulnerable code:
$SQL_query = 'SELECT * FROM wbg_users WHERE (login=\'' . $_POST['wbg_login'] . '\') AND (password=\'' . md5(md5($_POST['wbg_password'])) . '\')';
$USER = mysql_fetch_assoc(mysql_query($SQL_query));
2. Hardcoded admin user
File: /wbg/core/_includes/authorization.inc.php
Vulnerable code:
if ((md5($_POST['wbg_login']) == '2d626704807d4c5be1b46e85c4070fec') && (md5($_POST['wbg_password']) == '2967a371178d713d3898957dd44786af')) {
$USER = $this->get_megaadmin();
}
2d626704807d4c5be1b46e85c4070fec - mayhem
2967a371178d713d3898957dd44786af - no success in bruteforce, though...
3. Full path disclosure
Almost any file, because of lack of input validation and overall bad design.
CMS log file (besides DB log) location with full path and debug info:
/wbg/tmp/logs/syslog.log.php
4. Unrestricted file upload
Can be done via admin panel as attachment to any publication. No file type checking is performed.
Reference in a new issue View git blame Copy permalink